forwarding requests subjected to Login MFA to the active node (#15009)

* forwarding requests subjected to Login MFA to the active node

* CL, and making fmt happy

changelog/15009.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth: forward requests subject to login MFA from perfStandby to Active node
+```

sdk/framework/backend_test.go

@@ -10,10 +10,9 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/stretchr/testify/require"
-
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
 )
 
 func BenchmarkBackendRoute(b *testing.B) {

vault/request_handling.go

@@ -1506,6 +1506,12 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 					}
 				}
 			} else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
+				// two-phase login MFA requests should be forwarded
+				// to the active node, as the validation should only
+				// happen in that node
+				if c.perfStandby {
+					return nil, nil, logical.ErrPerfStandbyPleaseForward
+				}
 				mfaRequestID, err := uuid.GenerateUUID()
 				if err != nil {
 					return nil, nil, err