diff --git a/modules/tide_tfa/src/Controller/TideTfaUserController.php b/modules/tide_tfa/src/Controller/TideTfaUserController.php
index 6a6fc6ba8..7be18ee78 100644
--- a/modules/tide_tfa/src/Controller/TideTfaUserController.php
+++ b/modules/tide_tfa/src/Controller/TideTfaUserController.php
@@ -5,6 +5,7 @@
 use Drupal\Component\Utility\Crypt;
 use Drupal\prlp\Controller\PrlpController;
 use Drupal\tfa\Controller\TfaUserControllerBase;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
@@ -12,13 +13,31 @@
 */
 class TideTfaUserController extends TfaUserControllerBase {
 
+ /**
+ * The request stack service.
+ *
+ * @var \Symfony\Component\HttpFoundation\RequestStack
+ */
+ protected $requestStack;
+
+ /**
+ * {@inheritdoc}
+ */
+ public static function create(ContainerInterface $container) {
+ // Get the parent instance with inherited dependencies.
+ $instance = parent::create($container);
+ $instance->requestStack = $container->get('request_stack');
+
+ return $instance;
+ }
+
 /**
 * {@inheritdoc}
 */
 public function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
 // Ensure a valid request object.
 if (!$request) {
- $request = \Drupal::request();
+ $request = $this->requestStack->getCurrentRequest();
 }
 
 // Check if the PRLP module is enabled.
@@ -41,8 +60,8 @@ public function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
 $user = $this->userStorage->load($uid);
 $this->setUser($user);
 
- // Let Drupal core deal with the one time login,
- // if Tfa is not enabled or
+ // Let Drupal core deal with the one-time login,
+ // if TFA is not enabled or
 // current user can skip TFA while resetting password.
 if ($this->isTfaDisabled() || $this->canSkipPassReset()) {
 // Use PRLP's resetPassLogin instead of the core function.
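Review bot: In `doResetPassLogin()` the fallback `$request = $this->requestStack->getCurrentRequest();` can still leave `$request` NULL when the request stack is empty, and nothing in the visible lines checks for that. The later hunk at -76 drops the ternary that tolerated a missing request, so `$request->getSession()->set('pass_reset_' . $uid, $token);` would then fail with an uncaught error instead of a clean denial. I would reject explicitly right after the fallback, `if (!$request) { throw new AccessDeniedHttpException(); }`, using the exception class the file already imports. The function body runs past both hunks, so confirm no guard already exists in the lines not shown.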
@@ -76,7 +95,7 @@ public function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
 if ($tfa_ready) {
 $this->session->migrate();
 $token = Crypt::randomBytesBase64(55);
- $request ? $request->getSession()->set('pass_reset_' . $uid, $token) : $_SESSION['pass_reset_' . $uid] = $token;
+ $request->getSession()->set('pass_reset_' . $uid, $token);
 
 $this->logger->notice('User %name used one-time login link at time %timestamp.', [
 '%name' => $user->getDisplayName(),
diff --git a/modules/tide_tfa/src/TideTfaOperation.php b/modules/tide_tfa/src/TideTfaOperation.php
index 4e6a24282..281c7f2c8 100644
--- a/modules/tide_tfa/src/TideTfaOperation.php
+++ b/modules/tide_tfa/src/TideTfaOperation.php
@@ -59,12 +59,14 @@ public static function setupTfaSettings() {
 // Define the roles to exclude in a variable.
 $excluded_roles = ['authenticated', 'previewer', 'secure_file_user'];
 
- // Iterate through the roles and map the role IDs.
- foreach ($roles as $role) {
- // Check if the current role is not in the excluded roles.
- if (!in_array($role->id(), $excluded_roles)) {
- // Map the role ID to itself.
- $tfa_required_roles[$role->id()] = $role->id();
+ if (!empty($roles)) {
+ // Iterate through the roles and map the role IDs.
+ foreach ($roles as $role) {
+ // Check if the current role is not in the excluded roles.
+ if (!in_array($role->id(), $excluded_roles)) {
+ // Map the role ID to itself.
+ $tfa_required_roles[$role->id()] = $role->id();
+ }
 }
 }
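Review bot: The new `if (!empty($roles))` guard in `setupTfaSettings()` skips the mapping silently, so when no roles are loaded `$tfa_required_roles` keeps whatever it held before this hunk and is presumably still saved, which would leave no role required to use TFA. `foreach` over an empty array was already a no-op, so the guard only hides a NULL or failed role load; that case is worth a logged warning or an early exit before the settings are written, rather than a quiet skip. Separately, the role check should compare strictly: `if (!in_array($role->id(), $excluded_roles, TRUE)) {`. The initialisation of `$tfa_required_roles` and the code that saves it are outside the hunk, so the effect on the stored TFA settings is inferred.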