🛡️ fix: OTP Verification For 2FA Disable Operation (#8975)

2025-09-22 08:12:00 +02:00 · 2025-08-10 15:05:16 -04:00 · 2025-08-10 15:05:16 -04:00 · 7e4c8a5d0d
commit 7e4c8a5d0d
parent edf33bedcb
6 changed files with 58 additions and 30 deletions
--- a/api/server/controllers/TwoFactorController.js
+++ b/api/server/controllers/TwoFactorController.js
@ -99,10 +99,36 @@ const confirm2FA = async (req, res) => {

 /**
 * Disable 2FA by clearing the stored secret and backup codes.
+ * Requires verification with either TOTP token or backup code if 2FA is fully enabled.
 */
 const disable2FA = async (req, res) => {
  try {
    const userId = req.user.id;
+    const { token, backupCode } = req.body;
+    const user = await getUserById(userId);
+
+    if (!user || !user.totpSecret) {
+      return res.status(400).json({ message: '2FA is not setup for this user' });
+    }
+
+    if (user.twoFactorEnabled) {
+      const secret = await getTOTPSecret(user.totpSecret);
+      let isVerified = false;
+
+      if (token) {
+        isVerified = await verifyTOTP(secret, token);
+      } else if (backupCode) {
+        isVerified = await verifyBackupCode({ user, backupCode });
+      } else {
+        return res
+          .status(400)
+          .json({ message: 'Either token or backup code is required to disable 2FA' });
+      }
+
+      if (!isVerified) {
+        return res.status(401).json({ message: 'Invalid token or backup code' });
+      }
+    }
    await updateUser(userId, { totpSecret: null, backupCodes: [], twoFactorEnabled: false });
    return res.status(200).json();
  } catch (err) {