fix(auth): add missing TOTP verification for /login/token (#6823)

2025-10-24 14:56:14 +08:00 · 2025-08-30 14:08:10 +03:00 · 2025-08-30 14:08:10 +03:00 · f7e77cd6cb
commit f7e77cd6cb
parent a7a94789e6 93c9383a92
1 changed files with 18 additions and 1 deletions
--- a/apps/server/src/routes/api/login.ts
+++ b/apps/server/src/routes/api/login.ts
@ -13,6 +13,8 @@ import sql from "../../services/sql.js";
 import ws from "../../services/ws.js";
 import etapiTokenService from "../../services/etapi_tokens.js";
 import type { Request } from "express";
+import totp from "../../services/totp";
+import recoveryCodeService from "../../services/encryption/recovery_codes";

 /**
 * @swagger
@ -161,9 +163,16 @@ function touchProtectedSession() {

 function token(req: Request) {
    const password = req.body.password;
+    const submittedTotpToken = req.body.totpToken;
+
+    if (totp.isTotpEnabled()) {
+        if (!verifyTOTP(submittedTotpToken)) {
+            return [401, "Incorrect credential"];
+        }
+    }

    if (!passwordEncryptionService.verifyPassword(password)) {
-        return [401, "Incorrect password"];
+        return [401, "Incorrect credential"];
    }

    // for backwards compatibility with Sender which does not send the name
@ -174,6 +183,14 @@ function token(req: Request) {
    return { token: authToken };
 }

+function verifyTOTP(submittedTotpToken: string) {
+    if (totp.validateTOTP(submittedTotpToken)) return true;
+
+    const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(submittedTotpToken);
+
+    return recoveryCodeValidates;
+}
+
 export default {
    loginSync,
    loginToProtectedSession,