fix: invalidate all sessions when enabling TOTP
When a user enables two factor authentication, all existing sessions are now invalidated, requiring re-authentication. This prevents pre-existing sessions from bypassing 2FA. The frontend now shows a notice explaining the logout before the user confirms, and properly logs out after enabling. Ref: GHSA-pgc7-cmvg-mvp4
parent
369b456d64
commit
3bc0093686
|
|
@ -138,10 +138,11 @@
|
|||
"scanQR": "Alternatively you can scan this QR code:",
|
||||
"passcode": "Passcode",
|
||||
"passcodePlaceholder": "A code generated by your TOTP application",
|
||||
"confirmNotice": "After enabling two factor authentication, you will be logged out of all sessions and need to log in again.",
|
||||
"setupSuccess": "You've successfully set up two factor authentication!",
|
||||
"enterPassword": "Please Enter Your Password",
|
||||
"disable": "Disable two factor authentication",
|
||||
"confirmSuccess": "You've successfully confirmed your TOTP setup and can use it from now on!",
|
||||
"confirmSuccess": "You've successfully enabled two factor authentication!",
|
||||
"disableSuccess": "Two factor authentication was successfully disabled."
|
||||
},
|
||||
"caldav": {
|
||||
|
|
|
|||
|
|
@ -23,6 +23,9 @@
|
|||
alt=""
|
||||
>
|
||||
</p>
|
||||
<p>
|
||||
{{ $t('user.settings.totp.confirmNotice') }}
|
||||
</p>
|
||||
<FormField
|
||||
id="totpConfirmPasscode"
|
||||
v-model="totpConfirmPasscode"
|
||||
|
|
@ -145,8 +148,8 @@ async function totpEnroll() {
|
|||
|
||||
async function totpConfirm() {
|
||||
await totpService.enable({passcode: totpConfirmPasscode.value})
|
||||
totp.value.enabled = true
|
||||
success({message: t('user.settings.totp.confirmSuccess')})
|
||||
await authStore.logout()
|
||||
}
|
||||
|
||||
async function totpDisable() {
|
||||
|
|
|
|||
|
|
@ -122,6 +122,11 @@ func UserTOTPEnable(c *echo.Context) error {
|
|||
return err
|
||||
}
|
||||
|
||||
if err := models.DeleteAllUserSessions(s, u.ID); err != nil {
|
||||
_ = s.Rollback()
|
||||
return err
|
||||
}
|
||||
|
||||
if err := s.Commit(); err != nil {
|
||||
_ = s.Rollback()
|
||||
return err
|
||||
|
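Review bot: The new DeleteAllUserSessions call carries no comment explaining why session invalidation belongs inside this handler and this transaction; add `// Invalidate every existing session so a session created before 2FA was enabled cannot skip the second factor (GHSA-pgc7-cmvg-mvp4).` above it. Deleting the sessions in the same transaction as the TOTP enable is the right shape, because a failure in either step leaves neither change visible. The `_ = s.Rollback()` after a failed `s.Commit()` mirrors the earlier error branch, but whether a rollback after a commit error does anything depends on the session type, which is not visible here; if it is a no-op, dropping it keeps the two error paths distinguishable. Only sessions are invalidated by this change; if the project also issues long-lived tokens (the translation file in this commit mentions CalDAV), confirm whether those are meant to stay valid after 2FA is enabled. UserTOTPEnable begins before and continues past this hunk.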
|
|
|||