fix: invalidate all sessions when enabling TOTP

When a user enables two factor authentication, all existing sessions are
now invalidated, requiring re-authentication. This prevents pre-existing
sessions from bypassing 2FA. The frontend now shows a notice explaining
the logout before the user confirms, and properly logs out after enabling.

Ref: GHSA-pgc7-cmvg-mvp4
This commit is contained in:
kolaente 2026-03-18 23:55:25 +01:00
parent 369b456d64
commit 3bc0093686
3 changed files with 11 additions and 2 deletions


@ -138,10 +138,11 @@
"scanQR": "Alternatively you can scan this QR code:",
"passcode": "Passcode",
"passcodePlaceholder": "A code generated by your TOTP application",
"confirmNotice": "After enabling two factor authentication, you will be logged out of all sessions and need to log in again.",
"setupSuccess": "You've successfully set up two factor authentication!",
"enterPassword": "Please Enter Your Password",
"disable": "Disable two factor authentication",
"confirmSuccess": "You've successfully confirmed your TOTP setup and can use it from now on!",
"confirmSuccess": "You've successfully enabled two factor authentication!",
"disableSuccess": "Two factor authentication was successfully disabled."
},
"caldav": {


@ -23,6 +23,9 @@
alt=""
>
</p>
<p>
{{ $t('user.settings.totp.confirmNotice') }}
</p>
<FormField
id="totpConfirmPasscode"
v-model="totpConfirmPasscode"
@ -145,8 +148,8 @@ async function totpEnroll() {
async function totpConfirm() {
await totpService.enable({passcode: totpConfirmPasscode.value})
totp.value.enabled = true
success({message: t('user.settings.totp.confirmSuccess')})
await authStore.logout()
}
async function totpDisable() {
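Review bot: In `totpConfirm`, `await authStore.logout()` runs after the enable request has already succeeded, and by then the backend has deleted every session for this user, including the one this request was authenticated with; if `authStore.logout()` performs a server-side logout call with that now-invalid token (not visible here), the call may fail with a 401 and the local token could be left in storage rather than cleared. Make the local teardown unconditional, e.g. `try { await authStore.logout() } finally { /* clear local token, route to login */ }`, or confirm that the store already clears local state when the server call errors. The `success({message: ...})` toast on the line before fires immediately ahead of the redirect to the login page, so the user likely never sees it; either drop it or surface the notice on the login screen. `totpConfirm` is fully inside this hunk, but whether the `success(...)` line is kept or removed on the new side is not recoverable from the rendered page.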


@ -122,6 +122,11 @@ func UserTOTPEnable(c *echo.Context) error {
return err
}
if err := models.DeleteAllUserSessions(s, u.ID); err != nil {
_ = s.Rollback()
return err
}
if err := s.Commit(); err != nil {
_ = s.Rollback()
return err