From 3bc009368628fb286632b456f9bf2d575a8bfa43 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 18 Mar 2026 23:55:25 +0100
Subject: [PATCH] fix: invalidate all sessions when enabling TOTP

When a user enables two factor authentication, all existing sessions are now invalidated, requiring re-authentication. This prevents pre-existing sessions from bypassing 2FA. The frontend now shows a notice explaining the logout before the user confirms, and properly logs out after enabling.
Ref: GHSA-pgc7-cmvg-mvp4
---
 frontend/src/i18n/lang/en.json | 3 ++-
 frontend/src/views/user/settings/TOTP.vue | 5 ++++-
 pkg/routes/api/v1/user_totp.go | 5 +++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/frontend/src/i18n/lang/en.json b/frontend/src/i18n/lang/en.json
index b7f4890a9..3d4b43c12 100644
--- a/frontend/src/i18n/lang/en.json
+++ b/frontend/src/i18n/lang/en.json
@@ -138,10 +138,11 @@
 "scanQR": "Alternatively you can scan this QR code:",
 "passcode": "Passcode",
 "passcodePlaceholder": "A code generated by your TOTP application",
+"confirmNotice": "After enabling two factor authentication, you will be logged out of all sessions and need to log in again.",
 "setupSuccess": "You've successfully set up two factor authentication!",
 "enterPassword": "Please Enter Your Password",
 "disable": "Disable two factor authentication",
-"confirmSuccess": "You've successfully confirmed your TOTP setup and can use it from now on!",
+"confirmSuccess": "You've successfully enabled two factor authentication!",
 "disableSuccess": "Two factor authentication was successfully disabled."
 },
 "caldav": {
diff --git a/frontend/src/views/user/settings/TOTP.vue b/frontend/src/views/user/settings/TOTP.vue
index 83fe8627a..2a3f7abd5 100644
--- a/frontend/src/views/user/settings/TOTP.vue
+++ b/frontend/src/views/user/settings/TOTP.vue
@@ -23,6 +23,9 @@
 alt=""
 >

+

+ {{ $t('user.settings.totp.confirmNotice') }} +