From 3bc009368628fb286632b456f9bf2d575a8bfa43 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 18 Mar 2026 23:55:25 +0100
Subject: [PATCH] fix: invalidate all sessions when enabling TOTP
When a user enables two factor authentication, all existing sessions are
now invalidated, requiring re-authentication. This prevents pre-existing
sessions from bypassing 2FA. The frontend now shows a notice explaining
the logout before the user confirms, and properly logs out after enabling.
Ref: GHSA-pgc7-cmvg-mvp4
---
frontend/src/i18n/lang/en.json | 3 ++-
frontend/src/views/user/settings/TOTP.vue | 5 ++++-
pkg/routes/api/v1/user_totp.go | 5 +++++
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/frontend/src/i18n/lang/en.json b/frontend/src/i18n/lang/en.json
index b7f4890a9..3d4b43c12 100644
--- a/frontend/src/i18n/lang/en.json
+++ b/frontend/src/i18n/lang/en.json
@@ -138,10 +138,11 @@
"scanQR": "Alternatively you can scan this QR code:",
"passcode": "Passcode",
"passcodePlaceholder": "A code generated by your TOTP application",
+ "confirmNotice": "After enabling two factor authentication, you will be logged out of all sessions and need to log in again.",
"setupSuccess": "You've successfully set up two factor authentication!",
"enterPassword": "Please Enter Your Password",
"disable": "Disable two factor authentication",
- "confirmSuccess": "You've successfully confirmed your TOTP setup and can use it from now on!",
+ "confirmSuccess": "You've successfully enabled two factor authentication!",
"disableSuccess": "Two factor authentication was successfully disabled."
},
"caldav": {
diff --git a/frontend/src/views/user/settings/TOTP.vue b/frontend/src/views/user/settings/TOTP.vue
index 83fe8627a..2a3f7abd5 100644
--- a/frontend/src/views/user/settings/TOTP.vue
+++ b/frontend/src/views/user/settings/TOTP.vue
@@ -23,6 +23,9 @@
alt=""
>
+
+ {{ $t('user.settings.totp.confirmNotice') }}
+