diff --git a/pkg/routes/caldav/auth.go b/pkg/routes/caldav/auth.go
index ce9c3fdeb..06d86212d 100644
--- a/pkg/routes/caldav/auth.go
+++ b/pkg/routes/caldav/auth.go
@@ -47,6 +47,18 @@ func BasicAuth(c *echo.Context, username, password string) (bool, error) {
 log.Errorf("Error during basic auth for caldav: %v", err)
 return false, nil
 }
+
+ // If the user has TOTP enabled, reject password-based basic auth.
+ // They must use a CalDAV token instead.
+ totpEnabled, err := user.TOTPEnabledForUser(s, u)
+ if err != nil {
+ log.Errorf("Error checking TOTP status for caldav basic auth: %v", err)
+ return false, nil
+ }
+ if totpEnabled {
+ log.Warningf("CalDAV basic auth rejected for user %d: TOTP is enabled, a CalDAV token is required", u.ID)
+ return false, nil
+ }
 }
 if u != nil && err == nil {
 c.Set("userBasicAuth", u)
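Review bot: The `log.Warningf` in the `if totpEnabled` branch records only `u.ID`, although this appears to be the one place where the server knows a caller presented a valid password for a 2FA-protected account. Adding the client address would make the line usable for detection and correlation, e.g. `log.Warningf("CalDAV basic auth rejected for user %d from %s: TOTP is enabled, a CalDAV token is required", u.ID, c.RealIP())`. Returning the same `false, nil` as the bad-password path is the right choice, because the response then does not confirm that the password was correct. The enclosing `if` and the start of BasicAuth are outside the hunk, so it is worth confirming that these rejections count toward whatever failed-login throttling the password path has, since none is visible here. BasicAuth's doc comment, also outside the hunk, should state that accounts with TOTP enabled can only authenticate with a CalDAV token.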