From cdf5d30a425d032f749b78b98b828f25ad882615 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:17:40 +0100
Subject: [PATCH] fix: reject CalDAV basic auth when TOTP is enabled
---
 pkg/routes/caldav/auth.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/pkg/routes/caldav/auth.go b/pkg/routes/caldav/auth.go
index ce9c3fdeb..06d86212d 100644
--- a/pkg/routes/caldav/auth.go
+++ b/pkg/routes/caldav/auth.go
@@ -47,6 +47,18 @@ func BasicAuth(c *echo.Context, username, password string) (bool, error) {
 log.Errorf("Error during basic auth for caldav: %v", err)
 return false, nil
 }
+
+ // If the user has TOTP enabled, reject password-based basic auth.
+ // They must use a CalDAV token instead.
+ totpEnabled, err := user.TOTPEnabledForUser(s, u)
+ if err != nil {
+ log.Errorf("Error checking TOTP status for caldav basic auth: %v", err)
+ return false, nil
+ }
+ if totpEnabled {
+ log.Warningf("CalDAV basic auth rejected for user %d: TOTP is enabled, a CalDAV token is required", u.ID)
+ return false, nil
+ }
 }
 if u != nil && err == nil {
 c.Set("userBasicAuth", u)
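Review bot: The added TOTP check passes `u` to `user.TOTPEnabledForUser(s, u)` and reads `u.ID` in the warning without a nil guard, while the unchanged `if u != nil && err == nil` right after the block still treats a nil `u` as possible. If `user.CheckUserCredentials` can return a nil user together with a nil error (not visible in this hunk), the new lines could dereference nil before that guard is reached; adding `if u == nil { return false, nil }` ahead of the lookup keeps the path fail-closed. Separately, `totpEnabled, err := ...` appears to declare a new `err` inside the nested block, shadowing the one tested after it. That is harmless today because both new branches return, but `var totpEnabled bool` followed by `totpEnabled, err = user.TOTPEnabledForUser(s, u)` avoids the trap for later edits. The body of BasicAuth starts and ends outside the hunk.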