fix: require password confirmation to disable 2FA, enhancing security against session hijacking

2026-02-23 11:35:02 +01:00
parent 2889b0bb0a
commit b54af6c03a
2 changed files with 6 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),

 ## [Unreleased]

+### Fixed
+
+- **2FA disable now requires password confirmation.** Disabling 2FA sends the derived password to the backend for verification. This prevents an attacker with a hijacked session from stripping 2FA.
+
 ## [0.11.1-alpha] - 2026-02-23

 ### Changed
--- a/lib/api/2fa.ts
+++ b/lib/api/2fa.ts
@@ -27,9 +27,10 @@ export async function verify2FA(code: string): Promise<Verify2FAResponse> {
  })
 }

-export async function disable2FA(): Promise<void> {
+export async function disable2FA(passwordDerived: string): Promise<void> {
  return apiRequest<void>('/auth/2fa/disable', {
    method: 'POST',
+    body: JSON.stringify({ password: passwordDerived }),
  })
 }