From b54af6c03a0feca0c69249ce2349edf6252e68a4 Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Mon, 23 Feb 2026 11:35:02 +0100
Subject: [PATCH] fix: require password confirmation to disable 2FA, enhancing security against session hijacking

---
 CHANGELOG.md | 4 ++++
 lib/api/2fa.ts | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d090467..8797068 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ## [Unreleased]
+### Fixed
+
+- **2FA disable now requires password confirmation.** Disabling 2FA sends the derived password to the backend for verification. This prevents an attacker with a hijacked session from stripping 2FA.
+
 ## [0.11.1-alpha] - 2026-02-23
 ### Changed
diff --git a/lib/api/2fa.ts b/lib/api/2fa.ts
index e2a7570..da27c8e 100644
--- a/lib/api/2fa.ts
+++ b/lib/api/2fa.ts
@@ -27,9 +27,10 @@ export async function verify2FA(code: string): Promise {
   })
 }
-export async function disable2FA(): Promise {
+export async function disable2FA(passwordDerived: string): Promise {
   return apiRequest('/auth/2fa/disable', {
     method: 'POST',
+    body: JSON.stringify({ password: passwordDerived }),
   })
 }
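Review bot: disable2FA forwards `passwordDerived` to the request body without any check, so a caller passing an empty string (an unfilled confirmation field, for instance) still issues the POST and the whole protection rests on the server rejecting it; a guard before the apiRequest call, `if (!passwordDerived) throw new Error('password confirmation is required to disable 2FA')`, makes the client-side contract explicit and fails early. The parameter name suggests a client-derived value rather than the raw password, yet it is sent under the plain key `password`; the function has no TSDoc, and a comment should state which form the backend expects, along the lines of a `/** Disables 2FA for the current user; passwordDerived is the client-derived password value the server re-verifies before disabling. */` header so callers do not pass the wrong thing. The session-hijacking mitigation described in the commit message depends on the server actually verifying this field, which this hunk cannot show since it only changes the client call. The rest of lib/api/2fa.ts, including apiRequest, lies outside the hunk.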