fix: require password confirmation to disable 2FA, enhancing security against session hijacking
This commit is contained in:
Usman Baig
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Fixed
|
||||
|
||||
- **2FA disable now requires password confirmation.** Disabling 2FA sends the derived password to the backend for verification. This prevents an attacker with a hijacked session from stripping 2FA.
|
||||
|
||||
## [0.11.1-alpha] - 2026-02-23
|
||||
|
||||
### Changed
|
||||
|
||||
Reference in New Issue
Block a user