fix: require password confirmation to disable 2FA, enhancing security against session hijacking

2026-02-23 11:35:02 +01:00
parent 2889b0bb0a
commit b54af6c03a
2 changed files with 6 additions and 1 deletions
--- a/lib/api/2fa.ts
+++ b/lib/api/2fa.ts
@@ -27,9 +27,10 @@ export async function verify2FA(code: string): Promise<Verify2FAResponse> {
  })
 }

-export async function disable2FA(): Promise<void> {
+export async function disable2FA(passwordDerived: string): Promise<void> {
  return apiRequest<void>('/auth/2fa/disable', {
    method: 'POST',
+    body: JSON.stringify({ password: passwordDerived }),
  })
 }