fix: 2FA bypassed when enabled but TOTP secret is missing (fail-open) (#1286)

* fix: fail closed when 2FA is enabled but the TOTP secret is missing

* test: totp_verify fails closed when secret missing, passes when 2FA off
Afonso Coutinho
2026-06-02 17:26:47 +01:00
committed by GitHub
parent 65751186bd
commit 926a4c59cb
2 changed files with 25 additions and 1 deletions


@@ -376,7 +376,10 @@ class AuthManager:
return True # 2FA not enabled, always pass
secret = user.get("totp_secret")
if not secret:
return True
# 2FA is enabled but no secret is stored (corrupt/partially-written
# auth.json). Fail closed — returning True here bypassed the second
# factor entirely.
return False
# Check backup codes first
backup = user.get("totp_backup_codes", [])
if code in backup:
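Review bot: the new fail-closed branch under `if not secret:` returns False silently, so an enabled-but-secretless account (the corrupt or partially written auth.json the comment describes) is indistinguishable from a wrong code for both the user and the operator; log a warning naming the user (never the secret) before `return False` so the broken record gets repaired instead of presenting as repeated login failures. Note also that `if not secret:` treats an empty string the same as a missing key, which is the right call here but worth stating in the comment. Separately, the backup-code path that follows, `backup = user.get("totp_backup_codes", [])` / `if code in backup:`, does list membership with ordinary equality, i.e. a non-constant-time comparison of a secret; prefer iterating the stored codes with `hmac.compare_digest`, and the visible lines do not show the matched code being invalidated after use, so confirm that happens further down.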