From 30fb754a5f93fac2040c94a41c525d46fc2eab43 Mon Sep 17 00:00:00 2001
From: Nriver <6752679+Nriver@users.noreply.github.com>
Date: Wed, 2 Apr 2025 14:29:37 +0800
Subject: [PATCH] hotfix(auth): fix TOTP validation bypass issue

---
 src/routes/login.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/routes/login.ts b/src/routes/login.ts
index 7b0ace3aa..dc24e2d1d 100644
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -77,11 +77,6 @@ function login(req: Request, res: Response) {
     const submittedPassword = req.body.password;
     const submittedTotpToken = req.body.totpToken;
 
-    if (!verifyPassword(submittedPassword)) {
-        sendLoginError(req, res, 'password');
-        return;
-    }
-
     if (totp.isTotpEnabled()) {
         if (!verifyTOTP(submittedTotpToken)) {
             sendLoginError(req, res, 'totp');
@@ -89,6 +84,11 @@ function login(req: Request, res: Response) {
         }
     }
 
+    if (!verifyPassword(submittedPassword)) {
+        sendLoginError(req, res, 'password');
+        return;
+    }
+
     const rememberMe = req.body.rememberMe;
     req.session.regenerate(() => {
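Review bot: With the TOTP branch now ahead of the password check in the first hunk, a submission with a wrong TOTP code is answered with `sendLoginError(req, res, 'totp')` before `verifyPassword` ever runs, and a correct code with a wrong password is answered with `'password'` in the second hunk, so the response tells the client which factor failed and lets the second factor be validated without the password being known. The commit subject says the old order allowed a TOTP bypass but not why, so a comment at the top of this block explaining the required ordering (and that it must not be reverted) would stop the next refactor from reintroducing it; I cannot see the `return;` that presumably follows the `'totp'` error because old line 88 falls between the two hunks, and `login` begins and ends outside both hunks. A safer shape is to evaluate both factors before sending any error and report a single reason, as below (the `'password'` reason is kept only because I cannot see what other values `sendLoginError` accepts); whether the route is rate-limited against repeated failures is also outside the hunk and worth confirming.
```typescript
    // … unchanged: read submittedPassword / submittedTotpToken …
    // Evaluate every factor before responding so the reply does not reveal
    // which one failed and the TOTP code cannot be checked on its own.
    const passwordOk = verifyPassword(submittedPassword);
    const totpOk = !totp.isTotpEnabled() || verifyTOTP(submittedTotpToken);
    if (!passwordOk || !totpOk) {
        sendLoginError(req, res, 'password'); // use a generic reason if sendLoginError supports one
        return;
    }
    // … unchanged: rememberMe / session regeneration …
```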