hotfix(auth): fix TOTP validation bypass issue

2025-07-27 18:12:29 +08:00 · 2025-04-02 14:29:37 +08:00 · 2025-04-02 14:29:37 +08:00 · 30fb754a5f
commit 30fb754a5f
parent 9a5793dfdd
1 changed files with 5 additions and 5 deletions
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@ -77,11 +77,6 @@ function login(req: Request, res: Response) {
    const submittedPassword = req.body.password;
    const submittedTotpToken = req.body.totpToken;

-    if (!verifyPassword(submittedPassword)) {
-        sendLoginError(req, res, 'password');
-        return;
-    }
-
    if (totp.isTotpEnabled()) {
        if (!verifyTOTP(submittedTotpToken)) {
            sendLoginError(req, res, 'totp');
@ -89,6 +84,11 @@ function login(req: Request, res: Response) {
        }
    }

+    if (!verifyPassword(submittedPassword)) {
+        sendLoginError(req, res, 'password');
+        return;
+    }
+
    const rememberMe = req.body.rememberMe;

    req.session.regenerate(() => {