2FA: require a code to disable; keep 'Bolt Card Hub' issuer#39
Merged
Conversation
Disabling 2FA now requires the admin password AND a current TOTP or recovery code, not just the password — a 24h-old 2FA-backed session plus a (phishable, reusable, browser-saved) password is exactly the threat 2FA defends against, so turning the second factor off must prove possession of it. The recovery codes and the DisableAdmin2FA CLI remain the lost-authenticator escape hatches, so this can't cause a lockout. The disable dialog gains a code field with an authenticator/recovery toggle (Enter submits). Also reverts the otpauth issuer back to "Bolt Card Hub" (from "Boltcard Hub"): the proper product name is preferred over chasing Authy's opaque logo matcher. Bump 0.20.2 -> 0.20.3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two follow-ups to the admin 2FA feature:
Disabling 2FA now requires proof of possession. The disable endpoint previously accepted just the admin password. But the session is up to 24h old and a password can be phished / reused / browser-saved — exactly what 2FA defends against. Disabling now requires the password and a current TOTP code (or a single-use recovery code). Backend (
adminApi2faDisable): when 2FA is active, a missing/invalid code → 400; valid TOTP or recovery code required before the keys are cleared. The disable dialog gains a code field with an authenticator/recovery toggle (Enter submits). No lockout risk — recovery codes and theDisableAdmin2FACLI remain the lost-authenticator escape hatches.Revert the otpauth issuer to
Bolt Card Hub. PR 2FA enrollment UX: submit on Enter + avoid wrong Authy logo #38 changed it toBoltcard Hubto dodge Authy's logo matcher, but Authy's matching is opaque/unverifiable and the proper product name is preferred. Reverted.Bump 0.20.2 → 0.20.3 (PATCH).
Test Plan
go vet,go build,go test -race ./web/(2FA/login/TOTP) andnpm run buildall pass.🤖 Generated with Claude Code