Skip to content

2FA: require a code to disable; keep 'Bolt Card Hub' issuer#39

Merged
PeterRounce merged 1 commit into
mainfrom
claude/2fa-disable-require-code
Jun 17, 2026
Merged

2FA: require a code to disable; keep 'Bolt Card Hub' issuer#39
PeterRounce merged 1 commit into
mainfrom
claude/2fa-disable-require-code

Conversation

@PeterRounce

Copy link
Copy Markdown
Member

Summary

Two follow-ups to the admin 2FA feature:

  1. Disabling 2FA now requires proof of possession. The disable endpoint previously accepted just the admin password. But the session is up to 24h old and a password can be phished / reused / browser-saved — exactly what 2FA defends against. Disabling now requires the password and a current TOTP code (or a single-use recovery code). Backend (adminApi2faDisable): when 2FA is active, a missing/invalid code → 400; valid TOTP or recovery code required before the keys are cleared. The disable dialog gains a code field with an authenticator/recovery toggle (Enter submits). No lockout risk — recovery codes and the DisableAdmin2FA CLI remain the lost-authenticator escape hatches.

  2. Revert the otpauth issuer to Bolt Card Hub. PR 2FA enrollment UX: submit on Enter + avoid wrong Authy logo #38 changed it to Boltcard Hub to dodge Authy's logo matcher, but Authy's matching is opaque/unverifiable and the proper product name is preferred. Reverted.

Bump 0.20.2 → 0.20.3 (PATCH).

Test Plan

  • go vet, go build, go test -race ./web/ (2FA/login/TOTP) and npm run build all pass.
  • Tests: disable with wrong password → 400 (stays on); right password + no code → 400; + wrong code → 400; + valid TOTP → 200 (keys cleared); + recovery code → 200.
  • After deploy: Settings → Disable 2FA now asks for password + code; wrong code is rejected; a recovery code works.

Note: depends on deploying ≥0.20.3. (The earlier "Enter doesn't work" / "Authy wrong logo" reports were a hub still running 0.20.1, before those fixes shipped in 0.20.2.)

🤖 Generated with Claude Code

Disabling 2FA now requires the admin password AND a current TOTP or recovery
code, not just the password — a 24h-old 2FA-backed session plus a (phishable,
reusable, browser-saved) password is exactly the threat 2FA defends against, so
turning the second factor off must prove possession of it. The recovery codes
and the DisableAdmin2FA CLI remain the lost-authenticator escape hatches, so
this can't cause a lockout. The disable dialog gains a code field with an
authenticator/recovery toggle (Enter submits).

Also reverts the otpauth issuer back to "Bolt Card Hub" (from "Boltcard Hub"):
the proper product name is preferred over chasing Authy's opaque logo matcher.

Bump 0.20.2 -> 0.20.3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@PeterRounce PeterRounce merged commit 243f6d7 into main Jun 17, 2026
7 checks passed
@PeterRounce PeterRounce deleted the claude/2fa-disable-require-code branch June 17, 2026 09:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant