Merge pull request #1597 from TriliumNext/hotfix/totp-validation-bypass

hotfix(auth): fix TOTP validation bypass issue
2026-02-17 19:58:46 -06:00 · 2025-04-02 11:42:38 +02:00
parent 9a5793dfdd 30fb754a5f
commit 9f3076755c
1 changed files with 5 additions and 5 deletions
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -77,11 +77,6 @@ function login(req: Request, res: Response) {
    const submittedPassword = req.body.password;
    const submittedTotpToken = req.body.totpToken;

-    if (!verifyPassword(submittedPassword)) {
-        sendLoginError(req, res, 'password');
-        return;
-    }
-
    if (totp.isTotpEnabled()) {
        if (!verifyTOTP(submittedTotpToken)) {
            sendLoginError(req, res, 'totp');
@@ -89,6 +84,11 @@ function login(req: Request, res: Response) {
        }
    }

+    if (!verifyPassword(submittedPassword)) {
+        sendLoginError(req, res, 'password');
+        return;
+    }
+
    const rememberMe = req.body.rememberMe;

    req.session.regenerate(() => {