Add TOTP secret to user_key hash

thanks @downtownallday * this invalidates all user_keys after TOTP status is changed for user * after changing TOTP state, a login is required * due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
2026-03-12 17:07:23 +01:00 · 2020-09-12 16:34:06 +02:00
parent 2ea97f0643
commit dcb93d071c
6 changed files with 43 additions and 26 deletions
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -439,7 +439,7 @@ def totp_post_enable():
 		return json_response({ "error": 'bad_input' }, 400)

 	if totp.validate(secret, token):
-		create_totp_credential(email, secret, token, env)
+		create_totp_credential(email, secret, env)
 		return json_response({})

 	return json_response({ "error": 'token_mismatch' }, 400)