🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration#12223
Merged
Conversation
…ler and UserController
- Reformatted code in TwoFactorController and UserController for better readability by aligning parameters and breaking long lines.
- Updated test cases in deleteUser.spec.js and TwoFactorController.spec.js to enhance clarity by formatting object parameters consistently.
Pull request overview
This PR updates the 2FA “enable” flow to accept OTP/backup-code input (and switches the route from GET to POST), strengthens 2FA enforcement for sensitive actions (account deletion, backup-code regeneration, re-enrollment), and adds Jest coverage for the updated controller behavior.
Changes:
- Change `/api/auth/2fa/enable` from GET → POST and plumb an optional `{ token, backupCode }` request payload through the data-provider and client mutation.
- Enforce 2FA verification for account deletion when 2FA is enabled on the account.
- Tighten controller behavior around 2FA re-enrollment / backup-code regeneration and add unit tests for these flows.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| packages/data-provider/src/types.ts | Adds TEnable2FARequest; removes backupCodesHash from TRegenerateBackupCodesResponse. |
| packages/data-provider/src/data-service.ts | Switches enableTwoFactor() to POST and forwards an optional payload. |
| client/src/data-provider/Auth/mutations.ts | Updates useEnableTwoFactorMutation to accept an optional 2FA payload. |
| api/server/routes/auth.js | Switches /2fa/enable route from GET to POST. |
| api/server/controllers/UserController.js | Requires OTP/backup-code verification to delete an account when 2FA is enabled. |
| api/server/controllers/TwoFactorController.js | Adds verification requirements for re-enrollment and backup-code regeneration; adjusts responses. |
| api/server/controllers/tests/deleteUser.spec.js | Adds tests covering delete-user behavior with/without 2FA and with valid/invalid credentials. |
| api/server/controllers/tests/TwoFactorController.spec.js | Adds tests for enable2FA re-enrollment rules and backup-code regeneration response shape. |
…ctorController and UserController
- Introduced a new `verifyOTPOrBackupCode` function to streamline the verification process for TOTP tokens and backup codes across multiple controllers.
- Updated the `enable2FA`, `disable2FA`, and `deleteUserController` methods to utilize the new verification function, enhancing code reusability and readability.
- Adjusted related tests to reflect the changes in verification logic, ensuring consistent behavior across different scenarios.
- Improved error handling and response messages for verification failures, providing clearer feedback to users.
…n logic
- Consolidated OTP input handling by moving the 2FA verification UI logic to a more consistent location within the component.
- Improved the state management for OTP readiness, ensuring the regenerate button is only enabled when the OTP is ready.
- Cleaned up imports by removing redundant type imports, enhancing code clarity and maintainability.
… window
enable2FA now writes to pendingTotpSecret/pendingBackupCodes instead of overwriting the live fields. confirm2FA performs the atomic swap only after the new TOTP code is verified. If the user abandons mid-flow, their existing 2FA remains active and intact.
jcbartle pushed a commit to jcbartle/LibreChat that referenced this pull request on May 11, 2026
… Regeneration (danny-avila#12223)
* fix: require OTP verification for 2FA re-enrollment and backup code regeneration
* fix: require OTP verification for account deletion when 2FA is enabled
* refactor: Improve code formatting and readability in TwoFactorController and UserController
  - Reformatted code in TwoFactorController and UserController for better readability by aligning parameters and breaking long lines.
  - Updated test cases in deleteUser.spec.js and TwoFactorController.spec.js to enhance clarity by formatting object parameters consistently.
* refactor: Consolidate OTP and backup code verification logic in TwoFactorController and UserController
  - Introduced a new `verifyOTPOrBackupCode` function to streamline the verification process for TOTP tokens and backup codes across multiple controllers.
  - Updated the `enable2FA`, `disable2FA`, and `deleteUserController` methods to utilize the new verification function, enhancing code reusability and readability.
  - Adjusted related tests to reflect the changes in verification logic, ensuring consistent behavior across different scenarios.
  - Improved error handling and response messages for verification failures, providing clearer feedback to users.
* chore: linting
* refactor: Update BackupCodesItem component to enhance OTP verification logic
  - Consolidated OTP input handling by moving the 2FA verification UI logic to a more consistent location within the component.
  - Improved the state management for OTP readiness, ensuring the regenerate button is only enabled when the OTP is ready.
  - Cleaned up imports by removing redundant type imports, enhancing code clarity and maintainability.
* chore: lint
* fix: stage 2FA re-enrollment in pending fields to prevent disarmament window
  enable2FA now writes to pendingTotpSecret/pendingBackupCodes instead of overwriting the live fields. confirm2FA performs the atomic swap only after the new TOTP code is verified. If the user abandons mid-flow, their existing 2FA remains active and intact.