halo-dev · f2c-ci-robot · Jan 7, 2026 · Jan 6, 2026
diff --git a/...n/src/main/java/run/halo/app/security/authorization/AuthorizationExchangeConfigurers.java b/...n/src/main/java/run/halo/app/security/authorization/AuthorizationExchangeConfigurers.java
@@ -19,6 +19,7 @@
 import reactor.core.publisher.Mono;
 import run.halo.app.core.user.service.RoleService;
 import run.halo.app.security.authentication.SecurityConfigurer;
+import run.halo.app.security.authentication.twofactor.TwoFactorAuthentication;
 
 /**
  * Authorization exchange configurers.
@@ -61,13 +62,25 @@ SecurityConfigurer preAuthenticationAuthorizationConfigurer() {
             .hasRole(AuthorityUtils.SUPER_ROLE_NAME)
             .pathMatchers("/logout/impersonate")
             .hasAuthority(SwitchUserWebFilter.ROLE_PREVIOUS_ADMINISTRATOR)
+            .pathMatchers("/challenges/**")
+            .access((authentication, context) ->
+                authentication.map(TwoFactorAuthentication.class::isInstance)
+                    .map(AuthorizationDecision::new)
+                    .switchIfEmpty(Mono.fromSupplier(() -> new AuthorizationDecision(false)))
+            )
             .pathMatchers(
                 "/login/**",
-                "/challenges/**",
                 "/password-reset/**",
                 "/signup"
             )
-            .permitAll());
+            .permitAll()
+            .pathMatchers("/logout")
+            .access((authentication, context) ->
+                authentication.map(a -> !authenticationTrustResolver.isAnonymous(a))
+                    .map(AuthorizationDecision::new)
+                    .switchIfEmpty(Mono.fromSupplier(() -> new AuthorizationDecision(false)))
+            )
+        );
     }
 
     @Bean
@@ -76,10 +89,10 @@ SecurityConfigurer authenticatedAuthorizationConfigurer() {
         // Anonymous user is not allowed
         return http -> http.authorizeExchange(
             spec -> spec.pathMatchers(
-                "/console/**",
-                "/uc/**",
-                "/logout"
-            ).authenticated()
+                    "/console/**",
+                    "/uc/**"
+                )
+                .authenticated()
         );
     }
 

diff --git a/application/src/main/resources/templates/challenges/two-factor/totp.html b/application/src/main/resources/templates/challenges/two-factor/totp.html
@@ -1,15 +1,26 @@
 <!doctype html>
 <html
     xmlns:th="https://www.thymeleaf.org"
-    th:replace="~{gateway_fragments/layout :: layout(title = |#{title} - ${site.title}|, head = null, body = ~{::body})}"
+    th:replace="~{gateway_fragments/layout :: layout(title = |#{title} - ${site.title}|, head = ~{::head}, body = ~{::body})}"
 >
     <th:block th:fragment="body">
-        <div class="gateway-wrapper">
+        <div class="gateway-wrapper totp-page-wrapper">
             <div th:replace="~{gateway_fragments/common::haloLogo}"></div>
             <div class="halo-form-wrapper">
                 <h1 class="form-title" th:text="#{title}"></h1>
                 <form th:replace="~{gateway_fragments/totp::form}"></form>
             </div>
         </div>
     </th:block>
+
+    <th:block th:fragment="head">
+        <style>
+            .totp-page-wrapper .cancel-link {
+                color: var(--color-link);
+                font-size: var(--text-sm);
+                text-decoration: none;
+                text-align: center;
+            }
+        </style>
+    </th:block>
 </html>
diff --git a/application/src/main/resources/templates/gateway_fragments/totp.html b/application/src/main/resources/templates/gateway_fragments/totp.html
@@ -27,4 +27,7 @@
     <div class="form-item">
         <button type="submit" th:text="#{form.submit}"></button>
     </div>
+    <div class="form-item">
+        <a th:href="@{/logout}" class="cancel-link" th:text="#{form.cancel}"></a>
+    </div>
 </form>
diff --git a/application/src/main/resources/templates/gateway_fragments/totp.properties b/application/src/main/resources/templates/gateway_fragments/totp.properties
@@ -1,3 +1,4 @@
 form.messages.invalidError=错误的验证码
 form.code.label=验证码
-form.submit=验证
+form.submit=验证
+form.cancel=取消
diff --git a/application/src/main/resources/templates/gateway_fragments/totp_en.properties b/application/src/main/resources/templates/gateway_fragments/totp_en.properties
@@ -1,3 +1,4 @@
 form.messages.invalidError=Invalid TOTP code
 form.code.label=TOTP Code
-form.submit=Verify
+form.submit=Verify
+form.cancel=Cancel
diff --git a/application/src/main/resources/templates/gateway_fragments/totp_es.properties b/application/src/main/resources/templates/gateway_fragments/totp_es.properties
@@ -1,3 +1,4 @@
 form.messages.invalidError=Código de verificación incorrecto
 form.code.label=Código de Verificación
-form.submit=Verificar
+form.submit=Verificar
+form.cancel=Cancelar
diff --git a/application/src/main/resources/templates/gateway_fragments/totp_zh_TW.properties b/application/src/main/resources/templates/gateway_fragments/totp_zh_TW.properties
@@ -1,3 +1,4 @@
 form.messages.invalidError=錯誤的驗證碼
 form.code.label=驗證碼
-form.submit=驗證
+form.submit=驗證
+form.cancel=取消