disallow totp for master token

Author: NickOvt

lib/api/2fa/totp.js

@@ -264,6 +264,14 @@ module.exports = (db, server, userHandler) => {
                 req.validate(roles.can(req.role).readAny('users'));
             }
 
+            if (req.user === 'root') {
+                res.status(403);
+                return res.json({
+                    error: 'TOTP validation is not allowed with master token',
+                    code: 'InvalidToken'
+                });
+            }
+
             let user = new ObjectId(result.value.user);
             result.value.accessTokenHash = req.accessToken?.hash;
             let totp = await userHandler.checkTotp(user, result.value);