ZMS-45: totp check, require session to allow checking totp

NickOvt · NickOvt · commit a95bdba50ec8 · 2026-03-26T09:15:26.000+02:00
diff --git a/lib/api/2fa/totp.js b/lib/api/2fa/totp.js
@@ -256,6 +256,15 @@ module.exports = (db, server, userHandler) => {
                 });
             }
 
+            // TOTP validation is only allowed for the currently authenticated user's session
+            if (!req.accessToken || req.accessToken.user !== result.value.user) {
+                res.status(403);
+                return res.json({
+                    error: 'Invalid or missing session',
+                    code: 'InvalidToken'
+                });
+            }
+
             // permissions check
             if (req.user && req.user === result.value.user) {
                 req.validate(roles.can(req.role).readOwn('users'));
diff --git a/test/api/users-test.js b/test/api/users-test.js
@@ -4,6 +4,7 @@
 
 const supertest = require('supertest');
 const chai = require('chai');
+const speakeasy = require('speakeasy');
 
 const expect = chai.expect;
 chai.config.includeStack = true;
@@ -301,6 +302,88 @@ describe('API Users', function () {
         await server.get(`/users/me?accessToken=${token2}`).expect(403);
     });
 
+    it('should POST /users/{user}/2fa/totp/check expect failure without a matching session', async () => {
+        const setupResponse = await server
+            .post(`/users/${user2}/2fa/totp/setup`)
+            .send({
+                issuer: 'WildDuck'
+            })
+            .expect(200);
+
+        expect(setupResponse.body.success).to.be.true;
+        expect(setupResponse.body.seed).to.exist;
+
+        const enableToken = speakeasy.totp({
+            secret: setupResponse.body.seed,
+            encoding: 'base32'
+        });
+
+        const enableResponse = await server
+            .post(`/users/${user2}/2fa/totp/enable`)
+            .send({
+                token: enableToken
+            })
+            .expect(200);
+
+        expect(enableResponse.body.success).to.be.true;
+
+        const userTokenResponse = await server
+            .post('/authenticate')
+            .send({
+                username: 'myuser2',
+                password: 'secretvalue',
+                token: true
+            })
+            .expect(200);
+
+        expect(userTokenResponse.body.success).to.be.true;
+        expect(userTokenResponse.body.token).to.exist;
+
+        const user2TokenResponse = await server
+            .post('/authenticate')
+            .send({
+                username: 'myuser2hash',
+                password: 'test',
+                token: true
+            })
+            .expect(200);
+
+        expect(user2TokenResponse.body.success).to.be.true;
+        expect(user2TokenResponse.body.token).to.exist;
+
+        const totpToken = speakeasy.totp({
+            secret: setupResponse.body.seed,
+            encoding: 'base32'
+        });
+
+        const noSessionResponse = await server
+            .post(`/users/${user2}/2fa/totp/check`)
+            .send({
+                token: totpToken
+            })
+            .expect(403);
+
+        expect(noSessionResponse.body.code).to.equal('InvalidToken');
+
+        const wrongSessionResponse = await server
+            .post(`/users/${user2}/2fa/totp/check?accessToken=${userTokenResponse.body.token}`)
+            .send({
+                token: totpToken
+            })
+            .expect(403);
+
+        expect(wrongSessionResponse.body.code).to.equal('InvalidToken');
+
+        const successResponse = await server
+            .post(`/users/${user2}/2fa/totp/check?accessToken=${user2TokenResponse.body.token}`)
+            .send({
+                token: totpToken
+            })
+            .expect(200);
+
+        expect(successResponse.body.success).to.be.true;
+    });
+
     it('should PUT /users/{user}/logout expect success', async () => {
         // request logout
         const response = await server.put(`/users/${user}/logout`).send({ reason: 'Just because' }).expect(200);
