packages/backend/src/server/api/endpoints/i/2fa/key-done.ts

@@ -47,6 +47,10 @@ export default define(meta, paramDef, async (ps, user) => {
 		throw new Error("incorrect password");
 	}
 
+	if (!profile.twoFactorEnabled) {
+		throw new Error("2fa not enabled");
+	}
+
 	const clientData = JSON.parse(ps.clientDataJSON);
 
 	if (clientData.type !== "webauthn.create") {
@@ -144,8 +148,6 @@ export default define(meta, paramDef, async (ps, user) => {
 		}),
 	);
 
-	UserProfiles.update(user.id, { securityKeysAvailable: true });
-
 	return {
 		id: credentialIdString,
 		name: ps.name,

packages/backend/src/server/api/endpoints/i/2fa/register-key.ts

@@ -32,6 +32,10 @@ export default define(meta, paramDef, async (ps, user) => {
 		throw new Error("incorrect password");
 	}
 
+	// if (!profile.twoFactorEnabled) {
+	// 	throw new Error("2fa not enabled");
+	// }
+
 	// 32 byte challenge
 	const entropy = await randomBytes(32);
 	const challenge = entropy

packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts

@@ -47,9 +47,8 @@ export default define(meta, paramDef, async (ps, user) => {
 	});
 
 	if (keyCount === 0) {
-		await UserProfiles.update(user.id, {
+		await UserProfiles.update(me.id, {
 			usePasswordLessLogin: false,
-			securityKeysAvailable: false,
 		});
 	}
 

packages/backend/src/server/api/private/signin.ts

@@ -116,7 +116,7 @@ export default async (ctx: Koa.Context) => {
 		);
 	}
 
-	if (!profile.twoFactorEnabled && !profile.securityKeysAvailable) {
+	if (!profile.twoFactorEnabled) {
 		if (same) {
 			signin(ctx, user);
 			return;
@@ -128,7 +128,7 @@ export default async (ctx: Koa.Context) => {
 		}
 	}
 
-	if (token && profile.twoFactorEnabled) {
+	if (token) {
 		if (!same) {
 			await fail(403, {
 				id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",

packages/client/src/components/MkSignin.vue

@@ -79,10 +79,10 @@
 						{{ i18n.ts.retry }}
 					</MkButton>
 				</div>
-				<div v-if="user && user.securityKeys && user.twoFactorEnabled" class="or-hr">
+				<div v-if="user && user.securityKeys" class="or-hr">
 					<p class="or-msg">{{ i18n.ts.or }}</p>
 				</div>
-				<div v-if="user.twoFactorEnabled" class="twofa-group totp-group">
+				<div class="twofa-group totp-group">
 					<p style="margin-bottom: 0">
 						{{ i18n.ts.twoStepAuthentication }}
 					</p>
@@ -247,23 +247,25 @@ function queryKey() {
 function onSubmit() {
 	signing.value = true;
 	console.log("submit");
-	if (window.PublicKeyCredential && user.value.securityKeys) {
+	if (!totpLogin.value && user.value && user.value.twoFactorEnabled) {
-		os.api("signin", {
+		if (window.PublicKeyCredential && user.value.securityKeys) {
-			username: username.value,
+			os.api("signin", {
-			password: password.value,
+				username: username.value,
-			"hcaptcha-response": hCaptchaResponse.value,
+				password: password.value,
-			"g-recaptcha-response": reCaptchaResponse.value,
+				"hcaptcha-response": hCaptchaResponse.value,
-		})
+				"g-recaptcha-response": reCaptchaResponse.value,
-			.then((res) => {
-				totpLogin.value = true;
-				signing.value = false;
-				challengeData.value = res;
-				return queryKey();
 			})
-			.catch(loginFailed);
+				.then((res) => {
-	} else if (!totpLogin.value && user.value && user.value.twoFactorEnabled) {
+					totpLogin.value = true;
-		totpLogin.value = true;
+					signing.value = false;
-		signing.value = false;
+					challengeData.value = res;
+					return queryKey();
+				})
+				.catch(loginFailed);
+		} else {
+			totpLogin.value = true;
+			signing.value = false;
+		}
 	} else {
 		os.api("signin", {
 			username: username.value,

packages/client/src/pages/settings/2fa.vue

@@ -14,7 +14,17 @@
 				<template #caption>{{ i18n.ts.totpDescription }}</template>
 				<div v-if="$i.twoFactorEnabled" class="_gaps_s">
 					<div v-text="i18n.ts._2fa.alreadyRegistered" />
-					<MkButton @click="unregisterTOTP"
+					<template v-if="$i.securityKeysList.length > 0">
+						<MkButton @click="renewTOTP"
+							><i
+								:class="icon('ph-shield-check')"
+								style="margin-inline-end: 0.5rem"
+							></i
+							>{{ i18n.ts._2fa.renewTOTP }}</MkButton
+						>
+						<MkInfo>{{ i18n.ts._2fa.whyTOTPOnlyRenew }}</MkInfo>
+					</template>
+					<MkButton v-else @click="unregisterTOTP"
 						><i
 							:class="icon('ph-shield-slash')"
 							style="margin-inline-end: 0.5rem"
@@ -49,6 +59,13 @@
 						{{ i18n.ts._2fa.securityKeyNotSupported }}
 					</MkInfo>
 
+					<MkInfo
+						v-else-if="supportsCredentials && !$i.twoFactorEnabled"
+						warn
+					>
+						{{ i18n.ts._2fa.registerTOTPBeforeKey }}
+					</MkInfo>
+
 					<template v-else>
 						<MkButton primary @click="addSecurityKey"
 							><i
@@ -188,6 +205,19 @@ function unregisterTOTP() {
 	});
 }
 
+function renewTOTP() {
+	os.confirm({
+		type: "question",
+		title: i18n.ts._2fa.renewTOTP,
+		text: i18n.ts._2fa.renewTOTPConfirm,
+		okText: i18n.ts._2fa.renewTOTPOk,
+		cancelText: i18n.ts._2fa.renewTOTPCancel,
+	}).then(({ canceled }) => {
+		if (canceled) return;
+		registerTOTP();
+	});
+}
+
 async function unregisterKey(key) {
 	const confirm = await os.confirm({
 		type: "question",