fix(frontend): show 2fa code field in login only if 2fa is enabled

fix(backend): don't reject logins where 2fa is disabled and security keys are available

packages/backend/src/server/api/endpoints/i/2fa/key-done.ts

@@ -47,10 +47,6 @@ export default define(meta, paramDef, async (ps, user) => {
 		throw new Error("incorrect password");
 	}
 
-	if (!profile.twoFactorEnabled) {
-		throw new Error("2fa not enabled");
-	}
-
 	const clientData = JSON.parse(ps.clientDataJSON);
 
 	if (clientData.type !== "webauthn.create") {
@@ -148,6 +144,8 @@ export default define(meta, paramDef, async (ps, user) => {
 		}),
 	);
 
+	UserProfiles.update(user.id, { securityKeysAvailable: true });
+
 	return {
 		id: credentialIdString,
 		name: ps.name,

packages/backend/src/server/api/endpoints/i/2fa/register-key.ts

@@ -32,10 +32,6 @@ export default define(meta, paramDef, async (ps, user) => {
 		throw new Error("incorrect password");
 	}
 
-	// if (!profile.twoFactorEnabled) {
-	// 	throw new Error("2fa not enabled");
-	// }
-
 	// 32 byte challenge
 	const entropy = await randomBytes(32);
 	const challenge = entropy

packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts

@@ -47,8 +47,9 @@ export default define(meta, paramDef, async (ps, user) => {
 	});
 
 	if (keyCount === 0) {
-		await UserProfiles.update(me.id, {
+		await UserProfiles.update(user.id, {
 			usePasswordLessLogin: false,
+			securityKeysAvailable: false,
 		});
 	}
 

packages/backend/src/server/api/private/signin.ts

@@ -116,7 +116,7 @@ export default async (ctx: Koa.Context) => {
 		);
 	}
 
-	if (!profile.twoFactorEnabled) {
+	if (!profile.twoFactorEnabled && !profile.securityKeysAvailable) {
 		if (same) {
 			signin(ctx, user);
 			return;
@@ -128,7 +128,7 @@ export default async (ctx: Koa.Context) => {
 		}
 	}
 
-	if (token) {
+	if (token && profile.twoFactorEnabled) {
 		if (!same) {
 			await fail(403, {
 				id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",

packages/client/src/components/MkSignin.vue

@@ -79,10 +79,10 @@
 						{{ i18n.ts.retry }}
 					</MkButton>
 				</div>
-				<div v-if="user && user.securityKeys" class="or-hr">
+				<div v-if="user && user.securityKeys && user.twoFactorEnabled" class="or-hr">
 					<p class="or-msg">{{ i18n.ts.or }}</p>
 				</div>
-				<div class="twofa-group totp-group">
+				<div v-if="user.twoFactorEnabled" class="twofa-group totp-group">
 					<p style="margin-bottom: 0">
 						{{ i18n.ts.twoStepAuthentication }}
 					</p>
@@ -247,25 +247,23 @@ function queryKey() {
 function onSubmit() {
 	signing.value = true;
 	console.log("submit");
-	if (!totpLogin.value && user.value && user.value.twoFactorEnabled) {
-		if (window.PublicKeyCredential && user.value.securityKeys) {
-			os.api("signin", {
-				username: username.value,
-				password: password.value,
-				"hcaptcha-response": hCaptchaResponse.value,
-				"g-recaptcha-response": reCaptchaResponse.value,
+	if (window.PublicKeyCredential && user.value.securityKeys) {
+		os.api("signin", {
+			username: username.value,
+			password: password.value,
+			"hcaptcha-response": hCaptchaResponse.value,
+			"g-recaptcha-response": reCaptchaResponse.value,
+		})
+			.then((res) => {
+				totpLogin.value = true;
+				signing.value = false;
+				challengeData.value = res;
+				return queryKey();
 			})
-				.then((res) => {
-					totpLogin.value = true;
-					signing.value = false;
-					challengeData.value = res;
-					return queryKey();
-				})
-				.catch(loginFailed);
-		} else {
-			totpLogin.value = true;
-			signing.value = false;
-		}
+			.catch(loginFailed);
+	} else if (!totpLogin.value && user.value && user.value.twoFactorEnabled) {
+		totpLogin.value = true;
+		signing.value = false;
 	} else {
 		os.api("signin", {
 			username: username.value,

packages/client/src/pages/settings/2fa.vue

@@ -14,17 +14,7 @@
 				<template #caption>{{ i18n.ts.totpDescription }}</template>
 				<div v-if="$i.twoFactorEnabled" class="_gaps_s">
 					<div v-text="i18n.ts._2fa.alreadyRegistered" />
-					<template v-if="$i.securityKeysList.length > 0">
-						<MkButton @click="renewTOTP"
-							><i
-								:class="icon('ph-shield-check')"
-								style="margin-inline-end: 0.5rem"
-							></i
-							>{{ i18n.ts._2fa.renewTOTP }}</MkButton
-						>
-						<MkInfo>{{ i18n.ts._2fa.whyTOTPOnlyRenew }}</MkInfo>
-					</template>
-					<MkButton v-else @click="unregisterTOTP"
+					<MkButton @click="unregisterTOTP"
 						><i
 							:class="icon('ph-shield-slash')"
 							style="margin-inline-end: 0.5rem"
@@ -59,13 +49,6 @@
 						{{ i18n.ts._2fa.securityKeyNotSupported }}
 					</MkInfo>
 
-					<MkInfo
-						v-else-if="supportsCredentials && !$i.twoFactorEnabled"
-						warn
-					>
-						{{ i18n.ts._2fa.registerTOTPBeforeKey }}
-					</MkInfo>
-
 					<template v-else>
 						<MkButton primary @click="addSecurityKey"
 							><i
@@ -205,19 +188,6 @@ function unregisterTOTP() {
 	});
 }
 
-function renewTOTP() {
-	os.confirm({
-		type: "question",
-		title: i18n.ts._2fa.renewTOTP,
-		text: i18n.ts._2fa.renewTOTPConfirm,
-		okText: i18n.ts._2fa.renewTOTPOk,
-		cancelText: i18n.ts._2fa.renewTOTPCancel,
-	}).then(({ canceled }) => {
-		if (canceled) return;
-		registerTOTP();
-	});
-}
-
 async function unregisterKey(key) {
 	const confirm = await os.confirm({
 		type: "question",