auth(2fa): block setup after enable to avoid secret reissue

2026-03-08 19:07:20 +03:00
parent af1ce20640
commit d069ff1121
4 changed files with 38 additions and 1 deletions
--- a/app/auth/service.py
+++ b/app/auth/service.py
@@ -260,6 +260,8 @@ def get_access_session_info(token: str) -> tuple[str, datetime] | None:

 async def setup_twofa(db: AsyncSession, user: User) -> tuple[str, str]:
    if user.twofa_enabled and user.twofa_secret:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="2FA is already enabled")
+    if user.twofa_secret:
        secret = user.twofa_secret
    else:
        secret = generate_totp_secret()