auth(2fa): block setup after enable to avoid secret reissue

2026-03-08 19:07:20 +03:00
parent af1ce20640
commit d069ff1121
4 changed files with 38 additions and 1 deletions
--- a/docs/core-checklist-status.md
+++ b/docs/core-checklist-status.md
@@ -38,7 +38,7 @@ Legend:
 29. Archive - `DONE`
 30. Blacklist - `DONE`
 31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; policy behavior covered by integration tests, remaining UX/matrix hardening)
-32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; UX/TOTP recovery flow ongoing)
+32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; 2FA setup now blocked after enable to prevent secret re-issuance; UX/TOTP recovery flow ongoing)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel now hot-refreshes on `chat_updated`)
 35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)