When MFA was already enabled and the user clicked "Opnieuw instellen" on the TOTP card, setupTotp() unconditionally set mfa_confirmed_at to null. If the user then cancelled the dialog without confirming, the login controller's check `mfa_enabled && mfa_confirmed_at` evaluated to false (true && null), silently skipping the MFA challenge.

Fix: only set mfa_method and mfa_confirmed_at when MFA is not yet enabled (first-time setup). For re-setup or adding TOTP as a second method, only rotate the mfa_secret, matching the guard already applied to setupEmail().

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
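The bug and the fix described in the commit message, modelled as an added example that is not the project's own code (written in Python; the project's language is not shown on the page). The `User` fields, the helper names and the `datetime`-valued confirmation timestamp are assumptions; the login guard mirrors the `mfa_enabled && mfa_confirmed_at` check quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional
import secrets

@dataclass
class User:
    # Assumed persistence shape: mirrors the columns named in the commit message
    mfa_enabled: bool = False
    mfa_method: Optional[str] = None
    mfa_secret: Optional[str] = None
    mfa_confirmed_at: Optional[datetime] = None

def new_secret() -> str:
    # Stand-in for generating a fresh TOTP secret
    return secrets.token_hex(20)

def login_requires_mfa(user: User) -> bool:
    # The login controller's guard: truthy only if enabled AND confirmed
    return bool(user.mfa_enabled and user.mfa_confirmed_at)

def setup_totp_buggy(user: User) -> None:
    # 'Before': every setup, including a re-setup, clears the confirmation,
    # so cancelling the dialog leaves mfa_enabled=True with confirmed_at=None
    user.mfa_secret = new_secret()
    user.mfa_method = "totp"
    user.mfa_confirmed_at = None

def setup_totp_fixed(user: User) -> None:
    # 'After': method/confirmation are only touched on first-time setup;
    # a re-setup (or adding TOTP as a second method) only rotates the secret
    user.mfa_secret = new_secret()
    if not user.mfa_enabled:
        user.mfa_method = "totp"
        user.mfa_confirmed_at = None

def confirm_totp(user: User) -> None:
    # Reached only when the user completes the dialog with a valid code
    user.mfa_enabled = True
    user.mfa_confirmed_at = datetime.now(timezone.utc)

def reset_then_cancel(setup: Callable[[User], None]) -> bool:
    """Enrol and confirm, start a re-setup, cancel; report whether login still challenges."""
    user = User()
    setup(user)
    confirm_totp(user)
    setup(user)  # user clicks "Opnieuw instellen" ...
    # ... then cancels without confirming, so confirm_totp() never runs again
    return login_requires_mfa(user)
```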