Fix MFA Remember (#7085)

Signed-off-by: BlackDex <black.dex@gmail.com>
2026-04-15 22:42:17 -06:00 · 2026-04-12 21:04:32 +02:00 · 2026-04-12 21:04:32 +02:00 · bb549986e6
commit bb549986e6
parent 39954af96a
2 changed files with 20 additions and 9 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -2405,16 +2405,15 @@ dependencies = [

 [[package]]
 name = "hyper-rustls"
-version = "0.27.7"
+version = "0.27.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+checksum = "c2b52f86d1d4bc0d6b4e6826d960b1b333217e07d36b882dca570a5e1c48895b"
 dependencies = [
 "http 1.4.0",
 "hyper 1.9.0",
 "hyper-util",
 "rustls 0.23.37",
 "rustls-native-certs",
- "rustls-pki-types",
 "tokio",
 "tokio-rustls 0.26.4",
 "tower-service",
@ -3722,9 +3721,9 @@ dependencies = [

 [[package]]
 name = "pkg-config"
-version = "0.3.32"
+version = "0.3.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+checksum = "19f132c84eca552bf34cab8ec81f1c1dcc229b811638f9d283dceabe58c5569e"

 [[package]]
 name = "polling"
@ -4409,12 +4408,12 @@ dependencies = [

 [[package]]
 name = "rtoolbox"
-version = "0.0.3"
+version = "0.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7cc970b249fbe527d6e02e0a227762c9108b2f49d81094fe357ffc6d14d7f6f"
+checksum = "327b72899159dfae8060c51a1f6aebe955245bcd9cc4997eed0f623caea022e4"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -742,7 +742,7 @@ async fn twofactor_auth(

    TwoFactorIncomplete::mark_incomplete(&user.uuid, &device.uuid, &device.name, device.atype, ip, conn).await?;

-    let twofactor_ids: Vec<_> = twofactors
+    let mut twofactor_ids: Vec<_> = twofactors
        .iter()
        .filter_map(|tf| {
            let provider_type = TwoFactorType::from_i32(tf.atype)?;
@ -753,6 +753,18 @@ async fn twofactor_auth(
        err!("No enabled and usable two factor providers are available for this account")
    }

+    // Add TwoFactorTypes which are not stored as a record but might be enabled
+    // Since these types could also be not valid, we do some custom checks here
+    twofactor_ids.extend(
+        [
+            (!CONFIG.disable_2fa_remember() && device.twofactor_remember.is_some())
+                .then_some(TwoFactorType::Remember as i32),
+            user.totp_recover.is_some().then_some(TwoFactorType::RecoveryCode as i32),
+        ]
+        .into_iter()
+        .flatten(),
+    );
+
    let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, assume the first one
    if !twofactor_ids.contains(&selected_id) {
        err_json!(