Admins can enable 2FA

Added the feature for admins to force 2FA on accounts. The next time the user logs in they will have to setup 2FA on their account.
2026-03-02 16:56:39 +00:00 · 2025-07-07 16:02:42 -04:00
parent f11fa4f32d
commit 2a6298e9eb
12 changed files with 843 additions and 20 deletions
--- a/server/routers/auth/login.ts
+++ b/server/routers/auth/login.ts
@@ -35,6 +35,7 @@ export type LoginBody = z.infer<typeof loginBodySchema>;
 export type LoginResponse = {
    codeRequested?: boolean;
    emailVerificationRequired?: boolean;
+    twoFactorSetupRequired?: boolean;
 };

 export const dynamic = "force-dynamic";
@@ -110,6 +111,17 @@ export async function login(
        }

        if (existingUser.twoFactorEnabled) {
+            // If 2FA is enabled but no secret exists, force setup
+            if (!existingUser.twoFactorSecret) {
+                return response<LoginResponse>(res, {
+                    data: { twoFactorSetupRequired: true },
+                    success: true,
+                    error: false,
+                    message: "Two-factor authentication setup required",
+                    status: HttpCode.ACCEPTED
+                });
+            }
+
            if (!code) {
                return response<{ codeRequested: boolean }>(res, {
                    data: { codeRequested: true },
@@ -122,7 +134,7 @@ export async function login(

            const validOTP = await verifyTotpCode(
                code,
-                existingUser.twoFactorSecret!,
+                existingUser.twoFactorSecret,
                existingUser.userId
            );