2FA有効時、パスワードをチェックしてからトークンを確認するように

packages/backend/src/server/api/endpoints/i/2fa/key-done.ts

@@ -61,10 +61,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 		private globalEventService: GlobalEventService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			const token = ps.token;
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
+			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
+			if (!passwordMatched) {
+				throw new ApiError(meta.errors.incorrectPassword);
+			}
+
 			if (profile.twoFactorEnabled) {
+				const token = ps.token;
 				if (token == null) {
 					throw new Error('authentication failed');
 				}
@@ -74,14 +79,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				} catch (e) {
 					throw new Error('authentication failed');
 				}
-			}
-
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
-			if (!passwordMatched) {
-				throw new ApiError(meta.errors.incorrectPassword);
-			}
-
-			if (!profile.twoFactorEnabled) {
+			} else {
 				throw new ApiError(meta.errors.twoFactorNotEnabled);
 			}