feat: 2fa backup codes #1
Co-authored-by: Peer Richelsen <peeroke@gmail.com>
bugbot run

Cursor Bugbot has reviewed your changes and found 2 potential issues.
```ts
);

// check if user-supplied code matches one
const index = backupCodes.indexOf(credentials.backupCode.replaceAll("-", ""));
```
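Review bot: the lookup on `const index = backupCodes.indexOf(credentials.backupCode.replaceAll("-", ""));` normalizes only dashes, while the stored codes are lowercase hex, so a code typed in uppercase or with surrounding whitespace is rejected; normalize the submitted value fully before the lookup (for example `.replace(/[\s-]/g, "").toLowerCase()`), and since the PR describes backup codes as consumed on login, make sure the matched entry is removed from `backupCodes` and persisted so each code is single-use.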
Case-sensitive backup code comparison rejects valid uppercase input
Medium Severity
Backup codes are generated as lowercase hex via crypto.randomBytes(5).toString("hex"), but the comparison in both the login and disable endpoints uses indexOf without case normalization — only dashes are stripped with replaceAll("-", ""). A user who manually types their backup code with uppercase hex letters (A–F) will get a rejection even though the code is valid. This is especially problematic in the "lost access" recovery flow, where the user may already be locked out.
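As an added example (not cal.com's code and not part of this review thread), the following TypeScript shows a backup-code verifier that fixes the case-sensitivity problem described above: it keeps the page's generation scheme (`crypto.randomBytes(5).toString("hex")`), canonicalizes user input before comparison, compares in constant time, and consumes the matched code so it cannot be reused. The in-memory string array stands in for the encrypted `users.backupCodes` column; all function names are hypothetical.

```typescript
// Added example, not cal.com's code. Assumes the PR's generation scheme
// (5 random bytes -> 10 lowercase hex chars) and a plain string array in
// place of the encrypted users.backupCodes column.
import { randomBytes, timingSafeEqual } from "node:crypto";

const CODE_COUNT = 10; // the PR generates 10 codes
const CODE_BYTES = 5;  // 5 random bytes -> 10 hex characters
const CODE_PATTERN = new RegExp(`^[0-9a-f]{${CODE_BYTES * 2}}$`);

/** Generate backup codes the way the PR does: lowercase hex from 5 random bytes. */
export function generateBackupCodes(count: number = CODE_COUNT): string[] {
  return Array.from({ length: count }, () => randomBytes(CODE_BYTES).toString("hex"));
}

/** Canonical form for storage and comparison: hex digits only, lowercase. */
export function normalizeBackupCode(input: string): string {
  return input.replace(/[\s-]/g, "").toLowerCase();
}

/** Display form shown to the user: groups of 4 separated by dashes. */
export function formatBackupCode(code: string): string {
  return code.match(/.{1,4}/g)?.join("-") ?? code;
}

/** Constant-time equality for two ASCII strings (length mismatch is a fast reject). */
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

/**
 * Verify a user-supplied code against the stored list. On success the matched
 * code is consumed: `remaining` no longer contains it, and the caller should
 * persist that array back to the user record before granting access.
 */
export function verifyAndConsumeBackupCode(
  stored: readonly string[],
  submitted: string,
): { ok: boolean; remaining: string[] } {
  const candidate = normalizeBackupCode(submitted);
  // Reject anything that is not exactly the expected hex length before scanning.
  if (!CODE_PATTERN.test(candidate)) {
    return { ok: false, remaining: [...stored] };
  }
  let matchIndex = -1;
  // Scan every entry without early exit so timing does not leak the match position.
  stored.forEach((code, i) => {
    if (safeEqual(code, candidate)) matchIndex = i;
  });
  if (matchIndex === -1) return { ok: false, remaining: [...stored] };
  return { ok: true, remaining: stored.filter((_, i) => i !== matchIndex) };
}
```

The verifier accepts `A1B2-C3D4-E5`, `a1b2c3d4e5` and ` a1b2 c3d4 e5 ` as the same code, which is what a user in the "lost access" flow needs; the caller decides whether to persist `remaining` immediately or inside the same transaction that completes the login.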
```ts
import { useLocale } from "@calcom/lib/hooks/useLocale";
import { Label, TextField } from "@calcom/ui";

export default function TwoFactor({ center = true }) {
```
BackupCode component function misleadingly named TwoFactor
Low Severity
The BackupCode.tsx file exports function TwoFactor, which is the same function name used by the actual TwoFactor component in TwoFactor.tsx. Since both are default exports, imports work fine, but React DevTools and error stack traces will show both components identically as "TwoFactor", making debugging confusing. The function name here would logically be BackupCode.


Test 3
Summary by CodeRabbit
Release Notes
Replicated from ai-code-review-evaluation/cal.com-coderabbit#3
Note
High Risk
Touches authentication and 2FA disable logic and introduces new encrypted secrets persisted to the user table, so mistakes could cause account lockouts or weaken recovery security.
Overview
Adds 2FA backup codes as an alternate second factor: the setup API now generates and returns 10 random codes, stores them encrypted in the new users.backupCodes column, and the enable modal displays them with copy/download/close actions.

Updates authentication and settings flows to accept a backupCode in addition to TOTP: credential auth can validate and consume a backup code for login, the disable-2FA endpoint can validate a backup code and clears backupCodes when turning 2FA off, and the UI adds a “Lost access” toggle on login/disable modals (plus minor input autofocus/tabIndex tweaks).

Written by Cursor Bugbot for commit a308075.