From 5771478e4b1e931e41e30cb01266641dd68e1587 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Thu, 20 Jun 2019 16:36:46 -0700
Subject: [PATCH] Use 412 for invalid token, otherwise user gets logged out
---
 CHANGES | 1 +
 src/routes/profile.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 756ee5cf9..fec1eee8f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1634,4 +1634,5 @@
 [4.1.5]
 * Make the terminal addon button inject variables based on manifest version
 * Preserve addon passwords correctly when using v2 manifest
+* Show error message instead of logging out user when invalid 2FA token is provided
diff --git a/src/routes/profile.js b/src/routes/profile.js
index d3619e5cd..cd4eb273b 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -85,7 +85,7 @@ function enableTwoFactorAuthentication(req, res, next) {
 users.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
- if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));
+ if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(412, 'Invalid token'));
 if (error && error.reason === UsersError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));
 if (error) return next(new HttpError(500, error));
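Review bot: The new `HttpError(412, 'Invalid token')` line in enableTwoFactorAuthentication makes the status code part of a client contract that the code does not record: per the commit subject, a 403 from this route ends the user's session in the client, so the value is chosen to stay outside that handling. A comment on the line would keep a later cleanup from restoring 403, for example `// 412, not 403: the client treats 403 as a dead session and logs the user out`. 412 is defined for failed conditional-request headers (If-Match and similar), so this is an off-label use; unless the API already uses 412 this way elsewhere, 400 or 422 would describe a rejected `totpToken` more plainly. The diffstat lists only CHANGES and this file, so any test or client code that still expects 403 from this route would need the same update, which cannot be confirmed from this hunk. The function body starts and ends outside the hunk.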