external ldap: ensure dashboard login does totp check

src/externalldap.js

@@ -278,10 +278,10 @@ async function maybeCreateUser(identifier) {
     return await users.add(user.email, { username: user.username, password: null, displayName: user.displayName, source: 'ldap' }, AuditSource.EXTERNAL_LDAP);
 }
 
-async function verifyPassword(username, password, totpToken) {
+async function verifyPassword(username, password, options) {
     assert.strictEqual(typeof username, 'string');
     assert.strictEqual(typeof password, 'string');
-    assert(totpToken === null || typeof totpToken === 'string');
+    assert.strictEqual(typeof options, 'object');
 
     const config = await getConfig();
     if (config.provider === 'noop') throw new BoxError(BoxError.BAD_STATE, 'not enabled');
@@ -293,10 +293,10 @@ async function verifyPassword(username, password, totpToken) {
     const client = await getClient(config, { bind: false });
 
     let userAuthDn;
-    if (totpToken !== null) {
+    if (!options.skipTotpCheck) {
         // inject totptoken into first attribute. in ldap, '+' is the attribute separator in a RDNS
         const rdns = ldapUsers[0].dn.split(',');
-        userAuthDn = `${rdns[0]}+totptoken=${totpToken},` + rdns.slice(1).join(',');
+        userAuthDn = `${rdns[0]}+totptoken=${options.totpToken},` + rdns.slice(1).join(',');
     } else {
         userAuthDn = ldapUsers[0].dn;
     }