Fix SEC-01: require password for TOTP enroll

- REST handleTOTPEnroll now requires password field in request body - gRPC EnrollTOTP updated with password field in proto message - Both handlers check lockout status and record failures on bad password - Updated Go, Python, and Rust client libraries to pass password - Updated OpenAPI specs with new requestBody schema - Added TestTOTPEnrollRequiresPassword with no-password, wrong-password, and correct-password sub-tests Security: TOTP enrollment now requires the current password to prevent session-theft escalation to persistent account takeover. Lockout and failure recording use the same Argon2id constant-time path as login. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:48:31 -07:00
parent 586d4e3355
commit 8545473703
13 changed files with 192 additions and 17 deletions
--- a/clients/go/client.go
+++ b/clients/go/client.go
@@ -401,9 +401,15 @@ func (c *Client) RenewToken() (token, expiresAt string, err error) {
 // Returns a base32 secret and an otpauth:// URI for QR-code generation.
 // The secret is shown once; it is not retrievable after this call.
 // TOTP is not enforced until confirmed via ConfirmTOTP.
-func (c *Client) EnrollTOTP() (*TOTPEnrollResponse, error) {
+//
+// Security (SEC-01): the current password is required to prevent a stolen
+// session token from being used to enroll attacker-controlled TOTP.
+func (c *Client) EnrollTOTP(password string) (*TOTPEnrollResponse, error) {
 	var resp TOTPEnrollResponse
-	if err := c.do(http.MethodPost, "/v1/auth/totp/enroll", nil, &resp); err != nil {
+	body := struct {
+		Password string `json:"password"`
+	}{Password: password}
+	if err := c.do(http.MethodPost, "/v1/auth/totp/enroll", body, &resp); err != nil {
 		return nil, err
 	}
 	return &resp, nil
--- a/clients/go/client_test.go
+++ b/clients/go/client_test.go
@@ -275,7 +275,7 @@ func TestEnrollTOTP(t *testing.T) {
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	resp, err := c.EnrollTOTP()
+	resp, err := c.EnrollTOTP("testpass123")
 	if err != nil {
 		t.Fatalf("EnrollTOTP: %v", err)
 	}
--- a/clients/python/mcias_client/_client.py
+++ b/clients/python/mcias_client/_client.py
@@ -148,11 +148,15 @@ class Client:
        expires_at = str(data["expires_at"])
        self.token = token
        return token, expires_at
-    def enroll_totp(self) -> tuple[str, str]:
+    def enroll_totp(self, password: str) -> tuple[str, str]:
        """POST /v1/auth/totp/enroll — begin TOTP enrollment.
+
+        Security (SEC-01): current password is required to prevent session-theft
+        escalation to persistent account takeover.
+
        Returns (secret, otpauth_uri). The secret is shown only once.
        """
-        data = self._request("POST", "/v1/auth/totp/enroll")
+        data = self._request("POST", "/v1/auth/totp/enroll", json={"password": password})
        assert data is not None
        return str(data["secret"]), str(data["otpauth_uri"])
    def confirm_totp(self, code: str) -> None:
--- a/clients/python/tests/test_client.py
+++ b/clients/python/tests/test_client.py
@@ -191,7 +191,7 @@ def test_enroll_totp(admin_client: Client) -> None:
            json={"secret": "JBSWY3DPEHPK3PXP", "otpauth_uri": "otpauth://totp/MCIAS:alice?secret=JBSWY3DPEHPK3PXP&issuer=MCIAS"},
        )
    )
-    secret, uri = admin_client.enroll_totp()
+    secret, uri = admin_client.enroll_totp("testpass123")
    assert secret == "JBSWY3DPEHPK3PXP"
    assert "otpauth://totp/" in uri
@respx.mock
--- a/clients/rust/src/lib.rs
+++ b/clients/rust/src/lib.rs
@@ -484,9 +484,12 @@ impl Client {

    /// Begin TOTP enrollment. Returns `(secret, otpauth_uri)`.
    /// The secret is shown once; store it in an authenticator app immediately.
-    pub async fn enroll_totp(&self) -> Result<(String, String), MciasError> {
+    ///
+    /// Security (SEC-01): current password is required to prevent session-theft
+    /// escalation to persistent account takeover.
+    pub async fn enroll_totp(&self, password: &str) -> Result<(String, String), MciasError> {
        let resp: TotpEnrollResponse =
-            self.post("/v1/auth/totp/enroll", &serde_json::json!({})).await?;
+            self.post("/v1/auth/totp/enroll", &serde_json::json!({"password": password})).await?;
        Ok((resp.secret, resp.otpauth_uri))
    }

--- a/clients/rust/tests/client_tests.rs
+++ b/clients/rust/tests/client_tests.rs
@@ -449,7 +449,7 @@ async fn test_enroll_totp() {
        .await;

    let c = admin_client(&server).await;
-    let (secret, uri) = c.enroll_totp().await.unwrap();
+    let (secret, uri) = c.enroll_totp("testpass123").await.unwrap();
    assert_eq!(secret, "JBSWY3DPEHPK3PXP");
    assert!(uri.starts_with("otpauth://totp/"));
 }