Fix SEC-01: require password for TOTP enroll

- REST handleTOTPEnroll now requires password field in request body
- gRPC EnrollTOTP updated with password field in proto message
- Both handlers check lockout status and record failures on bad password
- Updated Go, Python, and Rust client libraries to pass password
- Updated OpenAPI specs with new requestBody schema
- Added TestTOTPEnrollRequiresPassword with no-password, wrong-password,
  and correct-password sub-tests

Security: TOTP enrollment now requires the current password to prevent
session-theft escalation to persistent account takeover. Lockout and
failure recording use the same Argon2id constant-time path as login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/grpcserver/auth.go

@@ -195,13 +195,39 @@ func (a *authServiceServer) RenewToken(ctx context.Context, _ *mciasv1.RenewToke
 }
 
 // EnrollTOTP begins TOTP enrollment for the calling account.
-func (a *authServiceServer) EnrollTOTP(ctx context.Context, _ *mciasv1.EnrollTOTPRequest) (*mciasv1.EnrollTOTPResponse, error) {
+//
+// Security (SEC-01): the current password is required to prevent a stolen
+// session token from being used to enroll attacker-controlled TOTP on the
+// victim's account.  Lockout is checked and failures are recorded.
+func (a *authServiceServer) EnrollTOTP(ctx context.Context, req *mciasv1.EnrollTOTPRequest) (*mciasv1.EnrollTOTPResponse, error) {
 	claims := claimsFromContext(ctx)
 	acct, err := a.s.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, "account not found")
 	}
 
+	if req.Password == "" {
+		return nil, status.Error(codes.InvalidArgument, "password is required")
+	}
+
+	// Security: check lockout before verifying (same as login flow).
+	locked, lockErr := a.s.db.IsLockedOut(acct.ID)
+	if lockErr != nil {
+		a.s.logger.Error("lockout check (gRPC TOTP enroll)", "error", lockErr)
+	}
+	if locked {
+		a.s.db.WriteAuditEvent(model.EventTOTPEnrolled, &acct.ID, &acct.ID, peerIP(ctx), `{"result":"locked"}`) //nolint:errcheck
+		return nil, status.Error(codes.ResourceExhausted, "account temporarily locked")
+	}
+
+	// Security: verify the current password with Argon2id (constant-time).
+	ok, verifyErr := auth.VerifyPassword(req.Password, acct.PasswordHash)
+	if verifyErr != nil || !ok {
+		_ = a.s.db.RecordLoginFailure(acct.ID)
+		a.s.db.WriteAuditEvent(model.EventTOTPEnrolled, &acct.ID, &acct.ID, peerIP(ctx), `{"result":"wrong_password"}`) //nolint:errcheck
+		return nil, status.Error(codes.Unauthenticated, "password is incorrect")
+	}
+
 	rawSecret, b32Secret, err := auth.GenerateTOTPSecret()
 	if err != nil {
 		return nil, status.Error(codes.Internal, "internal error")

internal/server/server.go

@@ -780,6 +780,10 @@ func (s *Server) handleRevokeRole(w http.ResponseWriter, r *http.Request) {
 
 // ---- TOTP endpoints ----
 
+type totpEnrollRequest struct {
+	Password string `json:"password"` // security: current password required to prevent session-theft escalation
+}
+
 type totpEnrollResponse struct {
 	Secret     string `json:"secret"` // base32-encoded
 	OTPAuthURI string `json:"otpauth_uri"`
@@ -789,6 +793,12 @@ type totpConfirmRequest struct {
 	Code string `json:"code"`
 }
 
+// handleTOTPEnroll begins TOTP enrollment for the calling account.
+//
+// Security (SEC-01): the current password is required in the request body to
+// prevent a stolen session token from being used to enroll attacker-controlled
+// MFA on the victim's account.  Lockout is checked and failures are recorded
+// to prevent brute-force use of this endpoint as a password oracle.
 func (s *Server) handleTOTPEnroll(w http.ResponseWriter, r *http.Request) {
 	claims := middleware.ClaimsFromContext(r.Context())
 	acct, err := s.db.GetAccountByUUID(claims.Subject)
@@ -797,6 +807,38 @@ func (s *Server) handleTOTPEnroll(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var req totpEnrollRequest
+	if !decodeJSON(w, r, &req) {
+		return
+	}
+
+	if req.Password == "" {
+		middleware.WriteError(w, http.StatusBadRequest, "password is required", "bad_request")
+		return
+	}
+
+	// Security: check lockout before verifying (same as login and password-change flows)
+	// so an attacker cannot use this endpoint to brute-force the current password.
+	locked, lockErr := s.db.IsLockedOut(acct.ID)
+	if lockErr != nil {
+		s.logger.Error("lockout check (TOTP enroll)", "error", lockErr)
+	}
+	if locked {
+		s.writeAudit(r, model.EventTOTPEnrolled, &acct.ID, &acct.ID, `{"result":"locked"}`)
+		middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
+		return
+	}
+
+	// Security: verify the current password with the same constant-time
+	// Argon2id path used at login to prevent timing oracles.
+	ok, verifyErr := auth.VerifyPassword(req.Password, acct.PasswordHash)
+	if verifyErr != nil || !ok {
+		_ = s.db.RecordLoginFailure(acct.ID)
+		s.writeAudit(r, model.EventTOTPEnrolled, &acct.ID, &acct.ID, `{"result":"wrong_password"}`)
+		middleware.WriteError(w, http.StatusUnauthorized, "password is incorrect", "unauthorized")
+		return
+	}
+
 	rawSecret, b32Secret, err := auth.GenerateTOTPSecret()
 	if err != nil {
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")

internal/server/server_test.go

@@ -519,8 +519,10 @@ func TestTOTPEnrollDoesNotRequireTOTP(t *testing.T) {
 		t.Fatalf("TrackToken: %v", err)
 	}
 
-	// Start enrollment.
-	rr := doRequest(t, handler, "POST", "/v1/auth/totp/enroll", nil, tokenStr)
+	// Start enrollment (password required since SEC-01 fix).
+	rr := doRequest(t, handler, "POST", "/v1/auth/totp/enroll", totpEnrollRequest{
+		Password: "testpass123",
+	}, tokenStr)
 	if rr.Code != http.StatusOK {
 		t.Fatalf("enroll status = %d, want 200; body: %s", rr.Code, rr.Body.String())
 	}
@@ -558,6 +560,61 @@ func TestTOTPEnrollDoesNotRequireTOTP(t *testing.T) {
 	}
 }
 
+// TestTOTPEnrollRequiresPassword verifies that TOTP enrollment (SEC-01)
+// requires the current password.  A stolen session token alone must not be
+// sufficient to add attacker-controlled MFA to the victim's account.
+func TestTOTPEnrollRequiresPassword(t *testing.T) {
+	srv, _, priv, _ := newTestServer(t)
+	acct := createTestHumanAccount(t, srv, "totp-pw-check")
+	handler := srv.Handler()
+
+	tokenStr, claims, err := token.IssueToken(priv, testIssuer, acct.UUID, nil, time.Hour)
+	if err != nil {
+		t.Fatalf("IssueToken: %v", err)
+	}
+	if err := srv.db.TrackToken(claims.JTI, acct.ID, claims.IssuedAt, claims.ExpiresAt); err != nil {
+		t.Fatalf("TrackToken: %v", err)
+	}
+
+	t.Run("no password", func(t *testing.T) {
+		rr := doRequest(t, handler, "POST", "/v1/auth/totp/enroll", totpEnrollRequest{}, tokenStr)
+		if rr.Code != http.StatusBadRequest {
+			t.Errorf("enroll without password: status = %d, want %d; body: %s",
+				rr.Code, http.StatusBadRequest, rr.Body.String())
+		}
+	})
+
+	t.Run("wrong password", func(t *testing.T) {
+		rr := doRequest(t, handler, "POST", "/v1/auth/totp/enroll", totpEnrollRequest{
+			Password: "wrong-password",
+		}, tokenStr)
+		if rr.Code != http.StatusUnauthorized {
+			t.Errorf("enroll with wrong password: status = %d, want %d; body: %s",
+				rr.Code, http.StatusUnauthorized, rr.Body.String())
+		}
+	})
+
+	t.Run("correct password", func(t *testing.T) {
+		rr := doRequest(t, handler, "POST", "/v1/auth/totp/enroll", totpEnrollRequest{
+			Password: "testpass123",
+		}, tokenStr)
+		if rr.Code != http.StatusOK {
+			t.Fatalf("enroll with correct password: status = %d, want 200; body: %s",
+				rr.Code, rr.Body.String())
+		}
+		var resp totpEnrollResponse
+		if err := json.Unmarshal(rr.Body.Bytes(), &resp); err != nil {
+			t.Fatalf("unmarshal: %v", err)
+		}
+		if resp.Secret == "" {
+			t.Error("expected non-empty TOTP secret")
+		}
+		if resp.OTPAuthURI == "" {
+			t.Error("expected non-empty otpauth URI")
+		}
+	})
+}
+
 func TestRenewToken(t *testing.T) {
 	srv, _, priv, _ := newTestServer(t)
 	acct := createTestHumanAccount(t, srv, "renew-user")