Merge SEC-01: require password for TOTP enrollment

internal/grpcserver/auth.go

@@ -207,13 +207,39 @@ func (a *authServiceServer) RenewToken(ctx context.Context, _ *mciasv1.RenewToke
 }
 
 // EnrollTOTP begins TOTP enrollment for the calling account.
-func (a *authServiceServer) EnrollTOTP(ctx context.Context, _ *mciasv1.EnrollTOTPRequest) (*mciasv1.EnrollTOTPResponse, error) {
+//
+// Security (SEC-01): the current password is required to prevent a stolen
+// session token from being used to enroll attacker-controlled TOTP on the
+// victim's account.  Lockout is checked and failures are recorded.
+func (a *authServiceServer) EnrollTOTP(ctx context.Context, req *mciasv1.EnrollTOTPRequest) (*mciasv1.EnrollTOTPResponse, error) {
 	claims := claimsFromContext(ctx)
 	acct, err := a.s.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, "account not found")
 	}
 
+	if req.Password == "" {
+		return nil, status.Error(codes.InvalidArgument, "password is required")
+	}
+
+	// Security: check lockout before verifying (same as login flow).
+	locked, lockErr := a.s.db.IsLockedOut(acct.ID)
+	if lockErr != nil {
+		a.s.logger.Error("lockout check (gRPC TOTP enroll)", "error", lockErr)
+	}
+	if locked {
+		a.s.db.WriteAuditEvent(model.EventTOTPEnrolled, &acct.ID, &acct.ID, peerIP(ctx), `{"result":"locked"}`) //nolint:errcheck
+		return nil, status.Error(codes.ResourceExhausted, "account temporarily locked")
+	}
+
+	// Security: verify the current password with Argon2id (constant-time).
+	ok, verifyErr := auth.VerifyPassword(req.Password, acct.PasswordHash)
+	if verifyErr != nil || !ok {
+		_ = a.s.db.RecordLoginFailure(acct.ID)
+		a.s.db.WriteAuditEvent(model.EventTOTPEnrolled, &acct.ID, &acct.ID, peerIP(ctx), `{"result":"wrong_password"}`) //nolint:errcheck
+		return nil, status.Error(codes.Unauthenticated, "password is incorrect")
+	}
+
 	rawSecret, b32Secret, err := auth.GenerateTOTPSecret()
 	if err != nil {
 		return nil, status.Error(codes.Internal, "internal error")