Merge SEC-01: require password for TOTP enrollment

2026-03-13 01:07:39 -07:00
parent fe780bf873 8545473703
commit cf02b8e2d8
13 changed files with 192 additions and 17 deletions
--- a/web/static/openapi.yaml
+++ b/web/static/openapi.yaml
@@ -435,6 +435,17 @@ paths:
      tags: [Auth]
      security:
        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [password]
+              properties:
+                password:
+                  type: string
+                  description: Current account password (required to prevent session-theft escalation).
      responses:
        "200":
          description: TOTP secret generated.