Fix #5274 2fa backup codes not validating properly

jc21 · jc21 · commit c88de65d3a15 · 2026-02-05T10:51:15.000+10:00
diff --git a/backend/internal/2fa.js b/backend/internal/2fa.js
@@ -198,20 +198,23 @@ const internal2fa = {
 			return false;
 		}
 
-		// Try TOTP code first
-		const result = await verify({
-			token,
-			secret,
-		});
-
-		if (result.valid) {
-			return true;
+		// Try TOTP code first, if it's 6 chars. it will throw errors if it's not 6 chars
+		// and the backup codes are 8 chars.
+		if (token.length === 6) {
+			const result = await verify({
+				token,
+				secret,
+			});
+
+			if (result.valid) {
+				return true;
+			}
 		}
 
 		// Try backup codes
 		const backupCodes = auth?.meta?.backup_codes || [];
 		for (let i = 0; i < backupCodes.length; i++) {
-			const match = await bcrypt.compare(code.toUpperCase(), backupCodes[i]);
+			const match = await bcrypt.compare(token.toUpperCase(), backupCodes[i]);
 			if (match) {
 				// Remove used backup code
 				const updatedCodes = [...backupCodes];
diff --git a/backend/schema/paths/tokens/2fa/post.json b/backend/schema/paths/tokens/2fa/post.json
@@ -17,7 +17,7 @@
 						},
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "012345"
 						}
diff --git a/backend/schema/paths/users/userID/2fa/backup-codes/post.json b/backend/schema/paths/users/userID/2fa/backup-codes/post.json
@@ -16,7 +16,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Verififcation Payload",
+		"description": "Verification Payload",
 		"required": true,
 		"content": {
 			"application/json": {
@@ -25,7 +25,7 @@
 					"properties": {
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "123456"
 						}
diff --git a/backend/schema/paths/users/userID/2fa/enable/post.json b/backend/schema/paths/users/userID/2fa/enable/post.json
@@ -16,7 +16,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Verififcation Payload",
+		"description": "Verification Payload",
 		"required": true,
 		"content": {
 			"application/json": {
@@ -25,7 +25,7 @@
 					"properties": {
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "123456"
 						}

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`},`
`18`	`18`	`"code": {`
`19`	`19`	`"minLength": 6,`
`20`		`- "maxLength": 6,`
	`20`	`+ "maxLength": 8,`
`21`	`21`	`"type": "string",`
`22`	`22`	`"example": "012345"`
`23`	`23`	`}`