Enforce session-only identity for password-change (remove bearer-token fallback) by markwylde · Pull Request #121 · puzed/darkauth

markwylde · 2026-03-10T18:29:11Z

Prevent a 2FA bypass where password-change endpoints could accept a bearer JWT fallback when session validation failed, allowing password-only authentication to circumvent OTP enforcement.

Removed the bearer-token fallback and JWT verification from requirePasswordChangeIdentity so identity for password-change flows is derived only from requireSession and therefore subject to existing OTP/session checks.
Cleaned up unused imports in packages/api/src/controllers/user/passwordAuth.ts as part of the change.

Ran npm run tidy, which completed (reported lint/info warnings but no failures).
Ran npm run build, which completed successfully though brochureware PDF generation emitted platform warnings about missing system libraries; overall build succeeded.

Fix OTP bypass in password change identity auth

9547720

markwylde added codex aardvark labels Mar 10, 2026 — with ChatGPT Codex Connector

markwylde added codex aardvark labels Mar 10, 2026

Restore bearer-token fallback for password change identity

e1c9b89

markwylde merged commit 2ea730c into main Mar 10, 2026
17 checks passed

markwylde deleted the codex/propose-fix-for-otp-bypass-vulnerability branch March 10, 2026 21:26

Provide feedback