From fd35904e39eacc447387343b5bdf32f508b56538 Mon Sep 17 00:00:00 2001
From: jagdeep sidhu <sidhujag@syscoin.org>
Date: Sat, 25 Apr 2026 16:07:28 -0700
Subject: [PATCH 1/3] fix(auth): require password proof to disable TOTP

Send current-password step-up proof with the TOTP disable request so the UI matches the hardened backend contract.

Made-with: Cursor
---
 src/components/TwoFactorCard.js      |  5 +++--
 src/components/TwoFactorCard.test.js | 32 ++++++++++++++++++++++++++++
 src/lib/authService.js               |  7 ++++--
 src/lib/authService.test.js          | 26 ++++++++++++++++++++++
 4 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/src/components/TwoFactorCard.js b/src/components/TwoFactorCard.js
index 24540d2..9edda46 100644
--- a/src/components/TwoFactorCard.js
+++ b/src/components/TwoFactorCard.js
@@ -179,7 +179,8 @@ export default function TwoFactorCard({
     setErrCode(null);
     setSuccess(null);
     try {
-      await authService.disableTotp(code);
+      const oldAuthHash = await deriveStepUpAuthHash();
+      await authService.disableTotp({ code, oldAuthHash });
       setSetup(null);
       setCode('');
       setCurrentPassword('');
@@ -290,7 +291,7 @@ export default function TwoFactorCard({
             </div>
           ) : null}
 
-          {!status.enabled ? (
+          {!setup ? (
             <div className="auth-field">
               <label className="auth-label" htmlFor="totp-current-password">
                 Current password
diff --git a/src/components/TwoFactorCard.test.js b/src/components/TwoFactorCard.test.js
index cb27863..ba23cf6 100644
--- a/src/components/TwoFactorCard.test.js
+++ b/src/components/TwoFactorCard.test.js
@@ -156,6 +156,38 @@ test('does not finalize TOTP enable UI without recovery codes', async () => {
   ).not.toBeInTheDocument();
 });
 
+test('requires current password step-up when disabling TOTP', async () => {
+  const authService = service({
+    getTotpStatus: jest.fn().mockResolvedValue({
+      enabled: true,
+      pending: false,
+      recoveryCodesRemaining: 9,
+    }),
+    disableTotp: jest.fn().mockResolvedValue({ status: 'disabled' }),
+  });
+  renderCard(authService);
+
+  await waitFor(() => expect(authService.me).toHaveBeenCalled());
+  await waitFor(() => expect(authService.getTotpStatus).toHaveBeenCalled());
+  expect(await screen.findByText('Enabled')).toBeInTheDocument();
+  await userEvent.type(screen.getByLabelText(/current password/i), 'Correct1!');
+  await userEvent.type(screen.getByLabelText(/authenticator code/i), '123456');
+  await userEvent.click(
+    screen.getByRole('button', { name: /disable two-factor authentication/i })
+  );
+
+  await waitFor(() =>
+    expect(authService.disableTotp).toHaveBeenCalledWith({
+      code: '123456',
+      oldAuthHash: 'a'.repeat(64),
+    })
+  );
+  expect(authService.deriveStepUpAuthHash).toHaveBeenCalledWith(
+    'Correct1!',
+    'user@example.com'
+  );
+});
+
 test('clears stale TOTP errors after a successful status refresh', async () => {
   const authService = service({
     getTotpStatus: jest
diff --git a/src/lib/authService.js b/src/lib/authService.js
index 80a4942..1b19b42 100644
--- a/src/lib/authService.js
+++ b/src/lib/authService.js
@@ -206,8 +206,11 @@ export function createAuthService(client = defaultClient) {
     return res.data;
   }
 
-  async function disableTotp(code) {
-    const res = await client.post('/auth/totp/disable', { code });
+  async function disableTotp({ code, oldAuthHash }) {
+    if (typeof oldAuthHash !== 'string' || oldAuthHash.length === 0) {
+      throw new Error('disableTotp: oldAuthHash required');
+    }
+    const res = await client.post('/auth/totp/disable', { code, oldAuthHash });
     return res.data;
   }
 
diff --git a/src/lib/authService.test.js b/src/lib/authService.test.js
index cfbdebb..6eb9185 100644
--- a/src/lib/authService.test.js
+++ b/src/lib/authService.test.js
@@ -375,6 +375,32 @@ describe('authService.updatePrefs', () => {
   });
 });
 
+describe('authService.disableTotp', () => {
+  const AUTH =
+    'a4f8b3c1d9e7f2a5b1c6d8e4f7a9b2c5d1e8f4a7b3c9d5e1f6a2b8c4d7e3f5a9';
+
+  test('posts authenticator code and current-password proof', async () => {
+    const { service, adapter } = makeService();
+    let captured;
+    adapter.onPost('/auth/totp/disable').reply((config) => {
+      captured = JSON.parse(config.data);
+      return [200, { status: 'disabled' }];
+    });
+
+    await expect(
+      service.disableTotp({ code: '123456', oldAuthHash: AUTH })
+    ).resolves.toEqual({ status: 'disabled' });
+    expect(captured).toEqual({ code: '123456', oldAuthHash: AUTH });
+  });
+
+  test('rejects client-side when oldAuthHash is missing', async () => {
+    const { service } = makeService();
+    await expect(service.disableTotp({ code: '123456' })).rejects.toThrow(
+      /oldAuthHash required/
+    );
+  });
+});
+
 // ---------------------------------------------------------------------------
 // PR 7 — deleteAccount (GDPR right to erasure)
 // ---------------------------------------------------------------------------

From 38cd41a1e5134686b98d56aeb7dae8ee3650b71d Mon Sep 17 00:00:00 2001
From: jagdeep sidhu <sidhujag@syscoin.org>
Date: Sat, 25 Apr 2026 16:15:09 -0700
Subject: [PATCH 2/3] fix(auth): keep TOTP setup password editable

Keep the current-password field available during active setup so users can correct stale password proof before enabling TOTP.

Made-with: Cursor
---
 src/components/TwoFactorCard.js      |  2 +-
 src/components/TwoFactorCard.test.js | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/components/TwoFactorCard.js b/src/components/TwoFactorCard.js
index 9edda46..c61d23f 100644
--- a/src/components/TwoFactorCard.js
+++ b/src/components/TwoFactorCard.js
@@ -291,7 +291,7 @@ export default function TwoFactorCard({
             </div>
           ) : null}
 
-          {!setup ? (
+          {!recoveryCodes ? (
             <div className="auth-field">
               <label className="auth-label" htmlFor="totp-current-password">
                 Current password
diff --git a/src/components/TwoFactorCard.test.js b/src/components/TwoFactorCard.test.js
index ba23cf6..26ccd0f 100644
--- a/src/components/TwoFactorCard.test.js
+++ b/src/components/TwoFactorCard.test.js
@@ -188,6 +188,24 @@ test('requires current password step-up when disabling TOTP', async () => {
   );
 });
 
+test('keeps current password editable during active TOTP setup', async () => {
+  const authService = renderCard();
+
+  await waitFor(() => expect(authService.me).toHaveBeenCalled());
+  await waitFor(() => expect(authService.getTotpStatus).toHaveBeenCalled());
+  await userEvent.type(screen.getByLabelText(/current password/i), 'OldPass1!');
+  await userEvent.click(
+    screen.getByRole('button', { name: /set up two-factor authentication/i })
+  );
+  await screen.findByLabelText(/manual setup secret fallback/i);
+
+  const password = screen.getByLabelText(/current password/i);
+  expect(password).toBeInTheDocument();
+  await userEvent.clear(password);
+  await userEvent.type(password, 'NewPass1!');
+  expect(password).toHaveValue('NewPass1!');
+});
+
 test('clears stale TOTP errors after a successful status refresh', async () => {
   const authService = service({
     getTotpStatus: jest

From 41197b41c5c8672516de6f4540d91d7790247653 Mon Sep 17 00:00:00 2001
From: jagdeep sidhu <sidhujag@syscoin.org>
Date: Sat, 25 Apr 2026 16:22:20 -0700
Subject: [PATCH 3/3] fix(auth): keep TOTP password field always available

Keep the current-password field visible through setup, recovery-code display, and disable states so step-up retries cannot get stuck.

Made-with: Cursor
---
 src/components/TwoFactorCard.js      | 28 +++++++++++++---------------
 src/components/TwoFactorCard.test.js | 25 +++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/src/components/TwoFactorCard.js b/src/components/TwoFactorCard.js
index c61d23f..366abcf 100644
--- a/src/components/TwoFactorCard.js
+++ b/src/components/TwoFactorCard.js
@@ -291,21 +291,19 @@ export default function TwoFactorCard({
             </div>
           ) : null}
 
-          {!recoveryCodes ? (
-            <div className="auth-field">
-              <label className="auth-label" htmlFor="totp-current-password">
-                Current password
-              </label>
-              <input
-                id="totp-current-password"
-                className="auth-input"
-                type="password"
-                autoComplete="current-password"
-                value={currentPassword}
-                onChange={(e) => setCurrentPassword(e.target.value)}
-              />
-            </div>
-          ) : null}
+          <div className="auth-field">
+            <label className="auth-label" htmlFor="totp-current-password">
+              Current password
+            </label>
+            <input
+              id="totp-current-password"
+              className="auth-input"
+              type="password"
+              autoComplete="current-password"
+              value={currentPassword}
+              onChange={(e) => setCurrentPassword(e.target.value)}
+            />
+          </div>
 
           {setup || status.enabled ? (
             <div className="auth-field">
diff --git a/src/components/TwoFactorCard.test.js b/src/components/TwoFactorCard.test.js
index 26ccd0f..474359f 100644
--- a/src/components/TwoFactorCard.test.js
+++ b/src/components/TwoFactorCard.test.js
@@ -206,6 +206,31 @@ test('keeps current password editable during active TOTP setup', async () => {
   expect(password).toHaveValue('NewPass1!');
 });
 
+test('keeps current password editable while recovery codes are displayed', async () => {
+  const authService = service({
+    enableTotp: jest.fn().mockResolvedValue({
+      recoveryCodes: ['one', 'two'],
+    }),
+  });
+  renderCard(authService);
+
+  await waitFor(() => expect(authService.me).toHaveBeenCalled());
+  await waitFor(() => expect(authService.getTotpStatus).toHaveBeenCalled());
+  await userEvent.type(screen.getByLabelText(/current password/i), 'Correct1!');
+  await userEvent.click(
+    screen.getByRole('button', { name: /set up two-factor authentication/i })
+  );
+  await screen.findByLabelText(/manual setup secret fallback/i);
+  await userEvent.type(screen.getByLabelText(/authenticator code/i), '123456');
+  await userEvent.click(screen.getByRole('button', { name: /verify and enable/i }));
+
+  expect(await screen.findByText(/save these recovery codes/i)).toBeInTheDocument();
+  const password = screen.getByLabelText(/current password/i);
+  expect(password).toBeInTheDocument();
+  await userEvent.type(password, 'DisablePass1!');
+  expect(password).toHaveValue('DisablePass1!');
+});
+
 test('clears stale TOTP errors after a successful status refresh', async () => {
   const authService = service({
     getTotpStatus: jest