From 365b5753419238bb96bc3f9b744d380ff20cbafc Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Mon, 7 Apr 2025 16:14:41 +0200
Subject: [feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA)

* use byteutil.S2B to avoid allocations when comparing + generating password hashes

* don't bother with string conversion  for consts

* use io.ReadFull

* use MustGenerateSecret for backup codes

* rename util functions
---
 internal/api/client/accounts/accountdelete.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'internal/api/client/accounts')

diff --git a/internal/api/client/accounts/accountdelete.go b/internal/api/client/accounts/accountdelete.go
index 6438462c6..90fcd6eef 100644
--- a/internal/api/client/accounts/accountdelete.go
+++ b/internal/api/client/accounts/accountdelete.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"net/http"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/gin-gonic/gin"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
@@ -87,7 +88,10 @@ func (m *Module) AccountDeletePOSTHandler(c *gin.Context) {
 		return
 	}
 
-	if err := bcrypt.CompareHashAndPassword([]byte(authed.User.EncryptedPassword), []byte(form.Password)); err != nil {
+	if err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(authed.User.EncryptedPassword),
+		byteutil.S2B(form.Password),
+	); err != nil {
 		err = errors.New("invalid password provided in account delete request")
 		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
 		return
-- 
cgit v1.2.3