Don't block site admin's operation if SECRET_KEY is lost (#35721) (#35724)

Backport #35721 by wxiaoguang

Related: #24573

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Giteabot
2025-10-22 13:02:47 +08:00
committed by GitHub
parent cb338a2ba1
commit c84d17b1bb
4 changed files with 13 additions and 8 deletions


@@ -111,11 +111,11 @@ func (t *TwoFactor) SetSecret(secretString string) error {
func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
if err != nil {
return false, err
return false, fmt.Errorf("ValidateTOTP invalid base64: %w", err)
}
secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)
if err != nil {
return false, err
return false, fmt.Errorf("ValidateTOTP unable to decrypt (maybe SECRET_KEY is wrong): %w", err)
}
secretStr := string(secretBytes)
return totp.Validate(passcode, secretStr), nil
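Review bot: ValidateTOTP now has two distinct failure modes (an undecodable or undecryptable stored secret versus a wrong passcode), but it has no doc comment saying that a non-nil error must still count as a failed second factor. The commit aims to keep admin operations working when SECRET_KEY is lost, so the callers (not visible in this hunk) should be checked to confirm they relax only admin-side management paths and never the sign-in check. I would add `// ValidateTOTP reports whether passcode matches the stored secret; a non-nil error means the secret could not be decoded or decrypted, and callers must not treat the passcode as valid.` above the function. The wrapped text `maybe SECRET_KEY is wrong` is a server configuration hint, so it is worth confirming that it ends up only in server logs and is not rendered in the sign-in response.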