Security Issue: TOTP Validation Occurs After Password Verification

### Description

Currently, the authentication flow validates the password before performing TOTP verification. This means an attacker can brute-force the password first without any TOTP checks, and once the correct password is found, they can then brute-force the TOTP code separately. This significantly weakens security, as it allows step-by-step credential cracking instead of enforcing two-factor authentication as a combined security measure.

Vulnerable Code

https://github.com/TriliumNext/Notes/blob/9a5793dfdd9042afcd4f31bd5ee53574f8f3d627/src/routes/login.ts#L80-L90



### TriliumNext Version

Source code

### What operating system are you using?

Other Linux

### What is your setup?

Local (no sync)

### Operating System Version

Manjaro

### Error logs

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Issue: TOTP Validation Occurs After Password Verification #5614

Description

TriliumNext Version

What operating system are you using?

What is your setup?

Operating System Version

Error logs

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Security Issue: TOTP Validation Occurs After Password Verification #5614

Description

Description

TriliumNext Version

What operating system are you using?

What is your setup?

Operating System Version

Error logs

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions