From 1d14f72ba568410623197e614ec828d64570e170 Mon Sep 17 00:00:00 2001
From: 7heMech <83923848+7heMech@users.noreply.github.com>
Date: Sat, 14 Feb 2026 06:28:59 +0000
Subject: [PATCH] Add guardrail for disable 2fa
---
 backend/internal/2fa.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/backend/internal/2fa.js b/backend/internal/2fa.js
index 4251520c..43307e02 100644
--- a/backend/internal/2fa.js
+++ b/backend/internal/2fa.js
@@ -161,9 +161,12 @@ const internal2fa = {
 }
 const result = await verify({
- token: code,
- secret: auth.meta.totp_secret,
- });
+ token: code,
+ secret: auth.meta.totp_secret,
+ guardrails: createGuardrails({
+ MIN_SECRET_BYTES: 10,
+ }),
+ });
 if (!result.valid) {
 throw new errs.AuthError("Invalid verification code");
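Review bot: `MIN_SECRET_BYTES: 10` in the `verify` call lets this path accept 80-bit TOTP secrets, and nothing in the hunk says why the floor is set there; RFC 4226 asks for at least 128 bits of shared secret, so the value deserves a named constant and a comment. If the intent is to keep already-enrolled short secrets verifiable, say so above the option, e.g. `// Accept legacy 10-byte secrets so existing enrolments can still verify; newly generated secrets keep the library default length`, and confirm that secret generation is not loosened by the same value. The diffstat's 6 insertions are all inside this hunk, so the commit adds no import: `createGuardrails` has to be in scope in `2fa.js` already, otherwise this call throws a ReferenceError before the code is ever checked. Any other `verify` call in the file (outside this hunk, as is the rest of the enclosing method) presumably needs the same guardrails so those secrets are treated consistently.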