Bump the dev-patch-updates group in /frontend with 2 updates

Bumps the dev-patch-updates group in /frontend with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [happy-dom](https://github.com/capricorn86/happy-dom). Updates `@types/react` from 19.2.10 to 19.2.13 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `happy-dom` from 20.5.0 to 20.5.3 - [Release notes](https://github.com/capricorn86/happy-dom/releases) - [Commits](https://github.com/capricorn86/happy-dom/compare/v20.5.0...v20.5.3) --- updated-dependencies: - dependency-name: "@types/react" dependency-version: 19.2.13 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: happy-dom dependency-version: 20.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>
Fix upgrade problem with otplib existing secrets
2026-02-09 20:22:58 +00:00 · 2026-02-09 14:29:16 +00:00 · 2026-02-05 13:12:54 +10:00 · 2026-02-05 13:11:57 +10:00 · 2026-02-05 10:51:15 +10:00 · 2026-02-05 08:27:41 +10:00
11 changed files with 87 additions and 54 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.13.6
+2.13.7
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.13.6-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.13.7-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
--- a/backend/internal/2fa.js
+++ b/backend/internal/2fa.js
@@ -1,6 +1,6 @@
 import crypto from "node:crypto";
 import bcrypt from "bcrypt";
-import { generateSecret, generateURI, verify } from "otplib";
+import { createGuardrails, generateSecret, generateURI, verify } from "otplib";
 import errs from "../lib/error.js";
 import authModel from "../models/auth.js";
 import internalUser from "./user.js";
@@ -198,20 +198,30 @@ const internal2fa = {
 			return false;
 		}

-		// Try TOTP code first
-		const result = await verify({
-			token,
-			secret,
-		});
+		// Try TOTP code first, if it's 6 chars. it will throw errors if it's not 6 chars
+		// and the backup codes are 8 chars.
+		if (token.length === 6) {
+			const result = await verify({
+				token,
+				secret,
+				// These guardrails lower the minimum length requirement for secrets.
+				// In v12 of otplib the default minimum length is 10 and in v13 it is 16.
+				// Since there are 2fa secrets in the wild generated with v12 we need to allow shorter secrets
+				// so people won't be locked out when upgrading.
+				guardrails: createGuardrails({
+					MIN_SECRET_BYTES: 10,
+				}),
+			});

-		if (result.valid) {
-			return true;
+			if (result.valid) {
+				return true;
+			}
 		}

 		// Try backup codes
 		const backupCodes = auth?.meta?.backup_codes || [];
 		for (let i = 0; i < backupCodes.length; i++) {
-			const match = await bcrypt.compare(code.toUpperCase(), backupCodes[i]);
+			const match = await bcrypt.compare(token.toUpperCase(), backupCodes[i]);
 			if (match) {
 				// Remove used backup code
 				const updatedCodes = [...backupCodes];
@@ -275,7 +285,11 @@ const internal2fa = {
 	},

 	getUserPasswordAuth: async (userId) => {
-		const auth = await authModel.query().where("user_id", userId).andWhere("type", "password").first();
+		const auth = await authModel
+			.query()
+			.where("user_id", userId)
+			.andWhere("type", "password")
+			.first();

 		if (!auth) {
 			throw new errs.ItemNotFoundError("Auth not found");
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -5,7 +5,7 @@ import { global as logger } from "../logger.js";
 const keysFile         = '/data/keys.json';
 const mysqlEngine      = 'mysql2';
 const postgresEngine   = 'pg';
-const sqliteClientName = 'sqlite3';
+const sqliteClientName = 'better-sqlite3';

 let instance = null;

@@ -84,6 +84,7 @@ const configure = () => {
 	}

 	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
+
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
 	instance = {
 		database: {
--- a/backend/package.json
+++ b/backend/package.json
@@ -17,6 +17,7 @@
 		"archiver": "^7.0.1",
 		"batchflow": "^0.4.0",
 		"bcrypt": "^6.0.0",
+		"better-sqlite3": "^12.6.2",
 		"body-parser": "^2.2.2",
 		"compression": "^1.7.4",
 		"express": "^5.2.1",
@@ -36,7 +37,7 @@
 		"proxy-agent": "^6.5.0",
 		"signale": "1.4.0",
 		"sqlite3": "^5.1.7",
-		"temp-write": "^6.0.1"
+		"temp-write": "^4.0.0"
 	},
 	"devDependencies": {
 		"@apidevtools/swagger-parser": "^12.1.0",
--- a/backend/schema/paths/tokens/2fa/post.json
+++ b/backend/schema/paths/tokens/2fa/post.json
@@ -17,7 +17,7 @@
 						},
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "012345"
 						}
--- a/backend/schema/paths/users/userID/2fa/backup-codes/post.json
+++ b/backend/schema/paths/users/userID/2fa/backup-codes/post.json
@@ -16,7 +16,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Verififcation Payload",
+		"description": "Verification Payload",
 		"required": true,
 		"content": {
 			"application/json": {
@@ -25,7 +25,7 @@
 					"properties": {
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "123456"
 						}
--- a/backend/schema/paths/users/userID/2fa/enable/post.json
+++ b/backend/schema/paths/users/userID/2fa/enable/post.json
@@ -16,7 +16,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Verififcation Payload",
+		"description": "Verification Payload",
 		"required": true,
 		"content": {
 			"application/json": {
@@ -25,7 +25,7 @@
 					"properties": {
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "123456"
 						}
--- a/backend/yarn.lock
+++ b/backend/yarn.lock
@@ -414,6 +414,14 @@ bcrypt@^6.0.0:
    node-addon-api "^8.3.0"
    node-gyp-build "^4.8.4"

+better-sqlite3@^12.6.2:
+  version "12.6.2"
+  resolved "https://registry.yarnpkg.com/better-sqlite3/-/better-sqlite3-12.6.2.tgz#770649f28a62e543a360f3dfa1afe4cc944b1937"
+  integrity sha512-8VYKM3MjCa9WcaSAI3hzwhmyHVlH8tiGFwf0RlTsZPWJ1I5MkzjiudCo4KC4DxOaL/53A5B1sI/IbldNFDbsKA==
+  dependencies:
+    bindings "^1.5.0"
+    prebuild-install "^7.1.1"
+
 binary-extensions@^2.0.0:
  version "2.3.0"
  resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.3.0.tgz#f6e14a97858d327252200242d4ccfe522c445522"
@@ -1246,7 +1254,7 @@ gopd@^1.2.0:
  resolved "https://registry.yarnpkg.com/gopd/-/gopd-1.2.0.tgz#89f56b8217bdbc8802bd299df6d7f1081d7e51a1"
  integrity sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==

-graceful-fs@^4.1.2, graceful-fs@^4.2.0, graceful-fs@^4.2.11, graceful-fs@^4.2.6:
+graceful-fs@^4.1.15, graceful-fs@^4.1.2, graceful-fs@^4.2.0, graceful-fs@^4.2.6:
  version "4.2.11"
  resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.11.tgz#4183e4e8bf08bb6e05bbb2f7d2e0c8f712ca40e3"
  integrity sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==
@@ -1472,16 +1480,11 @@ is-property@^1.0.2:
  resolved "https://registry.yarnpkg.com/is-property/-/is-property-1.0.2.tgz#57fe1c4e48474edd65b09911f26b1cd4095dda84"
  integrity sha512-Ks/IoX00TtClbGQr4TWXemAnktAQvYB7HzcCxDGqEZU6oCmb2INHuOoKxbtR+HFkmYWBKv/dOZtGRiAjDhj92g==

-is-stream@^2.0.1:
+is-stream@^2.0.0, is-stream@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-2.0.1.tgz#fac1e3d53b97ad5a9d0ae9cef2389f5810a5c077"
  integrity sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==

-is-stream@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-4.0.1.tgz#375cf891e16d2e4baec250b85926cffc14720d9b"
-  integrity sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==
-
 isarray@~1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/isarray/-/isarray-1.0.0.tgz#bb935d48582cba168c06834957a54a3e07124f11"
@@ -1677,6 +1680,13 @@ lru.min@^1.1.0, lru.min@^1.1.3:
  resolved "https://registry.yarnpkg.com/lru.min/-/lru.min-1.1.3.tgz#c8c3d001dfb4cbe5b8d1f4bea207d4a320e5d76f"
  integrity sha512-Lkk/vx6ak3rYkRR0Nhu4lFUT2VDnQSxBe8Hbl7f36358p6ow8Bnvr8lrLt98H8J1aGxfhbX4Fs5tYg2+FTwr5Q==

+make-dir@^3.0.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/make-dir/-/make-dir-3.1.0.tgz#415e967046b3a7f1d185277d84aa58203726a13f"
+  integrity sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==
+  dependencies:
+    semver "^6.0.0"
+
 make-fetch-happen@^9.1.0:
  version "9.1.0"
  resolved "https://registry.yarnpkg.com/make-fetch-happen/-/make-fetch-happen-9.1.0.tgz#53085a09e7971433e6765f7971bf63f4e05cb968"
@@ -2492,6 +2502,11 @@ safe-buffer@~5.1.0, safe-buffer@~5.1.1:
  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
  integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==

+semver@^6.0.0:
+  version "6.3.1"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
+  integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
+
 semver@^7.3.5, semver@^7.5.3, semver@^7.5.4:
  version "7.7.3"
  resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.3.tgz#4b5f4143d007633a8dc671cd0a6ef9147b8bb946"
@@ -2846,19 +2861,21 @@ tarn@^3.0.2:
  resolved "https://registry.yarnpkg.com/tarn/-/tarn-3.0.2.tgz#73b6140fbb881b71559c4f8bfde3d9a4b3d27693"
  integrity sha512-51LAVKUSZSVfI05vjPESNc5vwqqZpbXCsU+/+wxlOrUjk2SnFTt97v9ZgQrD4YmxYW1Px6w2KjaDitCfkvgxMQ==

-temp-dir@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/temp-dir/-/temp-dir-3.0.0.tgz#7f147b42ee41234cc6ba3138cd8e8aa2302acffa"
-  integrity sha512-nHc6S/bwIilKHNRgK/3jlhDoIHcp45YgyiwcAk46Tr0LfEqGBVpmiAyuiuxeVE44m3mXnEeVhaipLOEWmH+Njw==
+temp-dir@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/temp-dir/-/temp-dir-1.0.0.tgz#0a7c0ea26d3a39afa7e0ebea9c1fc0bc4daa011d"
+  integrity sha512-xZFXEGbG7SNC3itwBzI3RYjq/cEhBkx2hJuKGIUOcEULmkQExXiHat2z/qkISYsuR+IKumhEfKKbV5qXmhICFQ==

-temp-write@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/temp-write/-/temp-write-6.0.1.tgz#b1ed81e80e120ba4957db3e01e010669d7c15870"
-  integrity sha512-6bj9LlNld+knzEOQvnZK6YxiPF+foOUjvG/WoWj1/Mt9c6f2kQCPsh8KZ+NyTk0AejubTQSPpx2alcswE1bF8g==
+temp-write@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/temp-write/-/temp-write-4.0.0.tgz#cd2e0825fc826ae72d201dc26eef3bf7e6fc9320"
+  integrity sha512-HIeWmj77uOOHb0QX7siN3OtwV3CTntquin6TNVg6SHOqCP3hYKmox90eeFOGaY1MqJ9WYDDjkyZrW6qS5AWpbw==
  dependencies:
-    graceful-fs "^4.2.11"
-    is-stream "^4.0.1"
-    temp-dir "^3.0.0"
+    graceful-fs "^4.1.15"
+    is-stream "^2.0.0"
+    make-dir "^3.0.0"
+    temp-dir "^1.0.0"
+    uuid "^3.3.2"

 text-decoder@^1.1.0:
  version "1.2.3"
@@ -2946,6 +2963,11 @@ util@^0.10.3:
  dependencies:
    inherits "2.0.3"

+uuid@^3.3.2:
+  version "3.4.0"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee"
+  integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==
+
 vary@^1.1.2, vary@~1.1.2:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -48,11 +48,11 @@
 		"@testing-library/react": "^16.3.2",
 		"@types/country-flag-icons": "^1.2.2",
 		"@types/humps": "^2.0.6",
-		"@types/react": "^19.2.10",
+		"@types/react": "^19.2.13",
 		"@types/react-dom": "^19.2.3",
 		"@types/react-table": "^7.7.20",
 		"@vitejs/plugin-react": "^5.1.3",
-		"happy-dom": "^20.5.0",
+		"happy-dom": "^20.5.3",
 		"postcss": "^8.5.6",
 		"postcss-simple-vars": "^7.0.1",
 		"sass": "^1.97.3",
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@@ -1111,10 +1111,10 @@
  resolved "https://registry.npmjs.org/@types/react-transition-group/-/react-transition-group-4.4.12.tgz"
  integrity sha512-8TV6R3h2j7a91c+1DXdJi3Syo69zzIZbz7Lg5tORM5LEJG7X/E6a1V3drRyBRZq7/utz7A+c4OgYLiLcYGHG6w==

-"@types/react@*", "@types/react@>=16.9.11", "@types/react@^19.2.10":
-  version "19.2.10"
-  resolved "https://registry.yarnpkg.com/@types/react/-/react-19.2.10.tgz#f3ea799e6b4cebad6dfd231c238fc9de7652e2d2"
-  integrity sha512-WPigyYuGhgZ/cTPRXB2EwUw+XvsRA3GqHlsP4qteqrnnjDrApbS7MxcGr/hke5iUoeB7E/gQtrs9I37zAJ0Vjw==
+"@types/react@*", "@types/react@>=16.9.11", "@types/react@^19.2.13":
+  version "19.2.13"
+  resolved "https://registry.yarnpkg.com/@types/react/-/react-19.2.13.tgz#7cea30d7f60a01d97e4ece039c04e9056682218a"
+  integrity sha512-KkiJeU6VbYbUOp5ITMIc7kBfqlYkKA5KhEHVrGMmUUMt7NeaZg65ojdPk+FtNrBAOXNVM5QM72jnADjM+XVRAQ==
  dependencies:
    csstype "^3.2.2"

@@ -1472,12 +1472,7 @@ electron-to-chromium@^1.5.211:
  resolved "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.213.tgz"
  integrity sha512-xr9eRzSLNa4neDO0xVFrkXu3vyIzG4Ay08dApecw42Z1NbmCt+keEpXdvlYGVe0wtvY5dhW0Ay0lY0IOfsCg0Q==

-entities@^4.5.0:
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/entities/-/entities-4.5.0.tgz#5d268ea5e7113ec74c4d033b79ea5a35a488fb48"
-  integrity sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==
-
-entities@^6.0.0:
+entities@^6.0.0, entities@^6.0.1:
  version "6.0.1"
  resolved "https://registry.npmjs.org/entities/-/entities-6.0.1.tgz"
  integrity sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==
@@ -1632,15 +1627,15 @@ globrex@^0.1.2:
  resolved "https://registry.npmjs.org/globrex/-/globrex-0.1.2.tgz"
  integrity sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==

-happy-dom@^20.5.0:
-  version "20.5.0"
-  resolved "https://registry.yarnpkg.com/happy-dom/-/happy-dom-20.5.0.tgz#64899aad7272f7e02a728e231bc9c151b872a3a5"
-  integrity sha512-VQe+Q5CYiGOgcCERXhcfNsbnrN92FDEKciMH/x6LppU9dd0j4aTjCTlqONFOIMcAm/5JxS3+utowbXV1OoFr+g==
+happy-dom@^20.5.3:
+  version "20.5.3"
+  resolved "https://registry.yarnpkg.com/happy-dom/-/happy-dom-20.5.3.tgz#0cc4159c4ca841cd388a45afe452060f41dbb84b"
+  integrity sha512-xqAxGnkRU0KNhheHpxb3uScqg/aehqUiVto/a9ApWMyNvnH9CAqHYq9dEPAovM6bOGbLstmTfGIln5ZIezEU0g==
  dependencies:
    "@types/node" ">=20.0.0"
    "@types/whatwg-mimetype" "^3.0.2"
    "@types/ws" "^8.18.1"
-    entities "^4.5.0"
+    entities "^6.0.1"
    whatwg-mimetype "^3.0.0"
    ws "^8.18.3"
Author	SHA1	Message	Date
dependabot[bot]	09a3d65aa1	Bump the dev-patch-updates group in /frontend with 2 updates Bumps the dev-patch-updates group in /frontend with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [happy-dom](https://github.com/capricorn86/happy-dom). Updates `@types/react` from 19.2.10 to 19.2.13 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `happy-dom` from 20.5.0 to 20.5.3 - [Release notes](https://github.com/capricorn86/happy-dom/releases) - [Commits](https://github.com/capricorn86/happy-dom/compare/v20.5.0...v20.5.3) --- updated-dependencies: - dependency-name: "@types/react" dependency-version: 19.2.13 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: happy-dom dependency-version: 20.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-09 14:29:16 +00:00
Jamie Curnow	d19f5c1960	Fix upgrade problem with otplib existing secrets All checks were successful Close stale issues and PRs / stale (push) Successful in 32s Details	2026-02-05 13:12:54 +10:00
Jamie Curnow	77662b4e7f	Use better-sqlite3 package for sqlite databases	2026-02-05 13:11:57 +10:00
Jamie Curnow	c88de65d3a	Fix #5274 2fa backup codes not validating properly	2026-02-05 10:51:15 +10:00
jc21	ac4efd2333	Merge branch 'master' into develop	2026-02-05 08:27:41 +10:00
Jamie Curnow	eab38d8934	Bump version	2026-02-05 08:26:49 +10:00
jc21	f3efaae320	Merge pull request #5141 from NginxProxyManager/develop v2.13.6	2026-01-14 14:30:49 +10:00
@@ -1 +1 @@
 .13.6
 .13.7