fix(security) Disable 2FA configure if 2FA is enabled

packages/backend/src/api/APIError.js

@@ -335,6 +335,10 @@ module.exports = class APIError {
             status: 400,
             message: ({ action }) => `Invalid action: ${quot(action)}.`,
         },
+        '2fa_already_enabled': {
+            status: 409,
+            message: '2FA is already enabled.',
+        },
 
         // Object Mapping
         'field_not_allowed_for_create': {

packages/backend/src/routers/auth/configure-2fa.js

@@ -1,5 +1,6 @@
 const APIError = require("../../api/APIError");
 const eggspress = require("../../api/eggspress");
+const { get_user } = require("../../helpers");
 const { UserActorType } = require("../../services/auth/Actor");
 const { DB_WRITE } = require("../../services/database/consts");
 const { Context } = require("../../util/context");
@@ -25,6 +26,12 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
     const db = await x.get('services').get('database').get(DB_WRITE, '2fa');
 
     actions.setup = async () => {
+        const user = await get_user({ id: req.user.id, force: true });
+
+        if ( user.otp_enabled ) {
+            throw APIError.create('2fa_already_enabled');
+        }
+
         const svc_otp = x.get('services').get('otp');
 
         // generate secret
@@ -56,6 +63,8 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
         );
         req.user.otp_secret = result.secret;
         req.user.otp_recovery_codes = hashed_recovery_codes.join(',');
+        user.otp_secret = result.secret;
+        user.otp_recovery_codes = hashed_recovery_codes.join(',');
 
         return result;
     };
@@ -77,6 +86,12 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
             return res.status(429).send('Too many requests.');
         }
 
+        const user = await get_user({ id: req.user.id, force: true });
+
+        if ( user.otp_enabled ) {
+            throw APIError.create('2fa_already_enabled');
+        }
+
         await db.write(
             `UPDATE user SET otp_enabled = 1 WHERE uuid = ?`,
             [user.uuid]