fix: scope dashboard TOTP rotation state to the authenticated session #8600

@zouyonghe

Description

What to build

Make dashboard TOTP rotation state session-scoped instead of process-global. A verification performed in one dashboard session must not authorize a different session to submit or save a new TOTP secret.

Acceptance criteria

  • Pending TOTP secrets are scoped to the authenticated dashboard session or an explicit short-lived rotation transaction.
  • The old-TOTP verification flag is scoped the same way and is single-use.
  • Config-save verification only accepts the pending secret for the same session or transaction.
  • Tests cover two authenticated sessions with the same username where session B cannot consume session A's rotation verification.

Blocked by

None - can start immediately
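As an added illustration of the session-scoped design the acceptance criteria describe (example code, not AstrBot's own implementation), this store keys the pending secret and the old-code verification flag by a dashboard session id, gives each transaction a TTL, and makes the config-save check single-use. The session id strings, the 300-second TTL and the RFC 6238 check of the old code are assumptions for the example.

```python
import base64, hashlib, hmac, secrets, struct
from dataclasses import dataclass
def totp_code(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at unix time `at`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

@dataclass
class RotationTx:
    pending_secret: str         # the new secret the dashboard is about to save
    expires_at: float           # short-lived: the transaction dies with the TTL
    old_verified: bool = False  # set once the old code checks out, cleared on use

class TotpRotationStore:
    """Rotation state keyed by dashboard session id instead of one process-global slot."""
    def __init__(self, ttl_seconds: int = 300):   # assumed TTL for the example
        self.ttl = ttl_seconds
        self._tx: dict[str, RotationTx] = {}

    def begin(self, session_id: str, now: float) -> str:
        """Start a rotation for this session and return its pending secret."""
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self._tx[session_id] = RotationTx(secret, now + self.ttl)
        return secret

    def _live(self, session_id: str, now: float):
        tx = self._tx.get(session_id)
        if tx is None or now > tx.expires_at:
            self._tx.pop(session_id, None)   # expired transactions are dropped
            return None
        return tx

    def verify_old(self, session_id: str, current_secret: str, code: str, now: float) -> bool:
        """Mark this session's transaction verified if `code` matches the current TOTP."""
        tx = self._live(session_id, now)
        if tx is None or not hmac.compare_digest(totp_code(current_secret, now), code):
            return False
        tx.old_verified = True
        return True

    def consume(self, session_id: str, submitted_secret: str, now: float) -> bool:
        """Config-save check: only the verifying session, only its own pending secret, only once."""
        tx = self._live(session_id, now)
        if tx is None or not tx.old_verified or not hmac.compare_digest(tx.pending_secret, submitted_secret):
            return False
        del self._tx[session_id]             # single-use: the flag cannot be replayed
        return True
```

With this layout, two sessions logged in under the same username each get their own transaction, so session B holding session A's pending secret still fails the save check.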

Metadata

    Labels

    area:webui: The bug / feature is about webui (dashboard) of astrbot.