security: auth bypasses, constant-time comparisons, MFA password re-auth, OAuth revocation

app/controllers/api/v1/auth_controller.rb

@@ -12,6 +12,12 @@ class AuthController < BaseController
       before_action :log_api_access, only: :enable_ai
 
       def signup
+        # Block signups when registration is closed (self-hosted)
+        if Rails.application.config.app_mode.self_hosted? && Setting.onboarding_state == "closed"
+          render json: { error: "Registration is currently closed" }, status: :forbidden
+          return
+        end
+
         # Check if invite code is required
         if invite_code_required? && params[:invite_code].blank?
           render json: { error: "Invite code is required" }, status: :forbidden
@@ -65,9 +71,21 @@ def signup
       end
 
       def login
+        # Enforce AuthConfig — respect SSO-only mode for API clients too
+        unless AuthConfig.local_login_enabled?
+          render json: { error: "Local login is disabled. Please use SSO." }, status: :forbidden
+          return
+        end
+
         user = User.find_by(email: params[:email])
 
         if user&.authenticate(params[:password])
+          # Reject deactivated users
+          unless user.active?
+            render json: { error: "Account has been deactivated" }, status: :unauthorized
+            return
+          end
+
           # Check MFA if enabled
           if user.otp_required?
             unless params[:otp_code].present? && user.verify_otp?(params[:otp_code])
@@ -258,7 +276,23 @@ def refresh
           return
         end
 
-        # Create new access token
+        # Reject deactivated or deleted users BEFORE issuing a fresh token.
+        # If we checked after creation, a concurrent request could briefly pass
+        # the OAuth gate in base_controller against `new_token` — and we'd also
+        # do pointless writes. Also matches the 401-for-missing-user shape used
+        # by api/v1/base_controller#authenticate_oauth (use find_by, not find).
+        user = User.find_by(id: access_token.resource_owner_id)
+        unless user&.active?
+          # Revoke every outstanding access token for this resource owner so
+          # other devices lose access immediately.
+          Doorkeeper::AccessToken
+            .where(resource_owner_id: access_token.resource_owner_id, revoked_at: nil)
+            .find_each(&:revoke)
+          render json: { error: "Account has been deactivated" }, status: :unauthorized
+          return
+        end
+
+        # Create new access token (only after the active check passes).
         new_token = Doorkeeper::AccessToken.create!(
           application: access_token.application,
           resource_owner_id: access_token.resource_owner_id,
@@ -272,7 +306,6 @@ def refresh
         access_token.revoke
 
         # Update device last seen
-        user = User.find(access_token.resource_owner_id)
         device = user.mobile_devices.find_by(device_id: params[:device][:device_id])
         device&.update_last_seen!
 

app/controllers/api/v1/base_controller.rb

@@ -56,7 +56,8 @@ def authenticate_oauth
       # Check token validity and scope (read_write includes read access)
       has_sufficient_scope = access_token&.scopes&.include?("read") || access_token&.scopes&.include?("read_write")
 
-      unless access_token && !access_token.expired? && has_sufficient_scope
+      # Also reject revoked tokens (revocation is meaningless if we still accept them)
+      unless access_token && !access_token.expired? && !access_token.revoked? && has_sufficient_scope
         render_json({ error: "unauthorized", message: "Access token is invalid, expired, or missing required scope" }, status: :unauthorized)
         return false
       end

app/controllers/mfa_controller.rb

@@ -1,13 +1,22 @@
 class MfaController < ApplicationController
   layout :determine_layout
   skip_authentication only: [ :verify, :verify_code ]
+  before_action :block_sso_only_users, only: [ :new, :create, :disable ]
 
   def new
     redirect_to root_path if Current.user.otp_required?
     Current.user.setup_mfa! unless Current.user.otp_secret.present?
   end
 
   def create
+    unless password_reauth_ok?
+      # Do NOT call disable_mfa! here — a wrong password during enable should
+      # not wipe the in-progress otp_secret / backup codes. Only an actual
+      # code mismatch below invalidates the setup.
+      redirect_to new_mfa_path, alert: t(".invalid_password")
+      return
+    end
+
     if Current.user.verify_otp?(params[:code])
       Current.user.enable_mfa!
       @backup_codes = Current.user.otp_backup_codes
@@ -41,12 +50,36 @@ def verify_code
   end
 
   def disable
+    unless password_reauth_ok?
+      redirect_to settings_security_path, alert: t(".invalid_password")
+      return
+    end
+
     Current.user.disable_mfa!
     redirect_to settings_security_path, notice: t(".success")
   end
 
   private
 
+    # SSO-only users can't satisfy the password prompt MFA enable/disable
+    # requires (F-11). Block every MFA management action for them — including
+    # GET /mfa/new, which would otherwise call setup_mfa! and leave an
+    # incomplete otp_secret the user can never finish wiring up. The view
+    # already hides the enable/disable UI for these users; this is the
+    # server-side backstop for a direct-URL visit.
+    def block_sso_only_users
+      return if Current.user.password_digest.present?
+      redirect_to settings_security_path, alert: t("mfa.new.sso_only_not_supported", default: "Two-factor authentication requires a local password — it is managed through your identity provider.")
+    end
+
+    # Password re-auth for sensitive MFA operations. SSO-only users are
+    # already rejected by block_sso_only_users, but the guard here is kept
+    # for defense-in-depth.
+    def password_reauth_ok?
+      return false if Current.user.password_digest.blank?
+      Current.user.authenticate(params[:password]).present?
+    end
+
     def determine_layout
       if action_name.in?(%w[verify verify_code])
         "auth"

app/models/api_key.rb

@@ -56,7 +56,7 @@ def expired?
   end
 
   def key_matches?(plain_key)
-    display_key == plain_key
+    ActiveSupport::SecurityUtils.secure_compare(display_key.to_s, plain_key.to_s)
   end
 
   def revoke!

app/models/user.rb

@@ -449,8 +449,9 @@ def totp
     def verify_backup_code?(code)
       return false if otp_backup_codes.blank?
 
-      # Find and remove the used backup code
-      if (index = otp_backup_codes.index(code))
+      # Use constant-time comparison to prevent timing attacks
+      index = otp_backup_codes.index { |stored| ActiveSupport::SecurityUtils.secure_compare(stored.to_s, code.to_s) }
+      if index
         remaining_codes = otp_backup_codes.dup
         remaining_codes.delete_at(index)
         update!(otp_backup_codes: remaining_codes)

app/views/mfa/new.html.erb

@@ -46,7 +46,7 @@
       </div>
 
       <%= styled_form_with url: mfa_path, method: :post, class: "mt-5", data: { turbo: false } do |f| %>
-        <div>
+        <div class="space-y-4">
           <%= f.text_field :code,
             required: true,
             autofocus: true,
@@ -56,6 +56,12 @@
             label: t(".code_label"),
             placeholder: t(".code_placeholder") %>
 
+          <%= f.password_field :password,
+            required: true,
+            autocomplete: "current-password",
+            label: t(".password_label"),
+            placeholder: t(".password_placeholder") %>
+
           <div class="flex justify-end mt-4">
             <%= f.submit t(".verify_button") %>
           </div>

app/views/settings/securities/show.html.erb

@@ -20,19 +20,24 @@
       </div>
 
       <div class="mt-4 md:mt-0">
-        <% if Current.user.otp_required? %>
-          <%= render DS::Button.new(
-            text: t(".disable_mfa"),
-            variant: "secondary",
-            href: disable_mfa_path,
-            method: :delete,
-            confirm: CustomConfirm.new(
-              title: t(".disable_mfa_confirm"),
-              body: t(".disable_mfa_confirm"),
-              btn_text: t(".disable_mfa"),
-              destructive: true
-            )
-          ) %>
+        <% if Current.user.password_digest.blank? %>
+          <%# SSO-only user — password re-auth is impossible. Surface a hint
+              instead of the enable/disable form they could never submit. %>
+          <p class="text-sm text-subdued"><%= t(".mfa_sso_only") %></p>
+        <% elsif Current.user.otp_required? %>
+          <details class="group" <%= "open" if flash[:alert].present? %>>
+            <summary class="cursor-pointer text-sm font-medium text-destructive">
+              <%= t(".disable_mfa") %>
+            </summary>
+            <%= styled_form_with url: disable_mfa_path, method: :delete, class: "mt-3 space-y-3", data: { turbo: false } do |f| %>
+              <%= f.password_field :password,
+                required: true,
+                autocomplete: "current-password",
+                label: t(".disable_mfa_password_label"),
+                placeholder: t(".disable_mfa_password_placeholder") %>
+              <%= f.submit t(".disable_mfa") %>
+            <% end %>
+          </details>
         <% else %>
           <%= render DS::Link.new(
             text: t(".enable_mfa"),

config/locales/views/mfa/en.yml

@@ -12,14 +12,19 @@ en:
       title: Save Your Backup Codes
     create:
       invalid_code: Invalid verification code. Please try again.
+      invalid_password: Incorrect password. Please try again.
     disable:
+      invalid_password: Incorrect password. Please try again.
       success: Two-factor authentication has been disabled
     new:
       code_label: Verification Code
       code_placeholder: Enter 6-digit code
       description: Enhance your account security by setting up two-factor authentication
       page_title: Two-Factor Authentication Setup
+      password_label: Password
+      password_placeholder: Enter your password
       scan_description: Use an authenticator app like Google Authenticator or 1Password
+      sso_only_not_supported: Two-factor authentication requires a local password — it is managed through your identity provider.
         to scan this QR code
       scan_title: 1. Scan QR Code
       secret_description: If you can't scan the QR code, enter this secret key manually

config/locales/views/settings/de.yml

@@ -102,6 +102,9 @@ de:
         enable_mfa: 2FA aktivieren
         disable_mfa: 2FA deaktivieren
         disable_mfa_confirm: Bist du sicher, dass du die Zwei-Faktor-Authentifizierung deaktivieren möchtest?
+        disable_mfa_password_label: Mit deinem Passwort bestätigen
+        disable_mfa_password_placeholder: Passwort eingeben
+        mfa_sso_only: Die Zwei-Faktor-Authentifizierung wird über deinen Identitätsanbieter verwaltet.
         sso_title: Verbundene Konten
         sso_subtitle: Verwalte deine Single Sign-On-Kontoverbindungen
         sso_disconnect: Trennen

config/locales/views/settings/en.yml

@@ -138,6 +138,9 @@ en:
         enable_mfa: Enable 2FA
         disable_mfa: Disable 2FA
         disable_mfa_confirm: Are you sure you want to disable two-factor authentication?
+        disable_mfa_password_label: Confirm with your password
+        disable_mfa_password_placeholder: Enter your password
+        mfa_sso_only: Two-factor authentication is managed through your identity provider.
         sso_title: Connected Accounts
         sso_subtitle: Manage your single sign-on account connections
         sso_disconnect: Disconnect

config/locales/views/settings/es.yml

@@ -103,6 +103,9 @@ es:
         enable_mfa: Activar 2FA
         disable_mfa: Desactivar 2FA
         disable_mfa_confirm: ¿Estás seguro de que deseas desactivar la autenticación de dos factores?
+        disable_mfa_password_label: Confirma con tu contraseña
+        disable_mfa_password_placeholder: Introduce tu contraseña
+        mfa_sso_only: La autenticación de dos factores se gestiona a través de tu proveedor de identidad.
         sso_title: Cuentas Conectadas
         sso_subtitle: Gestiona tus conexiones de inicio de sesión único (SSO)
         sso_disconnect: Desconectar

config/locales/views/settings/fr.yml

@@ -136,6 +136,9 @@ fr:
         enable_mfa: Activer 2FA
         disable_mfa: Désactiver 2FA
         disable_mfa_confirm: Êtes-vous sûr(e) de vouloir désactiver l'authentification à deux facteurs ?
+        disable_mfa_password_label: Confirmez avec votre mot de passe
+        disable_mfa_password_placeholder: Entrez votre mot de passe
+        mfa_sso_only: L'authentification à deux facteurs est gérée par votre fournisseur d'identité.
         sso_title: Comptes connectés
         sso_subtitle: Gérez vos connexions de compte à authentification unique
         sso_disconnect: Déconnecter

config/locales/views/settings/nl.yml

@@ -99,6 +99,9 @@ nl:
         enable_mfa: 2FA inschakelen
         disable_mfa: 2FA uitschakelen
         disable_mfa_confirm: Weet u zeker dat u twee-factor authenticatie wilt uitschakelen?
+        disable_mfa_password_label: Bevestig met uw wachtwoord
+        disable_mfa_password_placeholder: Voer uw wachtwoord in
+        mfa_sso_only: Twee-factor authenticatie wordt beheerd via uw identiteitsprovider.
         sso_title: Gekoppelde Accounts
         sso_subtitle: Beheer uw single sign-on accountverbindingen
         sso_disconnect: Loskoppelen

config/locales/views/settings/pl.yml

@@ -119,6 +119,9 @@ pl:
         enable_mfa: Włącz 2FA
         disable_mfa: Wyłącz 2FA
         disable_mfa_confirm: Czy na pewno chcesz wyłączyć uwierzytelnianie dwuskładnikowe?
+        disable_mfa_password_label: Potwierdź hasłem
+        disable_mfa_password_placeholder: Wpisz hasło
+        mfa_sso_only: Uwierzytelnianie dwuskładnikowe jest zarządzane przez dostawcę tożsamości.
         sso_title: Połączone konta
         sso_subtitle: Zarządzaj połączeniami kont jednokrotnego logowania
         sso_disconnect: Odłącz

config/locales/views/settings/pt-BR.yml

@@ -121,6 +121,9 @@ pt-BR:
         enable_mfa: Ativar 2FA
         disable_mfa: Desativar 2FA
         disable_mfa_confirm: Tem certeza de que deseja desativar a autenticação de dois fatores?
+        disable_mfa_password_label: Confirme com sua senha
+        disable_mfa_password_placeholder: Digite sua senha
+        mfa_sso_only: A autenticação de dois fatores é gerenciada pelo seu provedor de identidade.
         sso_title: Contas Conectadas
         sso_subtitle: Gerencie suas conexões de contas de login único (SSO)
         sso_disconnect: Desconectar

test/controllers/api/v1/auth_controller_test.rb

@@ -818,4 +818,74 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
     assert_equal "AI is not available for your account", response_data["error"]
     assert_not user.reload.ai_enabled
   end
+
+  # Security tests — ported from origin/security/pentest-2026-03-02
+
+  test "signup is blocked when registration is closed on self-hosted" do
+    Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
+    Setting.stubs(:onboarding_state).returns("closed")
+
+    post "/api/v1/auth/signup", params: {
+      user: { email: "[email protected]", password: "SecurePass123!", first_name: "New", last_name: "User" },
+      device: @device_info
+    }
+
+    assert_response :forbidden
+    assert_equal "Registration is currently closed", JSON.parse(response.body)["error"]
+  end
+
+  test "login is blocked when local login disabled via AuthConfig" do
+    AuthConfig.stubs(:local_login_enabled?).returns(false)
+
+    post "/api/v1/auth/login", params: {
+      email: users(:family_admin).email,
+      password: user_password_test,
+      device: @device_info
+    }
+
+    assert_response :forbidden
+    assert_equal "Local login is disabled. Please use SSO.", JSON.parse(response.body)["error"]
+  end
+
+  test "refresh token is rejected for deactivated user and new token is revoked" do
+    user = users(:family_member)
+    device = user.mobile_devices.create!(@device_info)
+
+    initial_token = Doorkeeper::AccessToken.create!(
+      application: @shared_app,
+      resource_owner_id: user.id,
+      mobile_device_id: device.id,
+      expires_in: 30.days.to_i,
+      scopes: "read_write",
+      use_refresh_token: true
+    )
+
+    user.update!(active: false)
+
+    post "/api/v1/auth/refresh", params: {
+      refresh_token: initial_token.refresh_token,
+      device: @device_info
+    }
+
+    assert_response :unauthorized
+    assert_equal "Account has been deactivated", JSON.parse(response.body)["error"]
+
+    # All tokens for this user must be revoked (including any newly issued one)
+    assert Doorkeeper::AccessToken.where(resource_owner_id: user.id).all?(&:revoked?),
+      "Expected all tokens to be revoked for deactivated user"
+  end
+
+  test "login is rejected for deactivated user" do
+    user = users(:family_member)
+    user.update!(active: false)
+
+    post "/api/v1/auth/login", params: {
+      email: user.email,
+      password: user_password_test,
+      device: @device_info
+    }
+
+    assert_response :unauthorized
+    assert_equal "Account has been deactivated", JSON.parse(response.body)["error"]
+  end
 end