From ba067e3deb7677e8f29054e747a7fd66cfe6db77 Mon Sep 17 00:00:00 2001
From: syeopite
Date: Fri, 16 Jul 2021 14:37:08 -0700
Subject: [PATCH] Only allow totp removal endpoint for users w/ 2fa

---
 src/invidious/routes/account.cr | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index 2f3194f3..fb37c993 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -515,10 +515,17 @@ module Invidious::Routes::Account
   # Templates the page to remove 2fa on an user account
   def remove_2fa_page(env)
     locale = env.get("preferences").as(Preferences).locale
-    referer = get_referer(env)
-    user = env.get("user").as(User)
-    sid = env.get("sid").as(String)
+    user = env.get? "user"
+    sid = env.get? "sid"
+    referer = get_referer(env, unroll: false)
+
+    if !user || user.is_a? User && !user.totp_secret
+      return env.redirect referer
+    end
+
+    user = user.as(User)
+    sid = sid.as(String)
 
     csrf_token = generate_response(sid, {":2fa/remove"}, HMAC_KEY)
 
     return templated "user/remove_2fa"
@@ -532,7 +539,7 @@ module Invidious::Routes::Account
     sid = env.get? "sid"
     referer = get_referer(env, unroll: false)
-    if !user
+    if !user || user.is_a? User && !user.totp_secret
       return env.redirect referer
     end
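Review bot: The new guard `if !user || user.is_a? User && !user.totp_secret` in remove_2fa_page checks only `user`, while `sid` is now read with `env.get? "sid"` and force-cast a few lines later with `sid.as(String)`; if a request can carry a user context but no sid, that cast raises instead of redirecting the way the guard intends. Extending the condition to `if !user || !sid || (user.is_a?(User) && !user.totp_secret)` closes that gap and also makes the intended `||`/`&&` grouping explicit rather than relying on precedence and paren-less `is_a?`. The second hunk (the handler around line 539) repeats the same condition and would take the same change; if a cleared TOTP secret can be stored as an empty string rather than nil, `!user.totp_secret` would not treat it as "no 2FA", which is worth confirming against the User model. The rest of `remove_2fa_page` continues past the end of the hunk.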