From 020a64dbbd035f28ea42015381d74c6301b450ea Mon Sep 17 00:00:00 2001
From: KernelDeimos <7225168+KernelDeimos@users.noreply.github.com>
Date: Fri, 6 Feb 2026 23:37:39 -0500
Subject: [PATCH] fix: ensure cache invalidation when verifying OTP

It is possible this broke after redis caching was employed because it broke the expectation that assignments to attributes on cached objects would remain for future accesses on said objects. This has not been confirmed as the cause.
---
 src/backend/src/routers/auth/configure-2fa.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/backend/src/routers/auth/configure-2fa.js b/src/backend/src/routers/auth/configure-2fa.js
index adb8984b7..220a02a96 100644
--- a/src/backend/src/routers/auth/configure-2fa.js
+++ b/src/backend/src/routers/auth/configure-2fa.js
@@ -87,7 +87,7 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
 // this should never be used to verify the user's 2FA code
 // for authentication purposes.
 actions.test = async () => {
- const user = req.user;
+ const user = await get_user({ id: req.user.id, force: true });
 const svc_otp = x.get('services').get('otp');
 const code = req.body.code;
 const ok = svc_otp.verify(user.username, user.otp_secret, code);
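Review bot: The value returned by `get_user({ id: req.user.id, force: true })` is dereferenced on the `svc_otp.verify(user.username, user.otp_secret, code)` line with no check, so if the forced lookup can come back empty (for example the account was removed after the session was established, which is not visible from this hunk) the handler throws instead of failing cleanly. A guard directly after the lookup, such as `if ( ! user ) throw new Error('user not found');` or the router's usual error response, would close that gap. The reason for bypassing the cache should also be recorded next to the call, for instance `// force a fresh read: req.user may be a cached copy that predates the otp_secret written during setup`, so a later cleanup does not revert it to `req.user`. Since the commit message says the cache is only a suspected cause, it is worth checking whether other actions in this router still read `otp_secret` from `req.user`. The body of `actions.test` continues past the end of the hunk.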