Description
New Issue Checklist
- Report security issues confidentially.
- Any contribution is under this license.
- Before posting search existing issues.
Issue Description
Originally posted by @SteffenKeller:
A logged-in user can disable MFA for their account without entering a valid verification code by simply calling the unlink function or saving null for the MFA auth data.
The TOTP auth adapter prevents setting a new secret without a valid code (AuthenticationAdapters.spec.js line 2413), but it does not prevent clearing the secret first and then setting a new one.
This may not be critical, but since the TOTP auth adapter was designed to require a valid code to disable MFA, I thought it was worth mentioning.
Steps to reproduce
JS SDK:
await user._unlinkFrom('mfa');
or
await user.save(
  { authData: { mfa: null } },
  { sessionToken: user.getSessionToken() }
);
Environment
Server
- Parse Server version:
FILL_THIS_OUT