From c7b365787846c684205afba92036cafb15ba3b8e Mon Sep 17 00:00:00 2001
From: syeopite <syeopite@syeopite.dev>
Date: Fri, 16 Jul 2021 14:37:08 -0700
Subject: [PATCH] Only allow totp removal endpoint for users w/ 2fa

---
 src/invidious/routes/accounts.cr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/invidious/routes/accounts.cr b/src/invidious/routes/accounts.cr
index e0eb82af..b89c4e64 100644
--- a/src/invidious/routes/accounts.cr
+++ b/src/invidious/routes/accounts.cr
@@ -35,7 +35,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
     sid = env.get? "sid"
     referer = get_referer(env, unroll: false)
 
-    if !user
+    if !user || user.is_a? User && !user.totp_secret
       return env.redirect referer
     end
 
@@ -54,7 +54,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
     sid = env.get? "sid"
     referer = get_referer(env, unroll: false)
 
-    if !user
+    if !user || user.is_a? User && !user.totp_secret
       return env.redirect referer
     end