fix: update 2FA support descriptions and improve error handling in TOTP actions

README.md

@@ -36,7 +36,7 @@ English：[`README_EN.md`](./README_EN.md)
 | Send | ✅ | ✅ | 已支持文本 Send 与文件 Send |
 | 多用户 | ✅ | ✅ | 完整的用户管理，邀请机制 |
 | 组织/集合/成员权限 | ✅ | ❌ | 没必要实现 |
-| 登录 2FA（TOTP/WebAuthn/Duo/Email） | ✅ | ⚠️ 部分支持 | 仅支持 TOTP（通过 `TOTP_SECRET`） |
+| 登录 2FA（TOTP/WebAuthn/Duo/Email） | ✅ | ⚠️ 部分支持 | 仅支持用户级 TOTP |
 | SSO / SCIM / 企业目录 | ✅ | ❌ | 没必要实现 |
 | 紧急访问 | ✅ | ❌ | 没必要实现 |
 | 管理后台 / 计费订阅 | ✅ | ❌ | 纯免费 |

README_EN.md

@@ -36,7 +36,7 @@
 | Multi-user | ✅ | ✅ | Full user management with invitation mechanism |
 | Send | ✅ | ✅ | Text Send and File Send are supported |
 | Organizations / Collections / Member roles | ✅ | ❌ | Not necessary to implement |
-| Login 2FA (TOTP/WebAuthn/Duo/Email) | ✅ | ⚠️ Partial | TOTP-only  via `TOTP_SECRET` |
+| Login 2FA (TOTP/WebAuthn/Duo/Email) | ✅ | ⚠️ Partial | User-level TOTP only |
 | SSO / SCIM / Enterprise directory | ✅ | ❌ | Not necessary to implement |
 | Emergency access | ✅ | ❌ | Not necessary to implement |
 | Admin console / Billing & subscription | ✅ | ❌ | Free only |

src/handlers/accounts.ts

@@ -71,7 +71,7 @@ function toProfile(user: User, env: Env): ProfileResponse {
     usesKeyConnector: false,
     masterPasswordHint: null,
     culture: 'en-US',
-    twoFactorEnabled: !!user.totpSecret || isTotpEnabled(env.TOTP_SECRET),
+    twoFactorEnabled: !!user.totpSecret,
     key: user.key,
     privateKey: user.privateKey,
     accountKeys: null,

src/handlers/identity.ts

@@ -19,13 +19,10 @@ const TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE = '-1';
 const TWO_FACTOR_PROVIDER_RECOVERY_CODE_LEGACY = 8;
 const TWO_FACTOR_PROVIDER_RECOVERY_CODE_ANDROID_REQUEST = 100;
 
-function resolveTotpSecret(userSecret: string | null, envSecret: string | undefined): string | null {
+function resolveTotpSecret(userSecret: string | null): string | null {
   if (userSecret && isTotpEnabled(userSecret)) {
     return userSecret;
   }
-  if (isTotpEnabled(envSecret)) {
-    return envSecret!;
-  }
   return null;
 }
 
@@ -155,9 +152,9 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
       );
     }
 
-    // Optional 2FA: enabled per-user secret first, then falls back to global env secret for compatibility.
+    // Optional 2FA: enabled only by per-user secret.
     let trustedTwoFactorTokenToReturn: string | undefined;
-    const effectiveTotpSecret = resolveTotpSecret(user.totpSecret, env.TOTP_SECRET);
+    const effectiveTotpSecret = resolveTotpSecret(user.totpSecret);
     if (effectiveTotpSecret) {
       const canUseRecoveryCode = !!user.totpRecoveryCode;
       const normalizedTwoFactorProvider = String(twoFactorProvider ?? '').trim();

src/handlers/sync.ts

@@ -4,7 +4,6 @@ import { errorResponse } from '../utils/response';
 import { cipherToResponse } from './ciphers';
 import { sendToResponse } from './sends';
 import { LIMITS } from '../config/limits';
-import { isTotpEnabled } from '../utils/totp';
 
 interface SyncCacheEntry {
   body: string;
@@ -76,7 +75,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
     usesKeyConnector: false,
     masterPasswordHint: null,
     culture: 'en-US',
-    twoFactorEnabled: !!user.totpSecret || isTotpEnabled(env.TOTP_SECRET),
+    twoFactorEnabled: !!user.totpSecret,
     key: user.key,
     privateKey: user.privateKey,
     accountKeys: null,

webapp/src/App.tsx

@@ -611,14 +611,16 @@ export default function App() {
 
   async function enableTotpAction(secret: string, token: string) {
     if (!secret.trim() || !token.trim()) {
-      pushToast('error', t('txt_secret_and_code_are_required'));
-      return;
+      const error = new Error(t('txt_secret_and_code_are_required'));
+      pushToast('error', error.message);
+      throw error;
     }
     try {
       await setTotp(authedFetch, { enabled: true, secret: secret.trim(), token: token.trim() });
       pushToast('success', t('txt_totp_enabled'));
     } catch (error) {
       pushToast('error', error instanceof Error ? error.message : t('txt_enable_totp_failed'));
+      throw error;
     }
   }
 

webapp/src/components/SettingsPage.tsx

@@ -55,10 +55,14 @@ export default function SettingsPage(props: SettingsPageProps) {
   }, [props.profile.email, secret]);
 
   async function enableTotp(): Promise<void> {
+    try {
       await props.onEnableTotp(secret, token);
       // Secret is now stored on the server; remove plaintext copy from localStorage.
       localStorage.removeItem(totpSecretStorageKey);
       setTotpLocked(true);
+    } catch {
+      // Keep inputs editable after a failed attempt.
+    }
   }
 
   async function loadRecoveryCode(): Promise<void> {