2FA Can Be Removed Without a Security Check

### Description

A User is able to remove 2FA without an additional security check.

Standard practice here dictates that, if the user has 2FA already enabled; they should not be able to disable it without a 2FA check.

This would mean someone could have 2FA disabled, just by leaving their browser open for a few seconds.

This is for an admin account, in the event of a loss; recovery keys will need to be used.

### Gitea Version

1.20

### Can you reproduce the bug on the Gitea demo site?

Yes

### Log Gist

_No response_

### Screenshots

_No response_

### Git Version

_No response_

### Operating System

_No response_

### How are you running Gitea?

Podman

### Database

PostgreSQL

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

2FA Can Be Removed Without a Security Check #27690

Description

Gitea Version

Can you reproduce the bug on the Gitea demo site?

Log Gist

Screenshots

Git Version

Operating System

How are you running Gitea?

Database

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

2FA Can Be Removed Without a Security Check #27690

Description

Description

Gitea Version

Can you reproduce the bug on the Gitea demo site?

Log Gist

Screenshots

Git Version

Operating System

How are you running Gitea?

Database

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions