github hreskiv/mikr v1.18.1

10 days ago

Security

  • 2FA tickets no longer usable as access tokens — pre-2FA login tickets and 2FA setup tickets are signed with the same JWT secret as the access token, and the auth middleware did not check token type. A holder of either ticket could read device inventory and other endpoints guarded only by authentication. The middleware — and the WebSocket auth path, which had the same hole — now reject anything other than a real access token. Existing sessions stay valid through the upgrade (the frontend silently refreshes on the new token format).
  • Enabling 2FA now ends pre-existing sessions — refresh-token validity previously only checked the password timestamp, so a session opened before 2FA enrollment could keep refreshing without ever completing the new second factor. Enabling 2FA, disabling 2FA, and admin "Reset 2FA" now all invalidate any active refresh tokens, forcing the affected user to log back in (with 2FA, when applicable).
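The two fixes above come down to two checks in the token path: the middleware must look at the token's type claim, not just its signature, and refresh validity must consider the 2FA change time as well as the password change time. The following is an added example written for this page, not code from the mikr project. It assumes a hand-rolled HS256 JWT over the standard library (no PyJWT), a `typ` claim to distinguish `access` from the pre-2FA and setup tickets, and a per-user `twofa_changed_at` timestamp as the revocation mechanism; the project's real claim names and invalidation strategy are not described in the notes.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret; a real service loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
NOW = 1_700_000_000  # constructed "current time" so the example is deterministic


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(sub: str, typ: str, now: int, ttl: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. `typ` (assumed claim name) separates access tokens from
    the pre-2FA login ticket and the 2FA setup ticket. All three share one
    secret, as in the affected versions, so only the claim tells them apart."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "typ": typ, "iat": now, "exp": now + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    Deliberately says nothing about the token *type*; that is the caller's job."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256" or claims.get("exp", 0) <= now:
        return None
    return claims


def authenticate_before(token: str, now: int = NOW) -> Optional[str]:
    """Pre-fix middleware: any validly signed, unexpired token is treated as a
    logged-in user, so a pre-2FA ticket reaches authenticated endpoints."""
    claims = verify(token, now)
    return claims["sub"] if claims else None


def authenticate_after(token: str, now: int = NOW) -> Optional[str]:
    """Fixed middleware (same check belongs on the WebSocket auth path):
    a valid signature is necessary but not sufficient; typ must be 'access'."""
    claims = verify(token, now)
    if claims is None or claims.get("typ") != "access":
        return None
    return claims["sub"]


@dataclass
class UserRecord:
    password_changed_at: int
    twofa_changed_at: int  # assumed field, bumped on enable, disable and admin reset


def refresh_allowed_before(claims: dict, user: UserRecord) -> bool:
    """Pre-fix rule: a refresh token only has to post-date the last password change."""
    return claims["iat"] > user.password_changed_at


def refresh_allowed_after(claims: dict, user: UserRecord) -> bool:
    """Fixed rule: the token must also post-date the last 2FA state change, so a
    session opened before enrollment cannot keep refreshing around the new factor."""
    return (claims["iat"] > user.password_changed_at
            and claims["iat"] > user.twofa_changed_at)
```

Run against constructed tokens, `authenticate_before` accepts a `pre2fa` ticket while `authenticate_after` rejects it, and a refresh token minted an hour before 2FA was enabled passes the old rule but fails the new one; because `typ` is inside the signed payload, editing it without the secret also fails verification.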
