From 6342b4036913eb001ee385816f1eb6c2563923d5 Mon Sep 17 00:00:00 2001
From: OE6DXD
Date: Mon, 16 Mar 2026 12:35:08 +0100
Subject: [PATCH] honor requested auth method instead of silently falling back

Return auth.method_unavailable when a user requests an auth method that is not enabled for their account, rather than silently sending the smtp-link challenge. Also log requested/selected method details in auth.request_access audit entries for easier diagnostics.
---
 server/index.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/server/index.js b/server/index.js
index 3f07c46..d59e5b7 100644
--- a/server/index.js
+++ b/server/index.js
@@ -958,6 +958,9 @@ async function handleRequestAccess(req, res, body) {
 }
 const selectedMethod = resolveAuthMethodForUser(user, requestedMethod);
+ if (requestedMethod && !selectedMethod) {
+ return sendError(res, 400, "auth.method_unavailable", "Gewaehlte Bestaetigungsart ist fuer dieses Konto nicht verfuegbar");
+ }
 if (!selectedMethod) {
 const token = await issueEmailToken(user.id, user.status === "active" ? "login" : "verify");
 const actionPath = user.status === "active" ? "/login?loginToken=" : "/login?verifyToken=";
@@ -978,7 +981,11 @@ async function handleRequestAccess(req, res, body) {
 message.text,
 message.html
 );
- await appendAudit("auth.request_access", user, { status: user.status, method: "fallback-mail" });
+ await appendAudit("auth.request_access", user, {
+ status: user.status,
+ requestedMethod: requestedMethod || null,
+ method: "fallback-mail"
+ });
 return sendJson(res, 200, {
 ok: true,
 method: "smtp-link",
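Review bot: The new early return in handleRequestAccess answers with `auth.method_unavailable` but writes no audit entry, so the one request path this commit introduces is also the only one that leaves no trace in `auth.request_access`. That response tells an unauthenticated caller which confirmation methods are enabled for a given account, something the previous mail fallback did not reveal, which makes these rejections worth recording rather than dropping; a line such as `await appendAudit("auth.request_access", user, { status: user.status, requestedMethod, method: null, outcome: "method_unavailable" });` before the return keeps the trail complete and gives the account-configuration probing a detectable footprint. If resolveAuthMethodForUser also returns null for unknown method names, this check will now shadow the later `auth.method_invalid` branch for those inputs and report a typo as "not available for this account"; the helper is not visible here, so that is worth confirming. handleRequestAccess begins and ends outside this hunk.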
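Review bot: `requestedMethod: requestedMethod || null` stores the caller-supplied value in the audit entry verbatim, and requestedMethod appears to come from the request body given the `auth.method_invalid` check further down. Whatever the client sends, an arbitrary string or a non-string value if the body is parsed JSON, lands in the audit log unchanged, which weakens the log as evidence and makes it harder to query; bounding it to a string of limited length, e.g. `requestedMethod: typeof requestedMethod === "string" ? requestedMethod.slice(0, 64) : null`, keeps the diagnostic value while limiting what an unauthenticated caller can write there. The same pattern appears in the `@@ -1039,7 +1046,12 @@` hunk. Separately, this audit entry records `method: "fallback-mail"` while the response on the following context lines reports `method: "smtp-link"`; using one name for the same outcome would make correlating audit entries with client-observed behaviour easier.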
@@ -1039,7 +1046,12 @@ async function handleRequestAccess(req, res, body) {
 return sendError(res, 400, "auth.method_invalid", "Unbekannte Bestaetigungsart");
 }
- await appendAudit("auth.request_access", user, { status: user.status });
+ await appendAudit("auth.request_access", user, {
+ status: user.status,
+ requestedMethod: requestedMethod || null,
+ method: selectedMethod.id,
+ challengeType
+ });
 return sendJson(res, 200, {
 ok: true,
 method: selectedMethod.id,