From 3a22fca79cf23df71fcc32b5872dc6a7e36cc718 Mon Sep 17 00:00:00 2001
From: jonechenug
Date: Thu, 8 Jan 2026 17:39:04 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E5=AF=86=E7=A0=81=E7=99=BB=E5=BD=95?= =?UTF-8?q?=E5=BC=80=E5=90=AF2FA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
根据环境变量STS_PASSWORD_LOGIN_TWOFACTOR 判断是否开启密码2FA登录
---
 .../Controllers/AccountController.cs | 16 ++++++++++++++++
 src/SecurityTokenService/Controllers/Inputs.cs | 6 ++++++
 2 files changed, 22 insertions(+)
diff --git a/src/SecurityTokenService/Controllers/AccountController.cs b/src/SecurityTokenService/Controllers/AccountController.cs
index 333e039..c6c7aa3 100644
--- a/src/SecurityTokenService/Controllers/AccountController.cs
+++ b/src/SecurityTokenService/Controllers/AccountController.cs
@@ -45,6 +45,9 @@ public class AccountController(
 private readonly SecurityTokenServiceOptions _options = options.CurrentValue;
 private readonly IdentityExtensionOptions _identityExtensionOptions = identityExtensionOptions.CurrentValue;
+ private static readonly bool PasswordLoginTwoFactorEnable =
+ bool.Parse(Environment.GetEnvironmentVariable("STS_PASSWORD_LOGIN_TWOFACTOR") ?? "false");
+
 ///
 /// 通过旧密码修改密码
 /// 要提供用户名
@@ -214,6 +217,19 @@ await events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid crede
 {
 await events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId: context?.Client.ClientId));
+ if (PasswordLoginTwoFactorEnable)
+ {
+ var isValid = await userManager.VerifyUserTokenAsync(user, Util.PhoneNumberTokenProvider,
+ Util.PurposeLogin,
+ model.VerifyCode);
+ if (!isValid)
+ {
+ return new ObjectResult(new ApiResult
+ {
+ Code = Errors.VerifyCodeIsInCorrect, Success = false, Message = "手机验证码不正确"
+ });
+ }
+ }
 if (context != null)
 {
diff --git a/src/SecurityTokenService/Controllers/Inputs.cs b/src/SecurityTokenService/Controllers/Inputs.cs
index 6c479fb..b8f2b0a 100644
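Review bot: `bool.Parse` on the raw environment variable in the new `PasswordLoginTwoFactorEnable` initializer throws `FormatException` for any value other than "true"/"false" (for example `1` or `yes`), and because the field is `static readonly` that surfaces as a `TypeInitializationException` the first time `AccountController` is constructed, taking every account endpoint down instead of just misconfiguring the switch. `bool.TryParse(Environment.GetEnvironmentVariable("STS_PASSWORD_LOGIN_TWOFACTOR"), out var enabled) && enabled` avoids the crash, with the unparseable case decided deliberately — silently landing on `false` disables a second factor, so rejecting the value with a clear startup error is the safer choice. The rest of the class reads its settings from `options.CurrentValue`, so carrying this flag in `SecurityTokenServiceOptions` would also keep configuration in one place and make it testable. Whichever is chosen, a comment such as `// STS_PASSWORD_LOGIN_TWOFACTOR: when true, password login also requires the SMS login code` would document the switch, which the hunk leaves undocumented.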
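Review bot: A wrong verification code in the new `if (!isValid)` branch returns an error without raising a `UserLoginFailureEvent`, so failed second-factor attempts leave no audit trail, unlike the invalid-credentials path earlier in this method (`UserLoginFailureEvent(model.Username, "invalid crede…`). Adding `await events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid verification code"));` before the `return` keeps the two failure paths consistent; the same gap exists in the relocated copy of this block in the second patch's `@@ -211,25 +214,27 @@` hunk. In this patch the check also runs after `PasswordSignInAsync` has already signed the user in, so the error response leaves a valid session cookie behind and a `UserLoginSuccessEvent` already recorded; the second patch moves the block ahead of the sign-in, so that part needs no separate change here. `Login` starts and ends outside this hunk.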
--- a/src/SecurityTokenService/Controllers/Inputs.cs
+++ b/src/SecurityTokenService/Controllers/Inputs.cs
@@ -199,6 +199,12 @@ public class LoginInput
 ///
 [StringLength(10, ErrorMessage = "验证码长度超长"), Required(ErrorMessage = "请输入验证码")]
 public string CaptchaCode { get; set; }
+
+ ///
+ /// 验证码
+ ///
+ [StringLength(8, ErrorMessage = "验证码长度不正确")]
+ public string VerifyCode { get; set; }
 }
 public class LogoutInput
From d3eecb1f45da579a8fc87b8125d566c1414fa0a3 Mon Sep 17 00:00:00 2001
From: jonechenug
Date: Thu, 8 Jan 2026 17:46:40 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E4=B8=A4=E6=AD=A5=E9=AA=8C=E8=AF=81?= =?UTF-8?q?=E6=98=AF=E4=B8=8D=E9=9C=80=E8=A6=81=E9=AA=8C=E8=AF=81=E5=9B=BE?= =?UTF-8?q?=E5=BD=A2=E9=AA=8C=E8=AF=81=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Controllers/AccountController.cs | 37 +++++++++++--------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/src/SecurityTokenService/Controllers/AccountController.cs b/src/SecurityTokenService/Controllers/AccountController.cs
index c6c7aa3..384f504 100644
--- a/src/SecurityTokenService/Controllers/AccountController.cs
+++ b/src/SecurityTokenService/Controllers/AccountController.cs
@@ -193,10 +193,13 @@ public async Task Login([FromBody] Inputs.V1.LoginInput model)
 return new ObjectResult(new RedirectResult("/"));
 }
- var checkCaptchaResult = Util.CheckCaptcha(memoryCache, logger, Request, model.CaptchaCode);
- if (checkCaptchaResult != null)
+ if (!PasswordLoginTwoFactorEnable)
 {
- return new ObjectResult(checkCaptchaResult);
+ var checkCaptchaResult = Util.CheckCaptcha(memoryCache, logger, Request, model.CaptchaCode);
+ if (checkCaptchaResult != null)
+ {
+ return new ObjectResult(checkCaptchaResult);
+ }
 }
 var user = await userManager.FindAsync(model.Username, _identityExtensionOptions.SoftDeleteColumn);
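Review bot: The new `VerifyCode` property carries the same one-word summary (`验证码`) as `CaptchaCode` directly above it, so the XML doc no longer tells the image captcha and the SMS login code apart; a summary along the lines of `/// SMS verification code for the login second factor; read only when STS_PASSWORD_LOGIN_TWOFACTOR is enabled` (in the file's language) would say which code this is and when it is consumed. It is also declared without `[Required]` and, unlike `CaptchaCode`, without a minimum length, so when the two-factor switch is on the controller hands a null or empty token to `VerifyUserTokenAsync`; that presumably fails validation rather than throwing, but the requirement should be stated either on the input or in this comment. `LoginInput` begins before this hunk.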
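Review bot: Skipping `Util.CheckCaptcha` whenever `PasswordLoginTwoFactorEnable` is set removes the only anti-automation gate on the password login endpoint, and nothing in either patch replaces it: the `VerifyUserTokenAsync` check added in the next hunk does not count toward lockout and is only as strong as an `[StringLength(8)]` code, so wrong codes can be submitted without limit. If the captcha is genuinely redundant with the SMS step, the code check needs its own throttle — for example `await userManager.AccessFailedAsync(user);` on an invalid code so the existing lockout applies, or a per-user attempt counter in `memoryCache` — otherwise the captcha should stay on in both modes. A comment on the new `if (!PasswordLoginTwoFactorEnable)`, such as `// Captcha guards password-only login; in 2FA mode the SMS code check must carry its own rate limit`, would record the trade-off the commit message describes. `Login` begins before this hunk.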
@@ -211,25 +214,27 @@ await events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid crede
 });
 }
+ if (PasswordLoginTwoFactorEnable)
+ {
+ var isValid = await userManager.VerifyUserTokenAsync(user, Util.PhoneNumberTokenProvider,
+ Util.PurposeLogin,
+ model.VerifyCode);
+ if (!isValid)
+ {
+ return new ObjectResult(new ApiResult
+ {
+ Code = Errors.VerifyCodeIsInCorrect, Success = false, Message = "手机验证码不正确"
+ });
+ }
+ }
+
 var result = await signInManager.PasswordSignInAsync(user, model.Password, model.RememberLogin, true);
 if (result.Succeeded)
 {
 await events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId: context?.Client.ClientId));
- if (PasswordLoginTwoFactorEnable)
- {
- var isValid = await userManager.VerifyUserTokenAsync(user, Util.PhoneNumberTokenProvider,
- Util.PurposeLogin,
- model.VerifyCode);
- if (!isValid)
- {
- return new ObjectResult(new ApiResult
- {
- Code = Errors.VerifyCodeIsInCorrect, Success = false, Message = "手机验证码不正确"
- });
- }
- }
+
 if (context != null)
 {
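Review bot: Moving the `VerifyUserTokenAsync` check ahead of `PasswordSignInAsync` means the SMS code is now verified for anyone who supplies a known username, before any password is checked, so the second factor — the shorter, time-limited secret — becomes the first gate exposed to guessing, and a wrong code is reported to an unauthenticated caller as `手机验证码不正确`. The usual order is password first without issuing a session, then the code, then sign-in: `SignInManager.CheckPasswordSignInAsync` validates the password with lockout but without a cookie, and `SignInAsync` creates the session only once both factors pass, which also keeps the first patch's cookie-before-verification problem from coming back. The rewrite below keeps `result` as the variable the rest of `Login` already reads and adds a failure event plus `AccessFailedAsync` on a bad code; if code outside the hunk branches on `result.RequiresTwoFactor`, that branch needs revisiting, since `CheckPasswordSignInAsync` does not evaluate Identity's own two-factor state. `Login` continues past the end of this hunk.

```csharp
// … unchanged: user lookup and null-user handling …
// Check the password first, without issuing a session cookie; lockout still applies on failure.
var result = await signInManager.CheckPasswordSignInAsync(user, model.Password, true);
if (result.Succeeded && PasswordLoginTwoFactorEnable)
{
    var isValid = await userManager.VerifyUserTokenAsync(user, Util.PhoneNumberTokenProvider,
        Util.PurposeLogin,
        model.VerifyCode);
    if (!isValid)
    {
        // Count the bad code like a bad password and record it for audit.
        await userManager.AccessFailedAsync(user);
        await events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid verification code"));
        return new ObjectResult(new ApiResult
        {
            Code = Errors.VerifyCodeIsInCorrect, Success = false, Message = "手机验证码不正确"
        });
    }
}

if (result.Succeeded)
{
    // Both factors passed: only now create the session.
    await signInManager.SignInAsync(user, model.RememberLogin);
    await events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId: context?.Client.ClientId));
    // … unchanged: context / redirect handling …
```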