RocketChat · ggazzo · May 29, 2026
diff --git a/.changeset/ddp-migrate-batch5-totp-caller.md b/.changeset/ddp-migrate-batch5-totp-caller.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Migrated the `TwoFactorTOTP` account settings page from the five `2fa:*` DDP methods to the new `/v1/users.totp.*` REST endpoints. DDP methods stay registered for external SDK/mobile clients with deprecation logs pointing at the new routes until 9.0.0.
diff --git a/.changeset/rest-users-totp.md b/.changeset/rest-users-totp.md
@@ -0,0 +1,14 @@
+---
+'@rocket.chat/rest-typings': minor
+'@rocket.chat/meteor': minor
+---
+
+Added five new REST endpoints under `/v1/users.totp.*` covering the TOTP 2FA flows that previously only existed as DDP methods:
+
+- `POST /v1/users.totp.enable` → `{ secret, url }` (replaces `2fa:enable`)
+- `POST /v1/users.totp.disable` body `{ code }` → `{ disabled }` (replaces `2fa:disable`)
+- `POST /v1/users.totp.validate` body `{ code }` → `{ codes }` (replaces `2fa:validateTempToken`; also rotates non-PAT login tokens server-side)
+- `POST /v1/users.totp.regenerateCodes` body `{ code }` → `{ codes }` (replaces `2fa:regenerateCodes`)
+- `GET /v1/users.totp.codesRemaining` → `{ remaining }` (replaces `2fa:checkCodesRemaining`)
+
+The legacy DDP methods stay registered with deprecation logs pointing at the new routes until 9.0.0 removes them.
diff --git a/apps/meteor/app/2fa/server/functions/totp.ts b/apps/meteor/app/2fa/server/functions/totp.ts
@@ -0,0 +1,154 @@
+import { Users } from '@rocket.chat/models';
+import { Accounts } from 'meteor/accounts-base';
+import { Meteor } from 'meteor/meteor';
+
+import { notifyOnUserChange, notifyOnUserChangeAsync } from '../../../lib/server/lib/notifyListener';
+import { TOTP } from '../lib/totp';
+
+const requireUser = async (userId: string | null) => {
+	if (!userId) {
+		throw new Meteor.Error('not-authorized');
+	}
+
+	const user = await Users.findOneById(userId);
+	if (!user) {
+		throw new Meteor.Error('error-invalid-user', 'Invalid user');
+	}
+
+	return user;
+};
+
+export const enableTotp = async (userId: string | null): Promise<{ secret: string; url: string }> => {
+	const user = await requireUser(userId);
+
+	if (!user.username) {
+		throw new Meteor.Error('error-invalid-user', 'Invalid user');
+	}
+
+	if (user.services?.totp?.enabled) {
+		throw new Meteor.Error('error-2fa-already-enabled');
+	}
+
+	const secret = TOTP.generateSecret();
+
+	await Users.disable2FAAndSetTempSecretByUserId(user._id, secret.base32);
+
+	return {
+		secret: secret.base32,
+		url: TOTP.generateOtpauthURL(secret, user.username),
+	};
+};
+
+export const disableTotp = async (userId: string | null, code: string): Promise<boolean> => {
+	const user = await requireUser(userId);
+
+	if (!user.services?.totp?.enabled) {
+		return false;
+	}
+
+	const verified = await TOTP.verify({
+		secret: user.services.totp.secret,
+		token: code,
+		userId: user._id,
+		backupTokens: user.services.totp.hashedBackup,
+	});
+
+	if (!verified) {
+		return false;
+	}
+
+	const { modifiedCount } = await Users.disable2FAByUserId(user._id);
+
+	if (!modifiedCount) {
+		return false;
+	}
+
+	void notifyOnUserChange({ clientAction: 'updated', id: user._id, diff: { 'services.totp.enabled': false } });
+
+	return true;
+};
+
+export const validateTotpTempToken = async (userId: string | null, userToken: string, authToken?: string): Promise<{ codes: string[] }> => {
+	const user = await requireUser(userId);
+
+	if (!user.services?.totp?.tempSecret) {
+		throw new Meteor.Error('invalid-totp');
+	}
+
+	const verified = await TOTP.verify({
+		secret: user.services.totp.tempSecret,
+		token: userToken,
+	});
+	if (!verified) {
+		throw new Meteor.Error('invalid-totp');
+	}
+
+	const { codes, hashedCodes } = TOTP.generateCodes();
+
+	await Users.enable2FAAndSetSecretAndCodesByUserId(user._id, user.services.totp.tempSecret, hashedCodes);
+
+	if (authToken) {
+		const hashedToken = Accounts._hashLoginToken(authToken);
+
+		const { modifiedCount } = await Users.removeNonPATLoginTokensExcept(user._id, hashedToken);
+
+		if (modifiedCount > 0) {
+			void notifyOnUserChangeAsync(async () => {
+				const refreshed = await Users.findOneById(user._id, {
+					projection: { 'services.resume.loginTokens': 1, 'services.totp': 1 },
+				});
+				return {
+					clientAction: 'updated',
+					id: user._id,
+					diff: {
+						'services.resume.loginTokens': refreshed?.services?.resume?.loginTokens,
+						...(refreshed?.services?.totp && { 'services.totp.enabled': refreshed.services.totp.enabled }),
+					},
+				};
+			});
+		} else {
+			void notifyOnUserChange({ clientAction: 'updated', id: user._id, diff: { 'services.totp.enabled': true } });
+		}
+	} else {
+		void notifyOnUserChange({ clientAction: 'updated', id: user._id, diff: { 'services.totp.enabled': true } });
+	}
+
+	return { codes };
+};
+
+export const regenerateTotpCodes = async (userId: string | null, userToken: string): Promise<{ codes: string[] } | undefined> => {
+	const user = await requireUser(userId);
+
+	if (!user.services?.totp?.enabled) {
+		throw new Meteor.Error('invalid-totp');
+	}
+
+	const verified = await TOTP.verify({
+		secret: user.services.totp.secret,
+		token: userToken,
+		userId: user._id,
+		backupTokens: user.services.totp.hashedBackup,
+	});
+
+	if (!verified) {
+		return undefined;
+	}
+
+	const { codes, hashedCodes } = TOTP.generateCodes();
+
+	await Users.update2FABackupCodesByUserId(user._id, hashedCodes);
+
+	return { codes };
+};
+
+export const codesRemainingTotp = async (userId: string | null): Promise<{ remaining: number }> => {
+	const user = await requireUser(userId);
+
+	if (!user.services?.totp?.enabled) {
+		throw new Meteor.Error('invalid-totp');
+	}
+
+	return {
+		remaining: user.services.totp.hashedBackup?.length ?? 0,
+	};
+};
diff --git a/apps/meteor/app/2fa/server/methods/checkCodesRemaining.ts b/apps/meteor/app/2fa/server/methods/checkCodesRemaining.ts
@@ -1,6 +1,9 @@
 import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Meteor } from 'meteor/meteor';
 
+import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
+import { codesRemainingTotp } from '../functions/totp';
+
 declare module '@rocket.chat/ddp-client' {
 	// eslint-disable-next-line @typescript-eslint/naming-convention
 	interface ServerMethods {
@@ -10,24 +13,7 @@ declare module '@rocket.chat/ddp-client' {
 
 Meteor.methods<ServerMethods>({
 	async '2fa:checkCodesRemaining'() {
-		if (!Meteor.userId()) {
-			throw new Meteor.Error('not-authorized');
-		}
-
-		const user = await Meteor.userAsync();
-
-		if (!user) {
-			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
-				method: '2fa:checkCodesRemaining',
-			});
-		}
-
-		if (!user.services?.totp?.enabled) {
-			throw new Meteor.Error('invalid-totp');
-		}
-
-		return {
-			remaining: user.services.totp.hashedBackup.length,
-		};
+		methodDeprecationLogger.method('2fa:checkCodesRemaining', '9.0.0', '/v1/users.totp.codesRemaining');
+		return codesRemainingTotp(Meteor.userId());
 	},
 });
diff --git a/apps/meteor/app/2fa/server/methods/disable.ts b/apps/meteor/app/2fa/server/methods/disable.ts
@@ -1,9 +1,8 @@
 import type { ServerMethods } from '@rocket.chat/ddp-client';
-import { Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
-import { notifyOnUserChange } from '../../../lib/server/lib/notifyListener';
-import { TOTP } from '../lib/totp';
+import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
+import { disableTotp } from '../functions/totp';
 
 declare module '@rocket.chat/ddp-client' {
 	// eslint-disable-next-line @typescript-eslint/naming-convention
@@ -14,42 +13,7 @@ declare module '@rocket.chat/ddp-client' {
 
 Meteor.methods<ServerMethods>({
 	async '2fa:disable'(code) {
-		const userId = Meteor.userId();
-		if (!userId) {
-			throw new Meteor.Error('not-authorized');
-		}
-
-		const user = await Meteor.userAsync();
-
-		if (!user) {
-			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
-				method: '2fa:disable',
-			});
-		}
-
-		if (!user.services?.totp?.enabled) {
-			return false;
-		}
-
-		const verified = await TOTP.verify({
-			secret: user.services.totp.secret,
-			token: code,
-			userId,
-			backupTokens: user.services.totp.hashedBackup,
-		});
-
-		if (!verified) {
-			return false;
-		}
-
-		const { modifiedCount } = await Users.disable2FAByUserId(userId);
-
-		if (!modifiedCount) {
-			return false;
-		}
-
-		void notifyOnUserChange({ clientAction: 'updated', id: user._id, diff: { 'services.totp.enabled': false } });
-
-		return true;
+		methodDeprecationLogger.method('2fa:disable', '9.0.0', '/v1/users.totp.disable');
+		return disableTotp(Meteor.userId(), code);
 	},
 });
diff --git a/apps/meteor/app/2fa/server/methods/enable.ts b/apps/meteor/app/2fa/server/methods/enable.ts
@@ -1,8 +1,8 @@
 import type { ServerMethods } from '@rocket.chat/ddp-client';
-import { Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
-import { TOTP } from '../lib/totp';
+import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
+import { enableTotp } from '../functions/totp';
 
 declare module '@rocket.chat/ddp-client' {
 	// eslint-disable-next-line @typescript-eslint/naming-convention
@@ -13,30 +13,7 @@ declare module '@rocket.chat/ddp-client' {
 
 Meteor.methods<ServerMethods>({
 	async '2fa:enable'() {
-		const userId = Meteor.userId();
-		if (!userId) {
-			throw new Meteor.Error('not-authorized');
-		}
-
-		const user = await Meteor.userAsync();
-
-		if (!user?.username) {
-			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
-				method: '2fa:enable',
-			});
-		}
-
-		if (user.services?.totp?.enabled) {
-			throw new Meteor.Error('error-2fa-already-enabled');
-		}
-
-		const secret = TOTP.generateSecret();
-
-		await Users.disable2FAAndSetTempSecretByUserId(userId, secret.base32);
-
-		return {
-			secret: secret.base32,
-			url: TOTP.generateOtpauthURL(secret, user.username),
-		};
+		methodDeprecationLogger.method('2fa:enable', '9.0.0', '/v1/users.totp.enable');
+		return enableTotp(Meteor.userId());
 	},
 });
diff --git a/apps/meteor/app/2fa/server/methods/regenerateCodes.ts b/apps/meteor/app/2fa/server/methods/regenerateCodes.ts
@@ -1,8 +1,8 @@
 import type { ServerMethods } from '@rocket.chat/ddp-client';
-import { Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
-import { TOTP } from '../lib/totp';
+import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
+import { regenerateTotpCodes } from '../functions/totp';
 
 declare module '@rocket.chat/ddp-client' {
 	// eslint-disable-next-line @typescript-eslint/naming-convention
@@ -13,34 +13,7 @@ declare module '@rocket.chat/ddp-client' {
 
 Meteor.methods<ServerMethods>({
 	async '2fa:regenerateCodes'(userToken) {
-		const userId = Meteor.userId();
-		if (!userId) {
-			throw new Meteor.Error('not-authorized');
-		}
-
-		const user = await Meteor.userAsync();
-		if (!user) {
-			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
-				method: '2fa:regenerateCodes',
-			});
-		}
-
-		if (!user.services?.totp?.enabled) {
-			throw new Meteor.Error('invalid-totp');
-		}
-
-		const verified = await TOTP.verify({
-			secret: user.services.totp.secret,
-			token: userToken,
-			userId,
-			backupTokens: user.services.totp.hashedBackup,
-		});
-
-		if (verified) {
-			const { codes, hashedCodes } = TOTP.generateCodes();
-
-			await Users.update2FABackupCodesByUserId(userId, hashedCodes);
-			return { codes };
-		}
+		methodDeprecationLogger.method('2fa:regenerateCodes', '9.0.0', '/v1/users.totp.regenerateCodes');
+		return regenerateTotpCodes(Meteor.userId(), userToken);
 	},
 });