#973

2 files changed, 41 insertions, 4 deletions

diff --git a/src/api/endpoints.ts b/src/api/endpoints.ts
index 49871c0ce3..1138df193b 100644
--- a/src/api/endpoints.ts
+++ b/src/api/endpoints.ts
@@ -157,11 +157,18 @@ const endpoints: Endpoint[] = [
 	},
 	{
 		name: 'i/2fa/register',
-		withCredential: true
+		withCredential: true,
+		secure: true
+	},
+	{
+		name: 'i/2fa/unregister',
+		withCredential: true,
+		secure: true
 	},
 	{
 		name: 'i/2fa/done',
-		withCredential: true
+		withCredential: true,
+		secure: true
 	},
 	{
 		name: 'i/update',
@@ -179,11 +186,13 @@ const endpoints: Endpoint[] = [
 	},
 	{
 		name: 'i/change_password',
-		withCredential: true
+		withCredential: true,
+		secure: true
 	},
 	{
 		name: 'i/regenerate_token',
-		withCredential: true
+		withCredential: true,
+		secure: true
 	},
 	{
 		name: 'i/pin',
diff --git a/src/api/endpoints/i/2fa/unregister.ts b/src/api/endpoints/i/2fa/unregister.ts
new file mode 100644
index 0000000000..6bee6a26f2
--- /dev/null
+++ b/src/api/endpoints/i/2fa/unregister.ts
@@ -0,0 +1,28 @@
+/**
+ * Module dependencies
+ */
+import $ from 'cafy';
+import * as bcrypt from 'bcryptjs';
+import User from '../../../models/user';
+
+module.exports = async (params, user) => new Promise(async (res, rej) => {
+	// Get 'password' parameter
+	const [password, passwordErr] = $(params.password).string().$;
+	if (passwordErr) return rej('invalid password param');
+
+	// Compare password
+	const same = await bcrypt.compare(password, user.password);
+
+	if (!same) {
+		return rej('incorrect password');
+	}
+
+	await User.update(user._id, {
+		$set: {
+			two_factor_secret: null,
+			two_factor_enabled: false
+		}
+	});
+
+	res();
+});