From 7ac0fbaf76cc58b26fc897816167afeb24b51a03 Mon Sep 17 00:00:00 2001
From: PKC278 <52959804+PKC278@users.noreply.github.com>
Date: Tue, 20 Jan 2026 19:53:59 +0800
Subject: [PATCH] =?UTF-8?q?fix(otp):=20=E4=BF=AE=E6=AD=A3=20OTP=20?= =?UTF-8?q?=E5=85=B3=E9=97=AD=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/api/endpoints/mfa.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/api/endpoints/mfa.py b/app/api/endpoints/mfa.py
index dbef09d1..0b4590cc 100644
--- a/app/api/endpoints/mfa.py
+++ b/app/api/endpoints/mfa.py
@@ -161,9 +161,9 @@ async def otp_disable(
 current_user: User = Depends(get_current_active_user_async)
 ) -> Any:
 """关闭当前用户的 OTP 验证功能"""
- # 安全检查:如果存在 PassKey,不允许关闭 OTP
+ # 安全检查:如果存在 PassKey,默认不允许关闭 OTP,除非配置允许
 has_passkey = await _check_user_has_passkey(db, current_user.id)
- if has_passkey:
+ if has_passkey and not settings.PASSKEY_ALLOW_REGISTER_WITHOUT_OTP:
 return schemas.Response(
 success=False,
 message="您已注册通行密钥,为了防止域名配置变更导致无法登录,请先删除所有通行密钥再关闭 OTP 验证"
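Review bot: The new guard `if has_passkey and not settings.PASSKEY_ALLOW_REGISTER_WITHOUT_OTP:` lets a setting named for passkey registration also decide whether an existing second factor may be removed, so turning it on for sign-up convenience silently permits an MFA downgrade on accounts that already hold passkeys. The rejection message just below still gives the original reason for the block (a domain configuration change can leave passkey-only users unable to log in), and that lockout risk returns whenever the flag is enabled. I would gate this on a dedicated setting, or at least record the coupling at the check, e.g. `# PASSKEY_ALLOW_REGISTER_WITHOUT_OTP also allows passkey-only accounts here; a domain change can then lock the user out`. The body of otp_disable continues outside the hunk, so whether the caller must re-confirm a password or current OTP code before the factor is dropped, and whether the change is audit-logged, cannot be seen here and is worth confirming.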