From e7e4b9a86d4effaadd67e3465d36100d47d0f073 Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw <black.dex@gmail.com>
Date: Mon, 13 Apr 2026 21:47:20 +0200
Subject: [PATCH] Fix 2FA for Android (#7093)

The `RecoveryCode` Type should not be sent as a valid type which can be used.
Fixes #7092

Signed-off-by: BlackDex <black.dex@gmail.com>
---
 src/api/identity.rs | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/api/identity.rs b/src/api/identity.rs
index cab17331..d7248647 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -756,13 +756,8 @@ async fn twofactor_auth(
     // Add TwoFactorTypes which are not stored as a record but might be enabled
     // Since these types could also be not valid, we do some custom checks here
     twofactor_ids.extend(
-        [
-            (!CONFIG.disable_2fa_remember() && device.twofactor_remember.is_some())
-                .then_some(TwoFactorType::Remember as i32),
-            user.totp_recover.is_some().then_some(TwoFactorType::RecoveryCode as i32),
-        ]
-        .into_iter()
-        .flatten(),
+        (!CONFIG.disable_2fa_remember() && device.twofactor_remember.is_some())
+            .then_some(TwoFactorType::Remember as i32),
     );
 
     let selected_id = data.two_factor_provider.unwrap_or(twofactor_ids[0]); // If we aren't given a two factor provider, assume the first one