fix: give login a dedicated authMiddleware instance

api/account/account.go

@@ -272,6 +272,13 @@ func (a AccountAPI) ping(jc jape.Context) {
 
 func (a AccountAPI) Routes() (*httprouter.Router, error) {
 	authMw2fa := authMiddleware(middleware.AuthMiddlewareOptions{
+		Identity: a.identity,
+		Accounts: a.accounts,
+		Config:   a.config,
+		Purpose:  account.JWTPurpose2FA,
+	})
+
+	loginAuthMw2fa := authMiddleware(middleware.AuthMiddlewareOptions{
 		Identity:     a.identity,
 		Accounts:     a.accounts,
 		Config:       a.config,
@@ -288,7 +295,7 @@ func (a AccountAPI) Routes() (*httprouter.Router, error) {
 
 	routes := map[string]jape.Handler{
 		"POST /api/auth/ping":                   middleware.ApplyMiddlewares(a.ping, authMw2fa, middleware.ProxyMiddleware),
-		"POST /api/auth/login":                  middleware.ApplyMiddlewares(a.login, authMw2fa, middleware.ProxyMiddleware),
+		"POST /api/auth/login":                  middleware.ApplyMiddlewares(a.login, loginAuthMw2fa, middleware.ProxyMiddleware),
 		"POST /api/auth/register":               middleware.ApplyMiddlewares(a.register, middleware.ProxyMiddleware),
 		"POST /api/auth/verify-email":           middleware.ApplyMiddlewares(a.verifyEmail, middleware.ProxyMiddleware),
 		"GET /api/auth/otp/generate":            middleware.ApplyMiddlewares(a.otpGenerate, authMw, middleware.ProxyMiddleware),