fix: give login a dedicated authMiddleware instance

api/account/account.go

@@ -276,6 +276,13 @@ func (a AccountAPI) Routes() (*httprouter.Router, error) {
 		Accounts: a.accounts,
 		Config:   a.config,
 		Purpose:  account.JWTPurpose2FA,
+	})
+
+	loginAuthMw2fa := authMiddleware(middleware.AuthMiddlewareOptions{
+		Identity:     a.identity,
+		Accounts:     a.accounts,
+		Config:       a.config,
+		Purpose:      account.JWTPurpose2FA,
 		EmptyAllowed: true,
 	})
 
@@ -288,7 +295,7 @@ func (a AccountAPI) Routes() (*httprouter.Router, error) {
 
 	routes := map[string]jape.Handler{
 		"POST /api/auth/ping":                   middleware.ApplyMiddlewares(a.ping, authMw2fa, middleware.ProxyMiddleware),
-		"POST /api/auth/login":                  middleware.ApplyMiddlewares(a.login, authMw2fa, middleware.ProxyMiddleware),
+		"POST /api/auth/login":                  middleware.ApplyMiddlewares(a.login, loginAuthMw2fa, middleware.ProxyMiddleware),
 		"POST /api/auth/register":               middleware.ApplyMiddlewares(a.register, middleware.ProxyMiddleware),
 		"POST /api/auth/verify-email":           middleware.ApplyMiddlewares(a.verifyEmail, middleware.ProxyMiddleware),
 		"GET /api/auth/otp/generate":            middleware.ApplyMiddlewares(a.otpGenerate, authMw, middleware.ProxyMiddleware),