refactor: set ExpiredAllowed on loginAuthMw2fa

api/account/account.go

@@ -352,11 +352,12 @@ func (a AccountAPI) updatePassword(c jape.Context) {
 
 func (a *AccountAPI) Routes() (*httprouter.Router, error) {
 	loginAuthMw2fa := authMiddleware(middleware.AuthMiddlewareOptions{
-		Identity:     a.identity,
-		Accounts:     a.accounts,
-		Config:       a.config,
-		Purpose:      account.JWTPurpose2FA,
-		EmptyAllowed: true,
+		Identity:       a.identity,
+		Accounts:       a.accounts,
+		Config:         a.config,
+		Purpose:        account.JWTPurpose2FA,
+		EmptyAllowed:   true,
+		ExpiredAllowed: true,
 	})
 
 	authMw := authMiddleware(middleware.AuthMiddlewareOptions{