A Weird Password Reset Bug and a 2FA Bypass

We discussed this vulnerability during Episode 121 on 21 February 2022

There are two bugs here, one that allows an attacker to reset the password of any account, another to bypass 2FA.

Password Reset

This comes down to an unexpected array being passed to the /api/recover_password endpoint. Normally it expects a JSON body containing a string named email. If an array is passed instead, the first email is used to find the account whose password is being reset, but the reset email is sent to every address in the array, meaning the attacker gets a copy of the password reset link.
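To show the root cause, here is an added illustration (not the vendor's code) of a reset handler that trusts the request-supplied value of email, next to a hardened handler that rejects anything but a single string and mails only the address stored on the account. The account store, mailer and token helper are constructed stand-ins.

```python
import secrets

# Constructed sample data: accounts keyed by email, plus the address on file.
ACCOUNTS = {"victim@example.com": {"id": 1, "email": "victim@example.com"}}
SENT = []  # records every (recipient, token) the stand-in mailer "sends"


def _send_reset(recipient, token):
    SENT.append((recipient, token))


def _new_token():
    return secrets.token_urlsafe(32)


def recover_password_permissive(body):
    """The pattern behind the bug: `email` is allowed to be a list, the first
    element selects the account, and every element receives the link."""
    emails = body.get("email")
    if isinstance(emails, str):
        emails = [emails]
    account = ACCOUNTS.get(emails[0])
    if account is None:
        return 404
    token = _new_token()
    for e in emails:  # the link also goes to addresses the caller added
        _send_reset(e, token)
    return 200


def recover_password_hardened(body):
    """Hardened handler: strict type check on the input, and the link is sent
    only to the address stored on the account, never to request data."""
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        return 400  # arrays, objects, numbers and malformed values are rejected
    account = ACCOUNTS.get(email)
    # Same response whether or not the account exists, so the endpoint does
    # not confirm which emails are registered.
    if account is not None:
        _send_reset(account["email"], _new_token())
    return 200
```

A quick regression check for this class of bug is to submit the array form of the body and confirm the endpoint answers 400 and sends nothing.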

2FA Bypass

This is at least a partial bypass of 2FA; it's unclear what the restrictions are. The login response, even before the 2FA code was provided, contained the keys necessary to authenticate with the API. As the API doesn't enforce the 2FA requirement, an attacker can bypass the need for 2FA.

This sort of 2FA bypass is something I've seen a number of times, more often when dealing with a secondary authentication mechanism, like logging in on an admin panel needing an extra password. You can bypass it by simply using the API, so it's a good thing to keep an eye out for.