From e3eaccd430030ebaf61823ac1e6da0fad05e04a5 Mon Sep 17 00:00:00 2001
From: Logan Fick <logaldeveloper@protonmail.com>
Date: Thu, 7 Jun 2018 21:45:02 -0400
Subject: Added ability to configure 2FA settings in login settings.

---
 app/controllers/users_controller.rb | 19 ++++++++++++++++++-
 app/views/users/edit_login.html.erb | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 85e1613..4ad9d59 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -241,6 +241,11 @@ class UsersController < ApplicationController
     unless @user.is?(current_user) || admin? && current_user.role > @user.role || superadmin?
       flash[:alert] = "You are not allowed to edit this user's login details!"
       redirect_to @user
+      return
+    end
+
+    if !@user.totp_enabled
+      @user.update(totp_secret: TOTP.secret)
     end
   end
 
@@ -263,6 +268,18 @@ class UsersController < ApplicationController
       @user.email_token = SecureRandom.hex(16) if mail_changed
       @user.confirmed   = !mail_changed
 
+      if params[:user][:totp_enabled] == "1" && !@user.totp_enabled
+        if TOTP.valid?(@user.totp_secret, params[:totp_code].to_i)
+          @user.totp_enabled = true
+        else
+          flash[:alert] = "Wrong TOTP code!"
+          render action: "edit_login"
+          return
+        end
+      elsif params[:user][:totp_enabled] == "0" && @user.totp_enabled
+        @user.totp_enabled = false
+      end
+
       # checking here for password so we can send back changes to the view
       if authenticated
         if @user.save
@@ -370,7 +387,7 @@ class UsersController < ApplicationController
   end
 
   def user_params(add = [])
-    a = [:ign, :email, :password, :password_confirmation, :mail_own_thread_reply, :mail_other_thread_reply, :mail_own_blogpost_comment, :mail_other_blogpost_comment, :mail_mention, :public_key] + add
+    a = [:ign, :email, :password, :password_confirmation, :mail_own_thread_reply, :mail_other_thread_reply, :mail_own_blogpost_comment, :mail_other_blogpost_comment, :mail_mention, :public_key, :totp_code] + add
     params.require(:user).permit(a)
   end
 end
diff --git a/app/views/users/edit_login.html.erb b/app/views/users/edit_login.html.erb
index 2fb9903..c09bd54 100644
--- a/app/views/users/edit_login.html.erb
+++ b/app/views/users/edit_login.html.erb
@@ -25,12 +25,49 @@
           <%= f.password_field :password_confirmation %>
         </td>
       </tr>
+    </tbody>
+  </table>
+  <hr>
+  <table>
+    <tbody>
+      <tr>
+        <td>2FA Enabled</td>
+        <td>
+          <%= f.check_box :totp_enabled %>
+        </td>
+      </tr>
+      <tr>
+        <td>TOTP Secret</td>
+        <td>
+          <% if !@user.totp_enabled? %>
+          <%= f.text_field :totp_secret, :readonly => true %>
+          <% else %>
+          <i>2FA is currently enabled. Disable 2FA to generate a new secret.</i>
+          <% end %>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+  <hr>
+  <table>
+    <tbody>
       <tr>
         <td>Current password</td>
         <td>
           <%= password_field_tag :current_password, nil, disabled: !@user.is?(current_user) %>
         </td>
       </tr>
+      <% if !@user.totp_enabled? %>
+      <tr>
+        <td>TOTP Code</td>
+        <td>
+          <%= text_field_tag :totp_code, nil, disabled: !@user.is?(current_user) %>
+        </td>
+      </tr>
+      <tr>
+        <td></td>
+        <td><i>Leave this field blank if you are not enabling 2FA.</i></td>
+      <% end %>
     </tbody>
   </table>
   <p><%= f.submit "Save Changes", class: "btn blue left" %></p>
-- 
cgit v1.2.3