diff --git a/pkg/controller/account/two_factor.go b/pkg/controller/account/two_factor.go index d82e2ff..c163cf6 100644 --- a/pkg/controller/account/two_factor.go +++ b/pkg/controller/account/two_factor.go @@ -70,6 +70,9 @@ func Setup2FA() http.HandlerFunc { } } + // Are they (re)viewing their original QR code? + var isPairingSecondDevice bool + // POST form actions. if r.Method == http.MethodPost { var intent = r.PostFormValue("intent") @@ -84,8 +87,15 @@ func Setup2FA() http.HandlerFunc { // Valid? if !valid { session.FlashError(w, r, "The passcode you submitted didn't seem correct. Try a new six-digit code.") - templates.Redirect(w, r.URL.Path) - return + + // If they were reconfiguring a second device, go back to the re-setup screen. + if tf.Enabled { + isPairingSecondDevice = true + break + } else { + templates.Redirect(w, r.URL.Path) + return + } } // OK! @@ -120,12 +130,24 @@ func Setup2FA() http.HandlerFunc { session.Flash(w, r, "Your 2FA settings have been cleared and disabled.") } } + case "resetup": + // View the original QR code to set up a new device. + var password = r.PostFormValue("password") + if err := currentUser.CheckPassword(password); err != nil { + session.FlashError(w, r, "Couldn't access your 2FA QR code: the password you entered is incorrect.") + } else { + session.Flash(w, r, "Password accepted. Your 2FA QR code and setup steps will be displayed below.") + isPairingSecondDevice = true + } default: session.FlashError(w, r, "Unknown intent: %s", intent) } - templates.Redirect(w, r.URL.Path) - return + // All POST requests redirect away except resetup. + if !isPairingSecondDevice { + templates.Redirect(w, r.URL.Path) + return + } } // Generate the QR code. 
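Review bot: The invalid-passcode branch sets `isPairingSecondDevice = true` whenever `tf.Enabled` is true, with nothing showing that the password check in the `resetup` case succeeded for this user. The handler then skips the redirect and renders the page with `Key` and `QRCode`, so the password gate added for `resetup` can be skipped from any logged-in session on a 2FA-enabled account (assuming the template shows the secret when `IsPairingSecondDevice` is set, which is not visible here). Either keep the redirect on failure, or gate the branch on the same check, e.g. `if tf.Enabled && currentUser.CheckPassword(r.PostFormValue("password")) == nil {`, which needs the verification form to resubmit the password. A short-lived server-side marker written by the `resetup` branch would also work. The enclosing `case` label and the rest of the handler are outside the hunk.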
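Review bot: The new `resetup` case checks the submitted password on every POST with no attempt limit or audit record visible in this hunk, so whoever holds the session can keep guessing the password that guards the TOTP secret. Unless `CheckPassword` or middleware outside the hunk already throttles, count failed attempts per account and refuse further tries after a small number within a time window. Both the failed and the accepted check are worth a security log entry, since re-displaying an enrolled secret is an event an account owner or responder will want to see later. A short comment above the case, such as `// Re-displaying the enrolled secret requires fresh password re-authentication.`, would record the intent for future edits.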
@@ -135,9 +157,10 @@ func Setup2FA() http.HandlerFunc { } var vars = map[string]interface{}{ - "TwoFactor": tf, - "Key": key, - "QRCode": qrCode, + "TwoFactor": tf, + "Key": key, + "QRCode": qrCode, + "IsPairingSecondDevice": isPairingSecondDevice, } if err := tmpl.Execute(w, r, vars); err != nil { diff --git a/web/templates/account/dashboard.html b/web/templates/account/dashboard.html index c7fc735..d94d106 100644 --- a/web/templates/account/dashboard.html +++ b/web/templates/account/dashboard.html @@ -134,7 +134,7 @@ {{end}} - {{if not .TwoFactorEnabled}} +
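Review bot: `Key` and `QRCode` are still placed in `vars` on every render, so for an account with 2FA already enabled the only thing keeping the enrolled secret off the page is how the template uses `IsPairingSecondDevice`. Make the handler authoritative: leave both values empty unless 2FA is not yet enabled or `isPairingSecondDevice` is true, and add a comment above the map saying so. The pairing view is now returned directly as the response to a POST, so also send `w.Header().Set("Cache-Control", "no-store")` before `tmpl.Execute` to keep the secret out of browser and proxy caches. The QR generation above the map and the error handling after `tmpl.Execute` are outside the hunk.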
@@ -144,95 +192,7 @@ setting up your Authenticator App.

-

Set up your Authenticator App

- -

- To set up Two-Factor Auth, you'll need to download and install a compatible - Authenticator App on your device. Some suggestions for apps that are compatible - with {{PrettyTitle}} are as follows: -

- - - -

Add {{PrettyTitle}} to your Authenticator App

- -

- When you have your Authenticator App ready, click on its "Add a new site" button and scan - the following QR code to enroll your device for {{PrettyTitle}}: -

- - {{ToHTML .QRCode}} - -

- Alternatively (if you can't scan the QR code), you may copy and paste this secret text - in to your Authenticator app: -

- -
-
- -
-
- -
-
- -

Test your Authenticator App

- -

- After scanning the QR code (or copying the secret key) into your Authenticator app, you - should be able to generate temporary six-digit authentication codes. -

- -

- Test that you have enrolled your authenticator correctly by entering the current six-digit - code below: -

- -
- {{InputCSRF}} - -
- - -
- - -
+ {{template "2fa-setup" .}} @@ -241,6 +201,97 @@ {{end}} +{{define "2fa-setup"}} +

Set up your Authenticator App

+ +

+ To set up Two-Factor Auth, you'll need to download and install a compatible + Authenticator App on your device. Some suggestions for apps that are compatible + with {{PrettyTitle}} are as follows: +

+ + + +

Add {{PrettyTitle}} to your Authenticator App

+ +

+ When you have your Authenticator App ready, click on its "Add a new site" button and scan + the following QR code to enroll your device for {{PrettyTitle}}: +

+ +{{ToHTML .QRCode}} + +

+ Alternatively (if you can't scan the QR code), you may copy and paste this secret text + in to your Authenticator app: +

+ +
+
+ +
+
+ +
+
+ +

Test your Authenticator App

+ +

+ After scanning the QR code (or copying the secret key) into your Authenticator app, you + should be able to generate temporary six-digit authentication codes. +

+ +

+ Test that you have enrolled your authenticator correctly by entering the current six-digit + code below: +

+ +
+ {{InputCSRF}} + +
+ + +
+ + +
+{{end}} {{define "scripts"}}