diff --git a/pkg/controller/account/two_factor.go b/pkg/controller/account/two_factor.go index d82e2ff..c163cf6 100644 --- a/pkg/controller/account/two_factor.go +++ b/pkg/controller/account/two_factor.go @@ -70,6 +70,9 @@ func Setup2FA() http.HandlerFunc { } } + // Are they (re)viewing their original QR code? + var isPairingSecondDevice bool + // POST form actions. if r.Method == http.MethodPost { var intent = r.PostFormValue("intent") @@ -84,8 +87,15 @@ func Setup2FA() http.HandlerFunc { // Valid? if !valid { session.FlashError(w, r, "The passcode you submitted didn't seem correct. Try a new six-digit code.") - templates.Redirect(w, r.URL.Path) - return + + // If they were reconfiguring a second device, go back to the re-setup screen. + if tf.Enabled { + isPairingSecondDevice = true + break + } else { + templates.Redirect(w, r.URL.Path) + return + } } // OK! @@ -120,12 +130,24 @@ func Setup2FA() http.HandlerFunc { session.Flash(w, r, "Your 2FA settings have been cleared and disabled.") } } + case "resetup": + // View the original QR code to set up a new device. + var password = r.PostFormValue("password") + if err := currentUser.CheckPassword(password); err != nil { + session.FlashError(w, r, "Couldn't access your 2FA QR code: the password you entered is incorrect.") + } else { + session.Flash(w, r, "Password accepted. Your 2FA QR code and setup steps will be displayed below.") + isPairingSecondDevice = true + } default: session.FlashError(w, r, "Unknown intent: %s", intent) } - templates.Redirect(w, r.URL.Path) - return + // All POST requests redirect away except resetup. + if !isPairingSecondDevice { + templates.Redirect(w, r.URL.Path) + return + } } // Generate the QR code. 
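Review bot: The new `if tf.Enabled { isPairingSecondDevice = true; break }` branch inside `if !valid` lets any POST carrying a wrong six-digit code reach the QR-code render whenever 2FA is already enabled, because the `break` skips the redirect and the trailing `if !isPairingSecondDevice` check no longer fires — so the password gate added under `resetup` is bypassed for anyone who merely holds the session (unattended browser, stolen cookie). The condition should be proof that the password was just accepted, not merely that 2FA is enabled: record a short-lived marker in the session when `resetup` succeeds and test that marker here, `if resetupAuthorized { isPairingSecondDevice = true; break }`, clearing it once the new device verifies. If no such session marker is available, the safe minimal change is to drop the `tf.Enabled` branch and always `templates.Redirect(w, r.URL.Path); return` on an invalid code, so the user re-enters their password to see the QR code again. The enclosing intent `switch` and the `Setup2FA` body start and end outside this hunk.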
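Review bot: `case "resetup"` reveals the live TOTP secret on a password check alone, which turns password-plus-session into the ability to enroll an attacker-controlled authenticator without the existing device; since the template text aims this feature at users who still have their old device, the branch could also require a current six-digit code from it before setting `isPairingSecondDevice = true`. Failed password attempts on this path should be subject to the same throttling and logging as the login form, which is not visible in this hunk — confirm. The comment `// All POST requests redirect away except resetup.` is also inaccurate as written, since the invalid-passcode path above can fall through too; `// Only an authorized re-setup renders the QR code inline; every other POST redirects.` states the intended invariant, which the code should then actually enforce.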
@@ -135,9 +157,10 @@ func Setup2FA() http.HandlerFunc { } var vars = map[string]interface{}{ - "TwoFactor": tf, - "Key": key, - "QRCode": qrCode, + "TwoFactor": tf, + "Key": key, + "QRCode": qrCode, + "IsPairingSecondDevice": isPairingSecondDevice, } if err := tmpl.Execute(w, r, vars); err != nil { diff --git a/web/templates/account/dashboard.html b/web/templates/account/dashboard.html index c7fc735..d94d106 100644 --- a/web/templates/account/dashboard.html +++ b/web/templates/account/dashboard.html @@ -134,7 +134,7 @@ {{end}} - {{if not .TwoFactorEnabled}} +
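Review bot: When `IsPairingSecondDevice` is true the rendered page carries the live TOTP secret and QR code, so the handler should disable caching before `tmpl.Execute`, e.g. `w.Header().Set("Cache-Control", "no-store")`, unless a middleware already does this for the account routes (not visible here). Without it the secret can linger in the browser cache or back/forward cache after the user navigates away on a shared machine. `Setup2FA` begins outside this hunk.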
In case you lose access to your Authenticator App, please print off or write down these @@ -72,7 +78,12 @@ -
If you wish to disable two-factor authentication for your account, please enter @@ -95,6 +106,43 @@ Disable Two-Factor Authentication + +
+ If you wish to set up another authenticator device and view your original + QR code, you may do so by entering your current account password below. This may be useful + if you have bought a new phone or want to migrate your authenticator to a different device, + so that you may access the original QR code and configure the new authenticator. +
+ ++ Note: this will not change your 2FA security key or backup codes. If you + have lost your old authenticator, it will be more secure to disable and then set up + 2FA from scratch, which will generate a new secret key and backup codes. +
+ +- To set up Two-Factor Auth, you'll need to download and install a compatible - Authenticator App on your device. Some suggestions for apps that are compatible - with {{PrettyTitle}} are as follows: -
- -- When you have your Authenticator App ready, click on its "Add a new site" button and scan - the following QR code to enroll your device for {{PrettyTitle}}: -
- - {{ToHTML .QRCode}} - -- Alternatively (if you can't scan the QR code), you may copy and paste this secret text - in to your Authenticator app: -
- -- After scanning the QR code (or copying the secret key) into your Authenticator app, you - should be able to generate temporary six-digit authentication codes. -
- -- Test that you have enrolled your authenticator correctly by entering the current six-digit - code below: -
- - + {{template "2fa-setup" .}} @@ -241,6 +201,97 @@ {{end}} +{{define "2fa-setup"}} ++ To set up Two-Factor Auth, you'll need to download and install a compatible + Authenticator App on your device. Some suggestions for apps that are compatible + with {{PrettyTitle}} are as follows: +
+ ++ When you have your Authenticator App ready, click on its "Add a new site" button and scan + the following QR code to enroll your device for {{PrettyTitle}}: +
+ +{{ToHTML .QRCode}} + ++ Alternatively (if you can't scan the QR code), you may copy and paste this secret text + in to your Authenticator app: +
+ ++ After scanning the QR code (or copying the secret key) into your Authenticator app, you + should be able to generate temporary six-digit authentication codes. +
+ ++ Test that you have enrolled your authenticator correctly by entering the current six-digit + code below: +
+ + +{{end}} {{define "scripts"}}