From 4db3445ca17d9ef64b24803d091ae7051a3cc795 Mon Sep 17 00:00:00 2001
From: Hillel Coren
Date: Fri, 24 Nov 2017 11:13:34 +0200
Subject: [PATCH] Require OTP to enable 2FA

---
 app/Http/Controllers/TwoFactorController.php | 5 ++++-
 resources/lang/en/texts.php | 1 +
 resources/views/users/two_factor.blade.php | 8 ++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/TwoFactorController.php b/app/Http/Controllers/TwoFactorController.php
index e6a5c0473276..165a530fe636 100644
--- a/app/Http/Controllers/TwoFactorController.php
+++ b/app/Http/Controllers/TwoFactorController.php
@@ -38,8 +38,11 @@ class TwoFactorController extends Controller
 {
 $user = auth()->user();
 $secret = session()->pull('2fa:secret');
+ $oneTimePassword = request('one_time_password');

- if ($secret && ! $user->google_2fa_secret && $user->phone && $user->confirmed) {
+ if (! $secret || ! \Google2FA::verifyKey($secret, $oneTimePassword)) {
+ return redirect('settings/enable_two_factor')->withMessage(trans('texts.invalid_one_time_password'));
+ } elseif (! $user->google_2fa_secret && $user->phone && $user->confirmed) {
 $user->google_2fa_secret = Crypt::encrypt($secret);
 $user->save();

diff --git a/resources/lang/en/texts.php b/resources/lang/en/texts.php
index d0de14e0e037..5534a3965ea2 100644
--- a/resources/lang/en/texts.php
+++ b/resources/lang/en/texts.php
@@ -2557,6 +2557,7 @@ $LANG = array(
 'deleted_scheduled_report' => 'Successfully canceled scheduled report',
 'scheduled_report_attached' => 'Your scheduled :type report is attached.',
 'scheduled_report_error' => 'Failed to create schedule report',
+ 'invalid_one_time_password' => 'Invalid one time password',
 );

 return $LANG;
diff --git a/resources/views/users/two_factor.blade.php b/resources/views/users/two_factor.blade.php
index a053021f3cc2..e8ab179c2661 100644
--- a/resources/views/users/two_factor.blade.php
+++ b/resources/views/users/two_factor.blade.php
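Review bot: The OTP is handed to `\Google2FA::verifyKey()` with no server-side presence or type check — `request('one_time_password')` is null when the field is absent and can be an array if the client sends it as one, and the `required` rule this commit adds in two_factor.blade.php lives in the view rather than in this controller path. Guard the value before the library call, e.g. `if (! $secret || ! is_string($oneTimePassword) || ! \Google2FA::verifyKey($secret, $oneTimePassword)) {`. Separately, `session()->pull('2fa:secret')` discards the pending secret before the code is checked, so a mistyped code and an expired session both land on `settings/enable_two_factor` with the same "invalid one time password" message; that route is not on the page, but if it issues a fresh secret the user must re-add it to their authenticator app, and a short comment on the `pull` line stating that this is the intended one-shot behaviour would save the next reader from "fixing" it. The enclosing method starts before and continues after this hunk.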
@@ -8,7 +8,7 @@
 @include('accounts.nav', ['selected' => ACCOUNT_USER_DETAILS])
 @endif
- {!! Former::open() !!}
+ {!! Former::open()->rules(['one_time_password' => 'required']) !!}
@@ -22,8 +22,12 @@

{{ $secret }}


{!! trans('texts.two_factor_setup_help', ['link' => link_to('https://github.com/antonioribeiro/google2fa#google-authenticator-apps', 'Google Authenticator', ['target' => '_blank'])]) !!}

-

 

+ {!! Former::text('one_time_password')
+ ->placeholder('one_time_password')
+ ->style('width:300px;font-size:18px')
+ ->raw() !!}
+

 

{!! Button::normal(trans('texts.cancel'))->large()->asLinkTo(url('settings/user_details'))->appendIcon(Icon::create('remove-circle')) !!} {!! Button::success(trans('texts.enable'))->large()->submit()->appendIcon(Icon::create('lock')) !!}