From 8e6cfe706ff074c9354c9d5f2e5e966803c7bfdd Mon Sep 17 00:00:00 2001 From: Hillel Coren Date: Fri, 24 Nov 2017 11:15:02 +0200 Subject: [PATCH] Merge: Require to enable 2FA --- app/Http/Controllers/TwoFactorController.php | 5 ++++- resources/views/users/two_factor.blade.php | 8 ++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/app/Http/Controllers/TwoFactorController.php b/app/Http/Controllers/TwoFactorController.php index e6a5c04732..165a530fe6 100644 --- a/app/Http/Controllers/TwoFactorController.php +++ b/app/Http/Controllers/TwoFactorController.php @@ -38,8 +38,11 @@ class TwoFactorController extends Controller { $user = auth()->user(); $secret = session()->pull('2fa:secret'); + $oneTimePassword = request('one_time_password'); - if ($secret && ! $user->google_2fa_secret && $user->phone && $user->confirmed) { + if (! $secret || ! \Google2FA::verifyKey($secret, $oneTimePassword)) { + return redirect('settings/enable_two_factor')->withMessage(trans('texts.invalid_one_time_password')); + } elseif (! $user->google_2fa_secret && $user->phone && $user->confirmed) { $user->google_2fa_secret = Crypt::encrypt($secret); $user->save(); diff --git a/resources/views/users/two_factor.blade.php b/resources/views/users/two_factor.blade.php index a053021f3c..e8ab179c26 100644 --- a/resources/views/users/two_factor.blade.php +++ b/resources/views/users/two_factor.blade.php @@ -8,7 +8,7 @@ @include('accounts.nav', ['selected' => ACCOUNT_USER_DETAILS]) @endif - {!! Former::open() !!} + {!! Former::open()->rules(['one_time_password' => 'required']) !!}
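Review bot: The value from `request('one_time_password')` reaches `\Google2FA::verifyKey($secret, $oneTimePassword)` without any server-side check that it is a non-empty string; the only `required` rule in this patch is the Former rule on the form in `two_factor.blade.php`, which a direct POST never passes through. A missing field arrives as null and `one_time_password[]=x` arrives as an array, and how `verifyKey` treats either is not visible here, so I would make the guard explicit: `if (! $secret || ! is_string($oneTimePassword) || ! \Google2FA::verifyKey($secret, $oneTimePassword)) {`. Also, `session()->pull('2fa:secret')` has already dropped the secret by the time a code is rejected, so the redirect to `settings/enable_two_factor` presumably issues a fresh secret; worth confirming that it does, and that the user is told to re-scan. The method's signature and the rest of the `elseif` branch lie outside the hunk.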
@@ -22,8 +22,12 @@

{{ $secret }}


{!! trans('texts.two_factor_setup_help', ['link' => link_to('https://github.com/antonioribeiro/google2fa#google-authenticator-apps', 'Google Authenticator', ['target' => '_blank'])]) !!}

-

 

+ {!! Former::text('one_time_password') + ->placeholder('one_time_password') + ->style('width:300px;font-size:18px') + ->raw() !!} +

 

{!! Button::normal(trans('texts.cancel'))->large()->asLinkTo(url('settings/user_details'))->appendIcon(Icon::create('remove-circle')) !!} {!! Button::success(trans('texts.enable'))->large()->submit()->appendIcon(Icon::create('lock')) !!}