author | Matthew Somerville <matthew@mysociety.org> | 2019-10-30 15:16:33 +0000 |
---|---|---|
committer | Matthew Somerville <matthew@mysociety.org> | 2019-10-30 15:17:16 +0000 |
commit | 3d593bc68d65015a50f8f4b1a6d9f818d8678226 (patch) | |
tree | 1c8b035b8279dcf3c0fbeaddd5cd9a8ad14df12f /perllib/FixMyStreet/App/Controller/Auth.pm | |
parent | 03390054664ca11ce1db178dff5065ce8f545925 (diff) |
If 2FA enforced, do it for an email login as well.
Diffstat (limited to 'perllib/FixMyStreet/App/Controller/Auth.pm')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth.pm | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index ecca92bd3..041a8b76e 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -259,6 +259,7 @@ sub process_login : Private {
 
 # People using 2FA need to supply a code
 $c->forward( 'token_2fa', [ $user, $url_token ] ) if $user->has_2fa;
+ $c->forward( 'signup_2fa', [ $user ] ) if $c->cobrand->call_hook('must_have_2fa', $user);
 
 if ($data->{old_user_id}) {
 # Were logged in as old_user_id, want to switch to $user
@@ -320,6 +321,36 @@ sub token_2fa : Private {
 $c->detach;
 }
 
+sub signup_2fa : Private {
+ my ($self, $c, $user) = @_;
+
+ $c->stash->{form_action} = $c->req->path;
+ $c->stash->{template} = 'auth/2fa/intro.html';
+ my $action = $c->get_param('2fa_action') || '';
+
+ my $secret;
+ if ($action eq 'confirm') {
+ $secret = $c->get_param('secret32');
+ if ($c->check_2fa($secret)) {
+ $user->set_extra_metadata('2fa_secret' => $secret);
+ $user->update;
+ $c->stash->{stage} = 'success';
+ return;
+ } else {
+ $action = 'activate'; # Incorrect code, reshow
+ }
+ }
+
+ if ($action eq 'activate') {
+ my $auth = Auth::GoogleAuth->new;
+ $c->stash->{qr_code} = $auth->qr_code($secret, $user->email, 'FixMyStreet');
+ $c->stash->{secret32} = $auth->secret32;
+ $c->stash->{stage} = 'activate';
+ }
+
+ $c->detach;
+}
+
 =head2 redirect_on_signin
 
 Used after signing in to take the person back to where they were. |
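Review bot: The new forward to `signup_2fa` is not conditioned on the user lacking 2FA, so for a cobrand whose `must_have_2fa` hook returns true for a user who already has a secret both forwards run: `token_2fa` returns once the code is accepted, then `signup_2fa` renders the intro template and detaches, leaving that user unable to complete login unless the hook itself excludes already-enrolled users (not visible here). Guard it in the caller rather than relying on every hook implementation: `$c->forward( 'signup_2fa', [ $user ] ) if !$user->has_2fa && $c->cobrand->call_hook('must_have_2fa', $user);`. `process_login` starts and ends outside this hunk.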
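Review bot: On the `confirm` step the secret that is persisted as `2fa_secret` is whatever the client posts in `secret32`; nothing from the `activate` step is kept server-side to compare it against, so a missing or client-chosen value is verified and stored as-is. Whether `check_2fa` rejects an undef secret is not visible here, and if it does not, an enforced-2FA user could end up with an empty `2fa_secret`, i.e. without the 2FA the cobrand demands. Minimum fix: `if ($secret && $c->check_2fa($secret)) {`. Better: generate the secret server-side when entering the `activate` stage, keep it in the session rather than round-tripping it through a form field, and read it back on `confirm`, so the form only carries the code. If the intro form has no CSRF token, that session binding also prevents a cross-site POST enrolling an attacker-known secret for a logged-in user.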