Some more work on 2FA

cp/app/Controllers/ProfileController.php

@@ -23,9 +23,14 @@ class ProfileController extends Controller
 
     public function profile(Request $request, Response $response)
     {
+        global $container;
+
         $username = $_SESSION['auth_username'];
         $email = $_SESSION['auth_email'];
+        $userId = $_SESSION['auth_user_id'];
         $status = $_SESSION['auth_status'];
+
+        $db = $container->get('db');
         $tfa = new \RobThree\Auth\TwoFactorAuth('Namingo');
         $secret = $tfa->createSecret();
         $qrcodeDataUri = $tfa->getQRCodeImageAsDataUri($email, $secret);
@@ -40,17 +45,79 @@ class ProfileController extends Controller
             $role = "Admin";
         } else {
             $role = "Unknown";
-        }    
-    
-        global $container;
+        }
+
         $csrfName = $container->get('csrf')->getTokenName();
         $csrfValue = $container->get('csrf')->getTokenValue();
         
-        return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'qrcodeDataUri' => $qrcodeDataUri, 'secret' => $secret, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
+        $_SESSION['2fa_secret'] = $secret;
+        
+        $is_2fa_activated = $db->selectValue(
+            'SELECT tfa_enabled FROM users WHERE id = ? LIMIT 1',
+            [$userId]
+        );
+        if ($is_2fa_activated) {
+            return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
+        } else {
+            return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'qrcodeDataUri' => $qrcodeDataUri, 'secret' => $secret, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
+        }
+
+    }
+    
+    public function activate2fa(Request $request, Response $response)
+    {
+        global $container;
+        
+        if ($request->getMethod() === 'POST') {
+            // Retrieve POST data
+            $data = $request->getParsedBody();
+            $db = $container->get('db');
+            $verificationCode = $data['verificationCode'] ?? null;
+            $userId = $_SESSION['auth_user_id'];
+            $secret = $_SESSION['2fa_secret'];
+
+            $csrfName = $container->get('csrf')->getTokenName();
+            $csrfValue = $container->get('csrf')->getTokenValue();
+            $username = $_SESSION['auth_username'];
+            $email = $_SESSION['auth_email'];
+            $status = $_SESSION['auth_status'];
+
+            if ($status == 0) {
+                $status = "Confirmed";
+            } else {
+                $status = "Unknown";
+            }
+            $roles = $_SESSION['auth_roles'];
+            if ($roles == 0) {
+                $role = "Admin";
+            } else {
+                $role = "Unknown";
+            }
+            
+            try {
+                $db->update(
+                    'users',
+                    [
+                        'tfa_secret' => $secret,
+                        'tfa_enabled' => 1,
+                        'auth_method' => '2fa',
+                        'backup_codes' => null
+                    ],
+                    [
+                        'id' => $userId
+                    ]
+                );
+            } catch (Exception $e) {
+                return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
+            }
+
+            return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
+        }
     }
     
     public function getRegistrationChallenge(Request $request, Response $response)
     {
+        global $container;
         $userName = $_SESSION['auth_username'];
         $userEmail = $_SESSION['auth_email'];
         $userId = $_SESSION['auth_user_id'];
@@ -86,6 +153,7 @@ class ProfileController extends Controller
     
     public function verifyRegistration(Request $request, Response $response)
     {
+        global $container;
         $data = json_decode($request->getBody()->getContents());
 
         try {
@@ -100,7 +168,7 @@ class ProfileController extends Controller
             $credential = $this->webAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, true, true, false);
 
             // Store the credential data in the database
-            $db = $this->container->get('db');
+            $db = $container->get('db');
             $db->insert(
                 'users_webauthn',
                 [

cp/resources/views/admin/profile/profile.twig

@@ -97,6 +97,9 @@
                   <div class="tab-pane" id="tabs-2fa">
                     <h4 class="card-title">Two-Factor Authentication (2FA)</h4>
                         <div class="card">
+                            {% if secret is defined %}
+                            <form action="{{route('activate2fa')}}" name="2fa" method="post">
+                            {{ csrf.field | raw }}
                             <div class="card-body">
                                 <p>Set up 2FA for additional security. Scan the QR code with your authentication app and enter the provided code below to verify.</p>
                                 <!-- QR Code Placeholder -->
@@ -114,14 +117,20 @@
                                 <!-- Verification Code Input -->
                                 <div class="mb-3">
                                     <label for="verificationCode" class="form-label">Verification Code</label>
-                                    <input type="text" class="form-control" id="verificationCode" placeholder="Enter code">
+                                    <input type="text" class="form-control" id="verificationCode" name="verificationCode" placeholder="Enter code">
                                     <small class="form-text text-muted">
                                         Enter the code generated by your authentication app. This code verifies that your 2FA setup is working correctly. Once entered, click 'Save 2FA Settings' to activate two-factor authentication for your account.
                                     </small>
                                 </div>
                                 <!-- Save Button -->
-                                <button type="button" class="btn btn-primary">Save 2FA Settings</button>
+                                <button type="submit" class="btn btn-primary">Save 2FA Settings</button>
                             </div>
+                            </form>
+                            {% else %}
+                            <div class="card-body">
+                                <p>2FA active</p>
+                            </div>
+                            {% endif %}
                         </div>
                   </div>
                   <div class="tab-pane" id="tabs-webauthn">

cp/routes/web.php

@@ -81,8 +81,9 @@ $app->group('', function ($route) {
     $route->map(['GET', 'POST'], '/support/new', SupportController::class .':newticket')->setName('newticket');
     $route->get('/support/docs', SupportController::class .':docs')->setName('docs');
     $route->get('/support/media', SupportController::class .':mediakit')->setName('mediakit');
-    
+
     $route->get('/profile', ProfileController::class .':profile')->setName('profile');
+    $route->post('/profile/2fa', ProfileController::class .':activate2fa')->setName('activate2fa');
     $route->get('/webauthn/register/challenge', ProfileController::class . ':getRegistrationChallenge')->setName('webauthn.register.challenge');
     $route->post('/webauthn/register/verify', ProfileController::class . ':verifyRegistration')->setName('webauthn.register.verify');