Improve 2 factor usage

src/Security/Authentication.php

@@ -144,7 +144,7 @@ class Authentication
 				// Renew the cookie
 				$this->cookie->send();
 
-				// Do the authentification if not done by now
+				// Do the authentication if not done by now
 				if (!$this->session->get('authenticated')) {
 					$this->setForUser($a, $user);
 
@@ -269,7 +269,11 @@ class Authentication
 		}
 
 		if (!$remember) {
+			$trusted = $this->cookie->get('2fa_cookie_hash') ?? null;
 			$this->cookie->clear();
+			if ($trusted) {
+				$this->cookie->set('2fa_cookie_hash', $trusted);
+			}
 		}
 
 		// if we haven't failed up this point, log them in.
@@ -407,11 +411,11 @@ class Authentication
 		}
 
 		// Case 1b: Check for trusted browser
-		if ($this->cookie->get('trusted')) {
+		if ($this->cookie->get('2fa_cookie_hash')) {
 			// Retrieve a trusted_browser model based on cookie hash
 			$trustedBrowserRepository = new TrustedBrowser($this->dba, $this->logger);
 			try {
-				$trustedBrowser = $trustedBrowserRepository->selectOneByHash($this->cookie->get('trusted'));
+				$trustedBrowser = $trustedBrowserRepository->selectOneByHash($this->cookie->get('2fa_cookie_hash'));
 				// Verify record ownership
 				if ($trustedBrowser->uid === $uid) {
 					// Update last_used date
@@ -420,10 +424,13 @@ class Authentication
 					// Save it to the database
 					$trustedBrowserRepository->save($trustedBrowser);
 
-					// Set 2fa session key and return
-					$this->session->set('2fa', true);
+					// Only use this entry, if its really trusted, otherwise just update the record and proceed
+					if ($trustedBrowser->trusted) {
+						// Set 2fa session key and return
+						$this->session->set('2fa', true);
 
-					return;
+						return;
+					}
 				} else {
 					// Invalid trusted cookie value, removing it
 					$this->cookie->unset('trusted');

src/Security/TwoFactor/Factory/TrustedBrowser.php

@@ -27,7 +27,7 @@ use Friendica\Util\Strings;
 
 class TrustedBrowser extends BaseFactory
 {
-	public function createForUserWithUserAgent($uid, $userAgent): \Friendica\Security\TwoFactor\Model\TrustedBrowser
+	public function createForUserWithUserAgent(int $uid, string $userAgent, bool $trusted): \Friendica\Security\TwoFactor\Model\TrustedBrowser
 	{
 		$trustedHash = Strings::getRandomHex();
 
@@ -35,6 +35,7 @@ class TrustedBrowser extends BaseFactory
 			$trustedHash,
 			$uid,
 			$userAgent,
+			$trusted,
 			DateTimeFormat::utcNow()
 		);
 	}
@@ -45,6 +46,7 @@ class TrustedBrowser extends BaseFactory
 			$row['cookie_hash'],
 			$row['uid'],
 			$row['user_agent'],
+			$row['trusted'],
 			$row['created'],
 			$row['last_used']
 		);

src/Security/TwoFactor/Model/TrustedBrowser.php

@@ -31,6 +31,7 @@ use Friendica\Util\DateTimeFormat;
  * @property-read $cookie_hash
  * @property-read $uid
  * @property-read $user_agent
+ * @property-read $trusted
  * @property-read $created
  * @property-read $last_used
  * @package Friendica\Model\TwoFactor
@@ -40,6 +41,7 @@ class TrustedBrowser extends BaseEntity
 	protected $cookie_hash;
 	protected $uid;
 	protected $user_agent;
+	protected $trusted;
 	protected $created;
 	protected $last_used;
 
@@ -51,16 +53,18 @@ class TrustedBrowser extends BaseEntity
 	 * @param string      $cookie_hash
 	 * @param int         $uid
 	 * @param string      $user_agent
+	 * @param bool        $trusted
 	 * @param string      $created
 	 * @param string|null $last_used
 	 */
-	public function __construct(string $cookie_hash, int $uid, string $user_agent, string $created, string $last_used = null)
+	public function __construct(string $cookie_hash, int $uid, string $user_agent, bool $trusted, string $created, string $last_used = null)
 	{
 		$this->cookie_hash = $cookie_hash;
-		$this->uid = $uid;
-		$this->user_agent = $user_agent;
-		$this->created = $created;
-		$this->last_used = $last_used;
+		$this->uid         = $uid;
+		$this->user_agent  = $user_agent;
+		$this->trusted     = $trusted;
+		$this->created     = $created;
+		$this->last_used   = $last_used;
 	}
 
 	public function recordUse()