Merge pull request #7135 from MrPetovan/task/two-factor-authentication

Add native two-factor authentication support
2025-04-19 09:50:11 +00:00 · 2019-05-14 07:07:03 +02:00 · 2019-05-14 07:07:03 +02:00 · 5e85bdecd0
commit 5e85bdecd0
parent 4161f5ebe0 78b651d2e8
29 changed files with 1497 additions and 211 deletions
--- a/src/Module/BaseSettingsModule.php
+++ b/src/Module/BaseSettingsModule.php
@ -0,0 +1,110 @@
+<?php
+
+namespace Friendica\Module;
+
+use Friendica\BaseModule;
+use Friendica\Content\Feature;
+use Friendica\Core\L10n;
+use Friendica\Core\Renderer;
+
+class BaseSettingsModule extends BaseModule
+{
+	public static function content()
+	{
+		$a = self::getApp();
+
+		$tpl = Renderer::getMarkupTemplate('settings/head.tpl');
+		$a->page['htmlhead'] .= Renderer::replaceMacros($tpl, [
+			'$ispublic' => L10n::t('everybody')
+		]);
+
+		$tabs = [];
+
+		$tabs[] = [
+			'label' => L10n::t('Account'),
+			'url' => 'settings',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'settings') ? 'active' : ''),
+			'accesskey' => 'o',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Two-factor authentication'),
+			'url' => 'settings/2fa',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === '2fa') ? 'active' : ''),
+			'accesskey' => 'o',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Profiles'),
+			'url' => 'profiles',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'profiles') ? 'active' : ''),
+			'accesskey' => 'p',
+		];
+
+		if (Feature::get()) {
+			$tabs[] = [
+				'label' => L10n::t('Additional features'),
+				'url' => 'settings/features',
+				'selected' => (($a->argc > 1) && ($a->argv[1] === 'features') ? 'active' : ''),
+				'accesskey' => 't',
+			];
+		}
+
+		$tabs[] = [
+			'label' => L10n::t('Display'),
+			'url' => 'settings/display',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'display') ? 'active' : ''),
+			'accesskey' => 'i',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Social Networks'),
+			'url' => 'settings/connectors',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'connectors') ? 'active' : ''),
+			'accesskey' => 'w',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Addons'),
+			'url' => 'settings/addon',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'addon') ? 'active' : ''),
+			'accesskey' => 'l',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Delegations'),
+			'url' => 'delegate',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'delegate') ? 'active' : ''),
+			'accesskey' => 'd',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Connected apps'),
+			'url' => 'settings/oauth',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'oauth') ? 'active' : ''),
+			'accesskey' => 'b',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Export personal data'),
+			'url' => 'uexport',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'uexport') ? 'active' : ''),
+			'accesskey' => 'e',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Remove account'),
+			'url' => 'removeme',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'removeme') ? 'active' : ''),
+			'accesskey' => 'r',
+		];
+
+
+		$tabtpl = Renderer::getMarkupTemplate("generic_links_widget.tpl");
+		$a->page['aside'] = Renderer::replaceMacros($tabtpl, [
+			'$title' => L10n::t('Settings'),
+			'$class' => 'settings-widget',
+			'$items' => $tabs,
+		]);
+	}
+}
--- a/src/Module/Help.php
+++ b/src/Module/Help.php
@ -21,35 +21,35 @@ class Help extends BaseModule
 		$text = '';
 		$filename = '';

-		$app = self::getApp();
-		$config = $app->getConfig();
+		$a = self::getApp();
+		$config = $a->getConfig();
 		$lang = $config->get('system', 'language');

 		// @TODO: Replace with parameter from router
-		if ($app->argc > 1) {
+		if ($a->argc > 1) {
 			$path = '';
 			// looping through the argv keys bigger than 0 to build
 			// a path relative to /help
-			for ($x = 1; $x < $app->argc; $x ++) {
+			for ($x = 1; $x < $a->argc; $x ++) {
 				if (strlen($path)) {
 					$path .= '/';
 				}

-				$path .= $app->getArgumentValue($x);
+				$path .= $a->getArgumentValue($x);
 			}
 			$title = basename($path);
 			$filename = $path;
 			$text = self::loadDocFile('doc/' . $path . '.md', $lang);
-			$app->page['title'] = L10n::t('Help:') . ' ' . str_replace('-', ' ', Strings::escapeTags($title));
+			$a->page['title'] = L10n::t('Help:') . ' ' . str_replace('-', ' ', Strings::escapeTags($title));
 		}

 		$home = self::loadDocFile('doc/Home.md', $lang);
 		if (!$text) {
 			$text = $home;
 			$filename = "Home";
-			$app->page['title'] = L10n::t('Help');
+			$a->page['title'] = L10n::t('Help');
 		} else {
-			$app->page['aside'] = Markdown::convert($home, false);
+			$a->page['aside'] = Markdown::convert($home, false);
 		}

 		if (!strlen($text)) {
@ -85,7 +85,7 @@ class Help extends BaseModule

 						$idNum[$level] ++;
 						$id = implode("_", array_slice($idNum, 1, $level));
-						$href = $app->getBaseURL() . "/help/{$filename}#{$id}";
+						$href = $a->getBaseURL() . "/help/{$filename}#{$id}";
 						$toc .= "<li><a href='{$href}'>" . strip_tags($line) . "</a></li>";
 						$line = "<a name='{$id}'></a>" . $line;
 						$lastLevel = $level;
--- a/src/Module/Login.php
+++ b/src/Module/Login.php
@ -12,6 +12,7 @@ use Friendica\Core\Hook;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\Renderer;
+use Friendica\Core\Session;
 use Friendica\Core\System;
 use Friendica\Database\DBA;
 use Friendica\Model\User;
@ -160,7 +161,8 @@ class Login extends BaseModule
 		// if we haven't failed up this point, log them in.
 		$_SESSION['remember'] = $remember;
 		$_SESSION['last_login_date'] = DateTimeFormat::utcNow();
-		Authentication::setAuthenticatedSessionForUser($record, true, true);
+
+		Session::setAuthenticatedForUser($a, $record, true, true);

 		if (!empty($_SESSION['return_path'])) {
 			$return_path = $_SESSION['return_path'];
@ -210,7 +212,7 @@ class Login extends BaseModule

 					// Do the authentification if not done by now
 					if (!isset($_SESSION) || !isset($_SESSION['authenticated'])) {
-						Authentication::setAuthenticatedSessionForUser($user);
+						Session::setAuthenticatedForUser($a, $user);

 						if (Config::get('system', 'paranoia')) {
 							$_SESSION['addr'] = $data->ip;
@ -263,7 +265,8 @@ class Login extends BaseModule
 					$_SESSION['last_login_date'] = DateTimeFormat::utcNow();
 					$login_refresh = true;
 				}
-				Authentication::setAuthenticatedSessionForUser($user, false, false, $login_refresh);
+
+				Session::setAuthenticatedForUser($a, $user, false, false, $login_refresh);
 			}
 		}
 	}
--- a/src/Module/Settings/TwoFactor/Index.php
+++ b/src/Module/Settings/TwoFactor/Index.php
@ -0,0 +1,108 @@
+<?php
+
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Core\Session;
+use Friendica\Model\TwoFactorRecoveryCode;
+use Friendica\Model\User;
+use Friendica\Module\BaseSettingsModule;
+use Friendica\Module\Login;
+use PragmaRX\Google2FA\Google2FA;
+
+class Index extends BaseSettingsModule
+{
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		self::checkFormSecurityTokenRedirectOnError('settings/2fa', 'settings_2fa');
+
+		try {
+			User::getIdFromPasswordAuthentication(local_user(), defaults($_POST, 'password', ''));
+
+			$has_secret = (bool) PConfig::get(local_user(), '2fa', 'secret');
+			$verified = PConfig::get(local_user(), '2fa', 'verified');
+
+			switch (defaults($_POST, 'action', '')) {
+				case 'enable':
+					if (!$has_secret && !$verified) {
+						$Google2FA = new Google2FA();
+
+						PConfig::set(local_user(), '2fa', 'secret', $Google2FA->generateSecretKey(32));
+
+						self::getApp()->internalRedirect('settings/2fa/recovery?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
+				case 'disable':
+					if ($has_secret) {
+						TwoFactorRecoveryCode::deleteForUser(local_user());
+						PConfig::delete(local_user(), '2fa', 'secret');
+						PConfig::delete(local_user(), '2fa', 'verified');
+						Session::remove('2fa');
+
+						notice(L10n::t('Two-factor authentication successfully disabled.'));
+						self::getApp()->internalRedirect('settings/2fa');
+					}
+					break;
+				case 'recovery':
+					if ($has_secret) {
+						self::getApp()->internalRedirect('settings/2fa/recovery?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
+				case 'configure':
+					if (!$verified) {
+						self::getApp()->internalRedirect('settings/2fa/verify?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
+			}
+		} catch (\Exception $e) {
+			notice(L10n::t('Wrong Password'));
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			return Login::form('settings/2fa');
+		}
+
+		parent::content();
+
+		$has_secret = (bool) PConfig::get(local_user(), '2fa', 'secret');
+		$verified = PConfig::get(local_user(), '2fa', 'verified');
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/index.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('settings_2fa'),
+			'$title'               => L10n::t('Two-factor authentication'),
+			'$help_label'          => L10n::t('Help'),
+			'$status_title'        => L10n::t('Status'),
+			'$message'             => L10n::t('<p>Use an application on a mobile device to get two-factor authentication codes when prompted on login.</p>'),
+			'$has_secret'          => $has_secret,
+			'$verified'            => $verified,
+
+			'$auth_app_label'         => L10n::t('Authenticator app'),
+			'$app_status'             => $has_secret ? $verified ? L10n::t('Configured') : L10n::t('Not Configured') : L10n::t('Disabled'),
+			'$not_configured_message' => L10n::t('<p>You haven\'t finished configuring your authenticator app.</p>'),
+			'$configured_message'     => L10n::t('<p>Your authenticator app is correctly configured.</p>'),
+
+			'$recovery_codes_title'     => L10n::t('Recovery codes'),
+			'$recovery_codes_remaining' => L10n::t('Remaining valid codes'),
+			'$recovery_codes_count'     => TwoFactorRecoveryCode::countValidForUser(local_user()),
+			'$recovery_codes_message'   => L10n::t('<p>These one-use codes can replace an authenticator app code in case you have lost access to it.</p>'),
+
+			'$action_title'         => L10n::t('Actions'),
+			'$password'             => ['password', L10n::t('Current password:'), '', L10n::t('You need to provide your current password to change two-factor authentication settings.'), 'required', 'autofocus'],
+			'$enable_label'         => L10n::t('Enable two-factor authentication'),
+			'$disable_label'        => L10n::t('Disable two-factor authentication'),
+			'$recovery_codes_label' => L10n::t('Show recovery codes'),
+			'$configure_label'      => L10n::t('Finish app configuration'),
+		]);
+	}
+}
--- a/src/Module/Settings/TwoFactor/Recovery.php
+++ b/src/Module/Settings/TwoFactor/Recovery.php
@ -0,0 +1,86 @@
+<?php
+
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Model\TwoFactorRecoveryCode;
+use Friendica\Module\BaseSettingsModule;
+use Friendica\Module\Login;
+
+/**
+ * // Page 3: 2FA enabled but not verified, show recovery codes
+ *
+ * @package Friendica\Module\TwoFactor
+ */
+class Recovery extends BaseSettingsModule
+{
+	public static function init()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$secret = PConfig::get(local_user(), '2fa', 'secret');
+
+		if (!$secret) {
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+
+		if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
+			notice(L10n::t('Please enter your password to access this page.'));
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+	}
+
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		if (!empty($_POST['action'])) {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/recovery', 'settings_2fa_recovery');
+
+			if ($_POST['action'] == 'regenerate') {
+				TwoFactorRecoveryCode::regenerateForUser(local_user());
+				notice(L10n::t('New recovery codes successfully generated.'));
+				self::getApp()->internalRedirect('settings/2fa/recovery?t=' . self::getFormSecurityToken('settings_2fa_password'));
+			}
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			return Login::form('settings/2fa/recovery');
+		}
+
+		parent::content();
+
+		if (!TwoFactorRecoveryCode::countValidForUser(local_user())) {
+			TwoFactorRecoveryCode::generateForUser(local_user());
+		}
+
+		$recoveryCodes = TwoFactorRecoveryCode::getListForUser(local_user());
+
+		$verified = PConfig::get(local_user(), '2fa', 'verified');
+		
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/recovery.tpl'), [
+			'$form_security_token'     => self::getFormSecurityToken('settings_2fa_recovery'),
+			'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
+
+			'$title'              => L10n::t('Two-factor recovery codes'),
+			'$help_label'         => L10n::t('Help'),
+			'$message'            => L10n::t('<p>Recovery codes can be used to access your account in the event you lose access to your device and cannot receive two-factor authentication codes.</p><p><strong>Put these in a safe spot!</strong> If you lose your device and don’t have the recovery codes you will lose access to your account.</p>'),
+			'$recovery_codes'     => $recoveryCodes,
+			'$regenerate_message' => L10n::t('When you generate new recovery codes, you must copy the new codes. Your old codes won’t work anymore.'),
+			'$regenerate_label'   => L10n::t('Generate new recovery codes'),
+			'$verified'           => $verified,
+			'$verify_label'       => L10n::t('Next: Verification'),
+		]);
+	}
+}
--- a/src/Module/Settings/TwoFactor/Verify.php
+++ b/src/Module/Settings/TwoFactor/Verify.php
@ -0,0 +1,130 @@
+<?php
+
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+
+use BaconQrCode\Renderer\Image\SvgImageBackEnd;
+use BaconQrCode\Renderer\ImageRenderer;
+use BaconQrCode\Renderer\RendererStyle\RendererStyle;
+use BaconQrCode\Writer;
+use Friendica\BaseModule;
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Core\Session;
+use Friendica\Module\BaseSettingsModule;
+use Friendica\Module\Login;
+use PragmaRX\Google2FA\Google2FA;
+
+/**
+ * // Page 4: 2FA enabled but not verified, QR code and verification
+ *
+ * @package Friendica\Module\TwoFactor\Settings
+ */
+class Verify extends BaseSettingsModule
+{
+	public static function init()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$secret = PConfig::get(local_user(), '2fa', 'secret');
+		$verified = PConfig::get(local_user(), '2fa', 'verified');
+
+		if ($secret && $verified) {
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+
+		if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
+			notice(L10n::t('Please enter your password to access this page.'));
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+	}
+
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		if (defaults($_POST, 'action', null) == 'verify') {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/verify', 'settings_2fa_verify');
+
+			$google2fa = new Google2FA();
+
+			$valid = $google2fa->verifyKey(PConfig::get(local_user(), '2fa', 'secret'), defaults($_POST, 'verify_code', ''));
+
+			if ($valid) {
+				PConfig::set(local_user(), '2fa', 'verified', true);
+				Session::set('2fa', true);
+
+				notice(L10n::t('Two-factor authentication successfully activated.'));
+
+				self::getApp()->internalRedirect('settings/2fa');
+			} else {
+				notice(L10n::t('Invalid code, please retry.'));
+			}
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			return Login::form('settings/2fa/verify');
+		}
+
+		parent::content();
+
+		$company = 'Friendica';
+		$holder = Session::get('my_address');
+		$secret = PConfig::get(local_user(), '2fa', 'secret');
+
+		$otpauthUrl = (new Google2FA())->getQRCodeUrl($company, $holder, $secret);
+
+		$renderer = (new \BaconQrCode\Renderer\Image\Svg())
+			->setHeight(256)
+			->setWidth(256);
+
+		$writer = new Writer($renderer);
+
+		$qrcode_image = str_replace('<?xml version="1.0" encoding="UTF-8"?>', '', $writer->writeString($otpauthUrl));
+
+		$shortOtpauthUrl = explode('?', $otpauthUrl)[0];
+
+		$manual_message = L10n::t('<p>Or you can submit the authentication settings manually:</p>
+<dl>
+	<dt>Issuer</dt>
+	<dd>%s</dd>
+	<dt>Account Name</dt>
+	<dd>%s</dd>
+	<dt>Secret Key</dt>
+	<dd>%s</dd>
+	<dt>Type</dt>
+	<dd>Time-based</dd>
+	<dt>Number of digits</dt>
+	<dd>6</dd>
+	<dt>Hashing algorithm</dt>
+	<dd>SHA-1</dd>
+</dl>', $company, $holder, $secret);
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/verify.tpl'), [
+			'$form_security_token'     => self::getFormSecurityToken('settings_2fa_verify'),
+			'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
+
+			'$title'              => L10n::t('Two-factor code verification'),
+			'$help_label'         => L10n::t('Help'),
+			'$message'            => L10n::t('<p>Please scan this QR Code with your authenticator app and submit the provided code.</p>'),
+			'$qrcode_image'       => $qrcode_image,
+			'$qrcode_url_message' => L10n::t('<p>Or you can open the following URL in your mobile devicde:</p><p><a href="%s">%s</a></p>', $otpauthUrl, $shortOtpauthUrl),
+			'$manual_message'     => $manual_message,
+			'$company'            => $company,
+			'$holder'             => $holder,
+			'$secret'             => $secret,
+
+			'$verify_code'  => ['verify_code', L10n::t('Please enter a code from your authentication app'), '', '', 'required', 'autofocus placeholder="000000"'],
+			'$verify_label' => L10n::t('Verify code and enable two-factor authentication'),
+		]);
+	}
+}
--- a/src/Module/TwoFactor/Recovery.php
+++ b/src/Module/TwoFactor/Recovery.php
@ -0,0 +1,72 @@
+<?php
+
+namespace Friendica\Module\TwoFactor;
+
+use Friendica\BaseModule;
+use Friendica\Core\L10n;
+use Friendica\Core\Renderer;
+use Friendica\Core\Session;
+use Friendica\Model\TwoFactorRecoveryCode;
+
+/**
+ * // Page 1a: Recovery code verification
+ *
+ * @package Friendica\Module\TwoFactor
+ */
+class Recovery extends BaseModule
+{
+	public static function init()
+	{
+		if (!local_user()) {
+			return;
+		}
+	}
+
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		if (defaults($_POST, 'action', null) == 'recover') {
+			self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_recovery');
+
+			$a = self::getApp();
+
+			$recovery_code = defaults($_POST, 'recovery_code', '');
+
+			if (TwoFactorRecoveryCode::existsForUser(local_user(), $recovery_code)) {
+				TwoFactorRecoveryCode::markUsedForUser(local_user(), $recovery_code);
+				Session::set('2fa', true);
+				notice(L10n::t('Remaining recovery codes: %d', TwoFactorRecoveryCode::countValidForUser(local_user())));
+
+				// Resume normal login workflow
+				Session::setAuthenticatedForUser($a, $a->user, true, true);
+			} else {
+				notice(L10n::t('Invalid code, please retry.'));
+			}
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			self::getApp()->internalRedirect();
+		}
+
+		// Already authenticated with 2FA token
+		if (Session::get('2fa')) {
+			self::getApp()->internalRedirect();
+		}
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('twofactor/recovery.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('twofactor_recovery'),
+
+			'$title'            => L10n::t('Two-factor recovery'),
+			'$message'          => L10n::t('<p>You can enter one of your one-time recovery codes in case you lost access to your mobile device.</p>'),
+			'$recovery_message' => L10n::t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
+			'$recovery_code'    => ['recovery_code', L10n::t('Please enter a recovery code'), '', '', '', 'placeholder="000000-000000"'],
+			'$recovery_label'   => L10n::t('Submit recovery code and complete login'),
+		]);
+	}
+}
--- a/src/Module/TwoFactor/Verify.php
+++ b/src/Module/TwoFactor/Verify.php
@ -0,0 +1,67 @@
+<?php
+
+namespace Friendica\Module\TwoFactor;
+
+use Friendica\BaseModule;
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Core\Session;
+use PragmaRX\Google2FA\Google2FA;
+
+/**
+ * Page 1: Authenticator code verification
+ *
+ * @package Friendica\Module\TwoFactor
+ */
+class Verify extends BaseModule
+{
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		if (defaults($_POST, 'action', null) == 'verify') {
+			self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_verify');
+
+			$a = self::getApp();
+
+			$code = defaults($_POST, 'verify_code', '');
+
+			$valid = (new Google2FA())->verifyKey(PConfig::get(local_user(), '2fa', 'secret'), $code);
+
+			// The same code can't be used twice even if it's valid
+			if ($valid && Session::get('2fa') !== $code) {
+				Session::set('2fa', $code);
+
+				// Resume normal login workflow
+				Session::setAuthenticatedForUser($a, $a->user, true, true);
+			} else {
+				notice(L10n::t('Invalid code, please retry.'));
+			}
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			self::getApp()->internalRedirect();
+		}
+
+		// Already authenticated with 2FA token
+		if (Session::get('2fa')) {
+			self::getApp()->internalRedirect();
+		}
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('twofactor/verify.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('twofactor_verify'),
+
+			'$title'            => L10n::t('Two-factor authentication'),
+			'$message'          => L10n::t('<p>Open the two-factor authentication app on your device to get an authentication code and verify your identity.</p>'),
+			'$recovery_message' => L10n::t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
+			'$verify_code'      => ['verify_code', L10n::t('Please enter a code from your authentication app'), '', '', 'required', 'autofocus placeholder="000000"'],
+			'$verify_label'     => L10n::t('Verify code and complete login'),
+		]);
+	}
+}