go-gitea · zeripath · Jan 19, 2020 · Jan 18, 2020 · Jan 19, 2020 · Jan 19, 2020
diff --git a/routers/user/auth.go b/routers/user/auth.go
@@ -1284,7 +1284,7 @@ func ForgotPasswdPost(ctx *context.Context) {
  ctx.HTML(200, tplForgotPassword)
 }
 
-func commonResetPassword(ctx *context.Context) *models.User {
+func commonResetPassword(ctx *context.Context) (*models.User, *models.TwoFactor) {
  code := ctx.Query("code")
 
  ctx.Data["Title"] = ctx.Tr("auth.reset_password")
@@ -1296,46 +1296,90 @@ func commonResetPassword(ctx *context.Context) *models.User {
 
  if len(code) == 0 {
  ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
- return nil
+ return nil, nil
  }
 
  // Fail early, don't frustrate the user
  u := models.VerifyUserActiveCode(code)
  if u == nil {
  ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
- return nil
+ return nil, nil
+ }
+
+ twofa, err := models.GetTwoFactorByUID(u.ID)
+ if err != nil {
+ if !models.IsErrTwoFactorNotEnrolled(err) {
+ ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
+ return nil, nil
+ }
+ } else {
+ ctx.Data["has_two_factor"] = true
+ ctx.Data["scratch_code"] = ctx.QueryBool("scratch_code")
  }
 
  // Show the user that they are affecting the account that they intended to
  ctx.Data["user_email"] = u.Email
 
  if nil != ctx.User && u.ID != ctx.User.ID {
  ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
- return nil
+ return nil, nil
  }
 
- return u
+ return u, twofa
 }
 
 // ResetPasswd render the account recovery page
 func ResetPasswd(ctx *context.Context) {
  ctx.Data["IsResetForm"] = true
 
  commonResetPassword(ctx)
+ if ctx.Written() {
+ return
+ }
 
  ctx.HTML(200, tplResetPassword)
 }
 
 // ResetPasswdPost response from account recovery request
 func ResetPasswdPost(ctx *context.Context) {
- u := commonResetPassword(ctx)
+ u, twofa := commonResetPassword(ctx)
+ if ctx.Written() {
+ return
+ }
 
  if u == nil {
  // Flash error has been set
  ctx.HTML(200, tplResetPassword)
  return
  }
 
+ if twofa != nil {
+ useScratch := ctx.QueryBool("scratch_code")
+ if useScratch {
+ token := ctx.Query("token")
+ ok := twofa.VerifyScratchToken(token)
+ if !ok {
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Token"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
+ return
+ }
+ } else {
+ code := ctx.Query("passcode")
+ ok, err := twofa.ValidateTOTP(code)
+ if err != nil {
+ ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
+ return
+ }
+ if !ok {
+ ctx.Data["IsResetForm"] = true
+ ctx.Data["Err_Passcode"] = true
+ ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
+ return
+ }
+ }
+ }
+
  // Validate password length.
  passwd := ctx.Query("password")
  if len(passwd) < setting.MinPasswordLength {

diff --git a/templates/user/auth/reset_passwd.tmpl b/templates/user/auth/reset_passwd.tmpl
@@ -18,7 +18,7 @@
  {{end}}
  {{if .IsResetForm}}
  <div class="required inline field {{if .Err_Password}}error{{end}}">
- <label for="password">{{.i18n.Tr "password"}}</label>
+ <label for="password">{{.i18n.Tr "settings.new_password"}}</label>
  <input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
  </div>
  {{if not .user_signed_in}}
@@ -30,10 +30,31 @@
  </div>
  </div>
  {{end}}
+ {{if .has_two_factor}}
+ <h4 class="ui dividing header">
+ {{.i18n.Tr "twofa"}}
+ </h4>
+ <div class="ui warning message">{{.i18n.Tr "settings.twofa_is_enrolled" | Str2html }}</div>
+ {{if .scratch_code}}
+ <div class="required inline field {{if .Err_Token}}error{{end}}">
+ <label for="token">{{.i18n.Tr "auth.scratch_code"}}</label>
+ <input id="token" name="token" type="text" autocomplete="off" autofocus required>
+ </div>
+ <input type="hidden" name="scratch_code" value="true">
+ {{else}}
+ <div class="required inline field {{if .Err_Passcode}}error{{end}}">
+ <label for="passcode">{{.i18n.Tr "passcode"}}</label>
+ <input id="passcode" name="passcode" type="number" autocomplete="off" autofocus required>
+ </div>
+ {{end}}
+ {{end}}
  <div class="ui divider"></div>
  <div class="inline field">
  <label></label>
  <button class="ui blue button">{{.i18n.Tr "auth.reset_password_helper"}}</button>
+ {{if and .has_two_factor (not .scratch_code)}}
+ <a href="{{.Link}}?code={{.Code}}&amp;scratch_code=true">{{.i18n.Tr "auth.use_scratch_code" | Str2html}}</a>
+ {{end}}
  </div>
  {{else}}
  <p class="center">{{.i18n.Tr "auth.invalid_code"}}</p>