Clean up MFA display

Added a new page so users are only prompted for MFA if it's enabled for their account. Also displays the blog domain properly in MFA applications.
2026-04-17 11:16:00 +05:30 · 2025-01-15 19:40:38 -05:00 · 2025-01-15 19:40:38 -05:00 · c46fa1985c
commit c46fa1985c
parent b7209e3ca5
4 changed files with 88 additions and 52 deletions
--- a/system/admin/views/edit-mfa.html.php
+++ b/system/admin/views/edit-mfa.html.php
@ -8,6 +8,9 @@ use PragmaRX\Google2FA\Google2FA;
 use BaconQrCode\Renderer\GDLibRenderer;
 use BaconQrCode\Writer;

+$domain = site_url();
+$domain = str_replace("https://", "", $domain);
+$domain = rtrim($domain, "/");
 $mfa_state = user('mfa_secret', $user);

 if (is_null($mfa_state) || $mfa_state == 'disabled') {
@ -19,7 +22,7 @@ if (is_null($mfa_state) || $mfa_state == 'disabled') {

        $g2faUrl = $google2fa->getQRCodeUrl(
            $user,
-            site_url(),
+            $domain,
            $mfasecret
        );

@ -60,7 +63,7 @@ if (is_null($mfa_state) || $mfa_state == 'disabled') {
            </div>
        </div>
        <input type="hidden" name="mfa_secret" value="<?php echo $mfasecret;?>">
-        <input type="submit" class="btn btn-primary" style="width:100px;" value="<?php echo i18n('Save');?>">'
+        <input type="submit" class="btn btn-primary" style="width:100px;" value="<?php echo i18n('Save');?>">
    <?php } else { ?>
        <input type="hidden" name="mfa_secret" value="disabled">    
            <div class="form-group row">
--- a/system/admin/views/login-mfa.html.php
+++ b/system/admin/views/login-mfa.html.php
@ -0,0 +1,15 @@
+<?php if (!defined('HTMLY')) die('HTMLy'); ?>
+<style>.error-message ul {margin:0;padding:0;}</style>
+<?php if (isset($error)) { ?>
+    <div class="error-message"><?php echo $error ?></div>
+<?php } ?>
+<h1><?php echo i18n('Login');?></h1>
+<form method="POST" action="login-mfa">
+    <input type="hidden" name="csrf_token" value="<?php echo get_csrf() ?>">
+    <input type="hidden" name="user" value="<?php echo $username; ?>">
+    <input type="hidden" name="password" value="<?php echo $password; ?>">
+    <label><?php echo i18n('MFACode');?></label>
+    <input type="text" class="form-control" name="mfacode" placeholder="<?php echo i18n('verify_code'); ?>"/>
+    <br>
+    <input type="submit" class="btn btn-primary" name="submit" value="<?php echo i18n('Login');?>"/>
+</form>
--- a/system/admin/views/login.html.php
+++ b/system/admin/views/login.html.php
@ -21,11 +21,6 @@
        } ?>" name="password" placeholder="<?php echo i18n('Password'); ?>"/>
        <br>
        <input type="hidden" name="csrf_token" value="<?php echo get_csrf() ?>">
-        <?php if (config('mfa.state') === 'true'): ?>
-            <label><?php echo i18n('MFACode');?></label>
-            <input type="text" class="form-control" name="mfacode" placeholder="<?php echo i18n('verify_code'); ?>"/>
-            <br>
-        <?php endif; ?>
        <?php if (config('login.protect.system') === 'google'): ?>
            <script src='https://www.google.com/recaptcha/api.js'></script>
            <div class="g-recaptcha" data-sitekey="<?php echo config("login.protect.public"); ?>"></div>
--- a/system/htmly.php
+++ b/system/htmly.php
@ -149,39 +149,13 @@ post('/login', function () {
    $mfa_secret = user('mfa_secret', $user);
    if ($proper && $captcha && !empty($user) && !empty($pass)) {
        if (!is_null($mfa_secret) && $mfa_secret !== "disabled") {
-            $mfacode = from($_REQUEST, 'mfacode');
-            $google2fa = new Google2FA();
-            if ($google2fa->verifyKey($mfa_secret, $mfacode, '1')) {
-                session($user, $pass);
-                $log = session($user, $pass);
-
-                if (!empty($log)) {
-
            config('views.root', 'system/admin/views');

-                    render('login', array(
+            render('login-mfa', array(
                'title' => generate_title('is_default', i18n('Login')),
                'description' => i18n('Login') . ' ' . blog_title(),
                'canonical' => site_url(),
                'metatags' => generate_meta(null, null),
-                        'error' => '<ul>' . $log . '</ul>',
-                        'type' => 'is_login',
-                        'is_login' => true,
-                        'bodyclass' => 'in-login',
-                        'breadcrumb' => '<a href="' . site_url() . '">' . config('breadcrumb.home') . '</a> &#187; ' . i18n('Login')
-                    ));
-                }
-            } else {
-                $message['error'] = '';
-                $message['error'] .= '<li class="alert alert-danger">' . i18n('MFA_Error') . '</li>';
-                config('views.root', 'system/admin/views');
-
-                render('login', array(
-                    'title' => generate_title('is_default', i18n('Login')),
-                    'description' => i18n('Login') . ' ' . blog_title(),
-                    'canonical' => site_url(),
-                    'metatags' => generate_meta(null, null),
-                    'error' => '<ul>' . $message['error'] . '</ul>',
                'username' => $user,
                'password' => $pass,
                'type' => 'is_login',
@ -189,7 +163,6 @@ post('/login', function () {
                'bodyclass' => 'in-login',
                'breadcrumb' => '<a href="' . site_url() . '">' . config('breadcrumb.home') . '</a> &#187; ' . i18n('Login')
            ));
-            }
        } else {
            session($user, $pass);
            $log = session($user, $pass);
@ -244,6 +217,56 @@ post('/login', function () {
    }
 });

+// Verify MFA 
+post('/login-mfa', function () {
+
+    $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+    $user = from($_REQUEST, 'user');
+    $pass = from($_REQUEST, 'password');
+    $mfacode = from($_REQUEST, 'mfacode');
+    $mfa_secret = user('mfa_secret', $user);
+    $google2fa = new Google2FA();
+    if ($google2fa->verifyKey($mfa_secret, $mfacode, '1')) {
+        session($user, $pass);
+        $log = session($user, $pass);
+
+        if (!empty($log)) {
+
+            config('views.root', 'system/admin/views');
+
+            render('login', array(
+                'title' => generate_title('is_default', i18n('Login')),
+                'description' => i18n('Login') . ' ' . blog_title(),
+                'canonical' => site_url(),
+                'metatags' => generate_meta(null, null),
+                'error' => '<ul>' . $log . '</ul>',
+                'type' => 'is_login',
+                'is_login' => true,
+                'bodyclass' => 'in-login',
+                'breadcrumb' => '<a href="' . site_url() . '">' . config('breadcrumb.home') . '</a> &#187; ' . i18n('Login')
+            ));
+        }
+    } else {
+        $message['error'] = '';
+        $message['error'] .= '<li class="alert alert-danger">' . i18n('MFA_Error') . '</li>';
+        config('views.root', 'system/admin/views');
+
+        render('login', array(
+            'title' => generate_title('is_default', i18n('Login')),
+            'description' => i18n('Login') . ' ' . blog_title(),
+            'canonical' => site_url(),
+            'metatags' => generate_meta(null, null),
+            'error' => '<ul>' . $message['error'] . '</ul>',
+            'username' => $user,
+            'password' => $pass,
+            'type' => 'is_login',
+            'is_login' => true,
+            'bodyclass' => 'in-login',
+            'breadcrumb' => '<a href="' . site_url() . '">' . config('breadcrumb.home') . '</a> &#187; ' . i18n('Login')
+        ));
+    }
+});
+
 // Show the author page
 get('/author/:name', function ($name) {