From 6d3e16dc07a8dd153748fc4dbeb02aa418eb2ee0 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Thu, 10 May 2018 11:51:27 +0300
Subject: [PATCH] Fix session secret for 2FA
---
 classes/admincontroller.php | 13 +++++++------
 .../forms/fields/2fa_secret/2fa_secret.html.twig | 10 ++++++----
 2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index fc483762..201e3e3d 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -176,25 +176,26 @@ class AdminController extends AdminBaseController
 try {
 /** @var User $user */
- $user = clone $this->grav['user'];
+ $user = $this->grav['user'];
 /** @var TwoFactorAuth $twoFa */
 $twoFa = $this->grav['login']->twoFactorAuth();
 $secret = $twoFa->createSecret(160);
 $image = $twoFa->getQrImageData($user->username, $secret);
- $user->twofa_secret = str_replace(' ','', $secret);
- unset($user->authenticated);
-
+ // Save secret into the user file.
 $file = $user->file();
 if ($file->exists()) {
 $content = $file->content();
- $content['twofa_secret'] = $user->twofa_secret;
+ $content['twofa_secret'] = $secret;
 $file->save($content);
 $file->free();
 }
- $this->admin->json_response = ['status' => 'success', 'image' => $image, 'secret' => trim(chunk_split($secret, 4, ' '))];
+ // Change secret in the session.
+ $user->twofa_secret = $secret;
+
+ $this->admin->json_response = ['status' => 'success', 'image' => $image, 'secret' => preg_replace('|(\w{4})|', '\\1 ', $secret)];
 } catch (\Exception $e) {
 $this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
 return false;
diff --git a/themes/grav/templates/forms/fields/2fa_secret/2fa_secret.html.twig b/themes/grav/templates/forms/fields/2fa_secret/2fa_secret.html.twig
index 59ec39c5..d9398089 100644
--- a/themes/grav/templates/forms/fields/2fa_secret/2fa_secret.html.twig
+++ b/themes/grav/templates/forms/fields/2fa_secret/2fa_secret.html.twig
@@ -3,16 +3,18 @@ {% block input %}
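Review bot: The new code still answers `'status' => 'success'` with a QR image when `$file->exists()` is false, and with the moved assignment `$user->twofa_secret = $secret;` now also places that never-persisted secret on the live session user, so an authenticator enrolled from the QR code is presumably bound to a secret that is gone once the session ends. Since this runs inside a `try` whose `catch` already builds the error response, the missing-file case should fail loudly rather than fall through, e.g. `} else { throw new \RuntimeException('Cannot enable 2FA: user file does not exist'); }` after the `if ($file->exists())` block. Separately, the old response trimmed the chunked secret via `trim(chunk_split($secret, 4, ' '))`, whereas `preg_replace('|(\w{4})|', '\\1 ', $secret)` leaves a trailing space on the value the admin is expected to copy; wrapping it in `trim(...)` restores the previous output, and the twig `regex_replace` in the second file has the same trailing-space behaviour. Dropping the old `str_replace(' ', '', $secret)` normalisation before saving is only safe if `createSecret()` never returns whitespace, which nothing in this hunk shows. The enclosing method begins and ends outside the hunk.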
{% try %} - {% set user = grav.user %} - {% set image = grav.login.twoFactorAuth.getQrImageData(user.username, user.twofa_secret) %} + {% set user = grav.user %} + {% set image = grav.login.twoFactorAuth.getQrImageData(user.username, user.twofa_secret) %} + {% set secret = user.twofa_secret|regex_replace('/(\\w{4})/', '\\1 ') %} +
- {{ 'PLUGIN_ADMIN.2FA_SECRET'|tu }}: {{ user.twofa_secret }} + {{ 'PLUGIN_ADMIN.2FA_SECRET'|tu }}: {{ secret }}
- + {% catch %}