Bug 1199087 - extend 2fa protection beyond login

5 files changed, 74 insertions, 73 deletions

diff --git a/template/en/default/account/password/set-forgotten-password.html.tmpl b/template/en/default/account/password/set-forgotten-password.html.tmpl
index a2ae517c8..cfeacbb93 100644
--- a/template/en/default/account/password/set-forgotten-password.html.tmpl
+++ b/template/en/default/account/password/set-forgotten-password.html.tmpl
@@ -36,18 +36,19 @@
         (minimum [% constants.USER_PASSWORD_MIN_LENGTH FILTER none %] characters)
       </td>
     </tr>
-    
+
     <tr>
       <th align="right">New Password Again:</th>
       <td>
         <input type="password" name="matchpassword">
       </td>
     </tr>
-    
+
     <tr>
       <th align="right">&nbsp;</th>
       <td>
         <input type="submit" id="update" value="Submit">
+        [% INCLUDE mfa/protected.html.tmpl user=token_user %]
       </td>
     </tr>
   </table>
diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl
index bfae7f071..3f838691b 100644
--- a/template/en/default/account/prefs/account.html.tmpl
+++ b/template/en/default/account/prefs/account.html.tmpl
@@ -72,6 +72,7 @@
         <th align="right">New password:</th>
         <td>
           <input type="password" name="new_password1">
+          [% INCLUDE "mfa/protected.html.tmpl" %]
         </td>
       </tr>
 
@@ -109,6 +110,7 @@
           <th align="right">New email address:</th>
           <td>
             <input size="35" name="new_login_name">
+            [% INCLUDE "mfa/protected.html.tmpl" %]
           </td>
         </tr>
       [% END %]
diff --git a/template/en/default/account/prefs/apikey.html.tmpl b/template/en/default/account/prefs/apikey.html.tmpl
index 8b740cf1e..926f3838b 100644
--- a/template/en/default/account/prefs/apikey.html.tmpl
+++ b/template/en/default/account/prefs/apikey.html.tmpl
@@ -14,8 +14,10 @@
 <p>
   API keys are used to authenticate WebService API calls. You can create more than
   one API key if required. Each API key has an optional description which can help
-  you record what each key is used for. Documentation on how to log in is available from
-  <a href="https://bugzilla.readthedocs.org/en/latest/api/core/v1/general.html#authentication">
+  you record what each key is used for.<br>
+  <br>
+  Documentation on how to log in is available
+  <a href="https://bmo.readthedocs.org/en/latest/api/core/v1/general.html#authentication">
     here</a>.
 </p>
 
@@ -33,7 +35,7 @@ here.</p>
   </tr>
 
   [% FOREACH api_key IN api_keys %]
-    <tr[% IF api_key.revoked %] class="apikey_revoked"[% END %]>
+    <tr[% IF api_key.revoked %] class="apikey_revoked bz_tui_hidden" style="display:none"[% END %]>
       <td>[% api_key.api_key FILTER html %]</td>
       <td>
         <input name="description_[% api_key.id FILTER html %]"
@@ -52,6 +54,9 @@ here.</p>
           name="revoked_[% api_key.id FILTER html %]"
           id="revoked_[% api_key.id FILTER html %]"
           [% IF api_key.revoked %] checked="checked" [% END %]>
+        [% IF api_key.revoked %]
+          [% INCLUDE "mfa/protected.html.tmpl" %]
+        [% END %]
       </td>
     </tr>
   [% END %]
@@ -61,15 +66,7 @@ here.</p>
 </table>
 
 [% IF any_revoked %]
-  <a id="apikey_revoked_controller" class="bz_default_hidden"
-     href="javascript:TUI_toggle_class('apikey_revoked')">Hide Revoked Keys</a>
-  [%# Show the link if the browser supports JS %]
-  <script type="text/javascript">
-    TUI_hide_default('apikey_revoked');
-    TUI_alternates['apikey_revoked'] = 'Show Revoked Keys';
-    YAHOO.util.Dom.removeClass('apikey_revoked_controller',
-                               'bz_default_hidden');
-  </script>
+  <a href="#" id="apikey-toggle-revoked">Show Revoked Keys</a>
 [% END %]
 
 <h3>New API key</h3>
@@ -79,10 +76,10 @@ providing a description for the API key. The API key will be randomly
 generated for you.</p>
 
 <p>
-  <input type="checkbox" name="new_key" id="new_key"
-         onchange="if (this.checked) YAHOO.util.Dom.get('new_description').focus();">
+  <input type="checkbox" name="new_key" id="new_key">
   <label for="new_key">
     Generate a new API key with optional description</label>
   <input name="new_description" id="new_description">
+  [% INCLUDE "mfa/protected.html.tmpl" %]
 </p>
 
diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl
index e3751a5b7..5aed954f9 100644
--- a/template/en/default/account/prefs/mfa.html.tmpl
+++ b/template/en/default/account/prefs/mfa.html.tmpl
@@ -33,6 +33,7 @@
     <input type="hidden" name="mfa_action" id="mfa-action" value="disable">
 
     <button type="button" id="mfa-disable">Disable Two-factor Authentication</button>
+    [% INCLUDE "mfa/protected.html.tmpl" %]
 
     <div id="mfa-disable-container" style="display:none">
 
@@ -50,7 +51,7 @@
 
       [% IF user.mfa == "TOTP" %]
         <label class="mfa-totp">Code:</label>
-        <input type="text" name="mfa_disable_code" id="mfa-totp-disable-code"
+        <input type="text" name="code" id="mfa-totp-disable-code"
                placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
                autocomplete="off" required autofocus>
       [% END %]
@@ -79,70 +80,67 @@
       Two-factor authentication is currently <b>disabled</b>.
     </p>
     <input type="hidden" name="mfa_action" id="mfa-action" value="enable">
+    <input type="hidden" name="mfa" id="mfa">
 
-    <button type="button" id="mfa-enable">Enable Two-factor Authentication</button>
-
-    <div id="mfa-enable-container" style="display:none">
-      <b>System:</b>
-      <select name="mfa" id="mfa">
-        <option value="" selected></option>
-        <option value="TOTP">Time-based One-Time Password (TOTP)</option>
-      </select>
+    <div id="mfa-select">
+      <p>
+        Select the two-factor system you want to use:
+      </p>
+      <button type="button" id="mfa-select-totp">Time-based One-Time Password (TOTP)</button>
+    </div>
 
-      [%# TOTP %]
-      <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
+    [%# TOTP %]
+    <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
 
-        <p>
-          Your current password is required to enable two-factor authentication.
-        </p>
-        <p>
-          <label class="mfa-totp">Current Password:</label>
-          <input type="password" name="password" id="mfa-password" required>
-        </p>
+      <p>
+        Your current password is required to enable two-factor authentication.
+      </p>
+      <p>
+        <label class="mfa-totp">Current Password:</label>
+        <input type="password" name="password" id="mfa-password" required>
+      </p>
 
-        <div id="mfa-totp-throbber">
-          Generating new QR code.. <img src="skins/standard/throbber.gif" width="16" height="11">
-        </div>
+      <div id="mfa-totp-throbber">
+        Generating new QR code.. <img src="skins/standard/throbber.gif" width="16" height="11">
+      </div>
 
-        <div id="mfa-totp-issued" style="display:none">
-          <iframe id="mfa-enable-totp-frame" src="userprefs.cgi?tab=mfa&frame=totp" tabindex="-1"></iframe>
-          <div id="mfa-totp-blurb">
-            Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
-            then enter the six digit code the app generates.<br>
-            <br>
-            <label class="mfa-totp">Code:</label>
-            <input type="text" name="mfa_enable_code" id="mfa-totp-enable-code"
-                   placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
-                   autocomplete="off" required autofocus>
-          </div>
+      <div id="mfa-totp-issued" style="display:none">
+        <iframe id="mfa-enable-totp-frame" src="userprefs.cgi?tab=mfa&frame=totp" tabindex="-1"></iframe>
+        <div id="mfa-totp-blurb">
+          Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
+          then enter the six digit code the app generates.<br>
+          <br>
+          <label class="mfa-totp">Code:</label>
+          <input type="text" name="code" id="mfa-totp-enable-code"
+                  placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+                  autocomplete="off" required autofocus>
         </div>
+      </div>
 
-        <p>
-          If you have problems enrolling, this may be due to an inaccurate time on your device.<br>
-          Please check that the time on your device is accurate by visiting <b>http://time.is/</b>.
-        </p>
-
-        <div id="mfa-totp-apps-popup" class="mfa-totp-popup" style="display:none">
-          Example TOTP Applications:<br>
-          <ul>
-            <li>Android and iOS:
-              <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>,
-              <a href="https://fedorahosted.org/freeotp/" target="_blank">Red Hat FreeOTP</a>
-            </li>
-            <li>Firefox OS:
-              <a href="https://marketplace.firefox.com/app/firekey/" target="_blank">Firekey</a>
-            </li>
-            <li>Windows Phone:
-              <a href="http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8"
-                 target="_blank">Authenticator</a>
-            </li>
-          </ul>
-          <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Client_implementations" target="_blank">
-            Other clients
-          </a>
-          <button type="button" class="mfa-totp-popup-close">Close</button>
-        </div>
+      <p>
+        If you have problems enrolling, this may be due to an inaccurate time on your device.<br>
+        Please check that the time on your device is accurate by visiting <b>http://time.is/</b>.
+      </p>
 
+      <div id="mfa-totp-apps-popup" class="mfa-totp-popup" style="display:none">
+        Example TOTP Applications:<br>
+        <ul>
+          <li>Android and iOS:
+            <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>,
+            <a href="https://fedorahosted.org/freeotp/" target="_blank">Red Hat FreeOTP</a>
+          </li>
+          <li>Firefox OS:
+            <a href="https://marketplace.firefox.com/app/firekey/" target="_blank">Firekey</a>
+          </li>
+          <li>Windows Phone:
+            <a href="http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8"
+                target="_blank">Authenticator</a>
+          </li>
+        </ul>
+        <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Client_implementations" target="_blank">
+          Other clients
+        </a>
+        <button type="button" class="mfa-totp-popup-close">Close</button>
       </div>
 
     </div>
diff --git a/template/en/default/account/prefs/settings.html.tmpl b/template/en/default/account/prefs/settings.html.tmpl
index 65e31359b..0147f95ef 100644
--- a/template/en/default/account/prefs/settings.html.tmpl
+++ b/template/en/default/account/prefs/settings.html.tmpl
@@ -62,6 +62,9 @@
                 </option>
               [% END %]
             </select>
+            [% IF name == "api_key_only" %]
+              [% INCLUDE "mfa/protected.html.tmpl" %]
+            [% END %]
           [% ELSE %]
             <select name="[% name FILTER html %]" id="[% name FILTER html %]" disabled="disabled">
               <option value="[% default_name FILTER html %]">