From 5abefb689bc17dc26e747164f9251926faade358 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Tue, 19 Sep 2017 11:46:25 -0400
Subject: Bug 1400419 - Direct GitHub-auth'd users that are required to use 2FA
 to issue a password reset

---
 Bugzilla.pm                                     |  3 ++-
 js/account.js                                   | 13 ++++++++++++-
 template/en/default/account/prefs/mfa.html.tmpl | 22 +++++++++++++++++++---
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/Bugzilla.pm b/Bugzilla.pm
index 96eff5df2..9234243f7 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -407,13 +407,14 @@ sub login {
         my $grace_period = Bugzilla->params->{mfa_group_grace_period};
         my $expired      = defined $date && $date < DateTime->now;
         my $on_mfa_page  = $cgi->script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
+        my $on_token_page = $cgi->script_name eq '/token.cgi';
 
         Bugzilla->request_cache->{mfa_warning} = 1;
         Bugzilla->request_cache->{mfa_grace_period_expired} = $expired;
         Bugzilla->request_cache->{on_mfa_page} = $on_mfa_page;
 
         if ( $grace_period == 0 || $expired) {
-            if (!$on_mfa_page) {
+            if ( !( $on_mfa_page || $on_token_page ) ) {
                 print Bugzilla->cgi->redirect("userprefs.cgi?tab=mfa");
                 exit;
             }
diff --git a/js/account.js b/js/account.js
index c5557aa41..8642cadbd 100644
--- a/js/account.js
+++ b/js/account.js
@@ -287,7 +287,18 @@ $(function() {
         });
 
     if ($('#mfa-action').length) {
-        $('#update').attr('disabled', true);
+        if ($("#mfa-action").data('nopassword')) {
+            $('#update')
+                .attr('disabled', false)
+                .val("Reset Password")
+                .click(function(event) {
+                    event.preventDefault();
+                    $('#forgot-form').submit();
+                });
+        }
+        else {
+            $("#update").attr('disabled', true);
+        }
     }
 
     // api-key
diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl
index 99a4b0f2a..482832f63 100644
--- a/template/en/default/account/prefs/mfa.html.tmpl
+++ b/template/en/default/account/prefs/mfa.html.tmpl
@@ -7,6 +7,13 @@
   #%]
 
 [% SET MFA_HOWTO = "https://wiki.mozilla.org/BMO/UserGuide/Two-Factor_Authentication" %]
+[% tab_footer = BLOCK %]
+  <form action="token.cgi" method="post" id="forgot-form">
+    <input type="hidden" name="loginname" value="[% user.login FILTER html %]">
+    <input type="hidden" name="a" value="reqpw">
+    <input type="hidden" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
+  </form>
+[% END %]
 
 [% IF NOT Bugzilla.feature('mfa') %]
   <input type="hidden" name="mfa_action" id="mfa-action" value="">
@@ -16,10 +23,19 @@
   [% RETURN %]
 [% END %]
 [% IF user.cryptpassword == '*' %]
-  <input type="hidden" name="mfa_action" id="mfa-action" value="">
+  <input type="hidden" name="mfa_action" id="mfa-action" value="" data-nopassword="true">
+  [% IF Bugzilla.request_cache.mfa_warning %]
+    <p>
+      Your account requires Two-Factor authentication to be configured before you can use [% terms.Bugzilla %]
+    </p>
+  [% END %]
+  <p>
+    Before you can enable two-factor authentication you must set a password on your account.
+    To do this on your account please click on "Reset Password";
+    this will email you instructions to start the password reset process.
+  </p>
   <p>
-    Two-factor Authentication is not available on your account because you are
-    using an external authentication provider.
+    As part of this transition you will no longer be able to use GitHub to log in to [% terms.Bugzilla %].
   </p>
   [% RETURN %]
 [% END %]
-- 
cgit v1.2.3-24-g4f1b