From 043c7523acd6af5288191b15f746fc360b73ab40 Mon Sep 17 00:00:00 2001
From: Byron Jones <glob@mozilla.com>
Date: Wed, 23 Sep 2015 11:54:41 +0800
Subject: Bug 1199087 - extend 2fa protection beyond login

---
 .../password/set-forgotten-password.html.tmpl      |   5 +-
 .../en/default/account/prefs/account.html.tmpl     |   2 +
 template/en/default/account/prefs/apikey.html.tmpl |  25 ++---
 template/en/default/account/prefs/mfa.html.tmpl    | 112 ++++++++++-----------
 .../en/default/account/prefs/settings.html.tmpl    |   3 +
 template/en/default/global/code-error.html.tmpl    |   3 +
 template/en/default/global/user-error.html.tmpl    |   9 +-
 template/en/default/mfa/protected.html.tmpl        |  12 +++
 template/en/default/mfa/totp/verify.html.tmpl      |  18 ++--
 9 files changed, 106 insertions(+), 83 deletions(-)
 create mode 100644 template/en/default/mfa/protected.html.tmpl

(limited to 'template')

diff --git a/template/en/default/account/password/set-forgotten-password.html.tmpl b/template/en/default/account/password/set-forgotten-password.html.tmpl
index a2ae517c8..cfeacbb93 100644
--- a/template/en/default/account/password/set-forgotten-password.html.tmpl
+++ b/template/en/default/account/password/set-forgotten-password.html.tmpl
@@ -36,18 +36,19 @@
         (minimum [% constants.USER_PASSWORD_MIN_LENGTH FILTER none %] characters)
       </td>
     </tr>
-    
+
     <tr>
       <th align="right">New Password Again:</th>
       <td>
         <input type="password" name="matchpassword">
       </td>
     </tr>
-    
+
     <tr>
       <th align="right">&nbsp;</th>
       <td>
         <input type="submit" id="update" value="Submit">
+        [% INCLUDE mfa/protected.html.tmpl user=token_user %]
       </td>
     </tr>
   </table>
diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl
index bfae7f071..3f838691b 100644
--- a/template/en/default/account/prefs/account.html.tmpl
+++ b/template/en/default/account/prefs/account.html.tmpl
@@ -72,6 +72,7 @@
         <th align="right">New password:</th>
         <td>
           <input type="password" name="new_password1">
+          [% INCLUDE "mfa/protected.html.tmpl" %]
         </td>
       </tr>
 
@@ -109,6 +110,7 @@
           <th align="right">New email address:</th>
           <td>
             <input size="35" name="new_login_name">
+            [% INCLUDE "mfa/protected.html.tmpl" %]
           </td>
         </tr>
       [% END %]
diff --git a/template/en/default/account/prefs/apikey.html.tmpl b/template/en/default/account/prefs/apikey.html.tmpl
index 8b740cf1e..926f3838b 100644
--- a/template/en/default/account/prefs/apikey.html.tmpl
+++ b/template/en/default/account/prefs/apikey.html.tmpl
@@ -14,8 +14,10 @@
 <p>
   API keys are used to authenticate WebService API calls. You can create more than
   one API key if required. Each API key has an optional description which can help
-  you record what each key is used for. Documentation on how to log in is available from
-  <a href="https://bugzilla.readthedocs.org/en/latest/api/core/v1/general.html#authentication">
+  you record what each key is used for.<br>
+  <br>
+  Documentation on how to log in is available
+  <a href="https://bmo.readthedocs.org/en/latest/api/core/v1/general.html#authentication">
     here</a>.
 </p>
 
@@ -33,7 +35,7 @@ here.</p>
   </tr>
 
   [% FOREACH api_key IN api_keys %]
-    <tr[% IF api_key.revoked %] class="apikey_revoked"[% END %]>
+    <tr[% IF api_key.revoked %] class="apikey_revoked bz_tui_hidden" style="display:none"[% END %]>
       <td>[% api_key.api_key FILTER html %]</td>
       <td>
         <input name="description_[% api_key.id FILTER html %]"
@@ -52,6 +54,9 @@ here.</p>
           name="revoked_[% api_key.id FILTER html %]"
           id="revoked_[% api_key.id FILTER html %]"
           [% IF api_key.revoked %] checked="checked" [% END %]>
+        [% IF api_key.revoked %]
+          [% INCLUDE "mfa/protected.html.tmpl" %]
+        [% END %]
       </td>
     </tr>
   [% END %]
@@ -61,15 +66,7 @@ here.</p>
 </table>
 
 [% IF any_revoked %]
-  <a id="apikey_revoked_controller" class="bz_default_hidden"
-     href="javascript:TUI_toggle_class('apikey_revoked')">Hide Revoked Keys</a>
-  [%# Show the link if the browser supports JS %]
-  <script type="text/javascript">
-    TUI_hide_default('apikey_revoked');
-    TUI_alternates['apikey_revoked'] = 'Show Revoked Keys';
-    YAHOO.util.Dom.removeClass('apikey_revoked_controller',
-                               'bz_default_hidden');
-  </script>
+  <a href="#" id="apikey-toggle-revoked">Show Revoked Keys</a>
 [% END %]
 
 <h3>New API key</h3>
@@ -79,10 +76,10 @@ providing a description for the API key. The API key will be randomly
 generated for you.</p>
 
 <p>
-  <input type="checkbox" name="new_key" id="new_key"
-         onchange="if (this.checked) YAHOO.util.Dom.get('new_description').focus();">
+  <input type="checkbox" name="new_key" id="new_key">
   <label for="new_key">
     Generate a new API key with optional description</label>
   <input name="new_description" id="new_description">
+  [% INCLUDE "mfa/protected.html.tmpl" %]
 </p>
 
diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl
index e3751a5b7..5aed954f9 100644
--- a/template/en/default/account/prefs/mfa.html.tmpl
+++ b/template/en/default/account/prefs/mfa.html.tmpl
@@ -33,6 +33,7 @@
     <input type="hidden" name="mfa_action" id="mfa-action" value="disable">
 
     <button type="button" id="mfa-disable">Disable Two-factor Authentication</button>
+    [% INCLUDE "mfa/protected.html.tmpl" %]
 
     <div id="mfa-disable-container" style="display:none">
 
@@ -50,7 +51,7 @@
 
       [% IF user.mfa == "TOTP" %]
         <label class="mfa-totp">Code:</label>
-        <input type="text" name="mfa_disable_code" id="mfa-totp-disable-code"
+        <input type="text" name="code" id="mfa-totp-disable-code"
                placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
                autocomplete="off" required autofocus>
       [% END %]
@@ -79,70 +80,67 @@
       Two-factor authentication is currently <b>disabled</b>.
     </p>
     <input type="hidden" name="mfa_action" id="mfa-action" value="enable">
+    <input type="hidden" name="mfa" id="mfa">
 
-    <button type="button" id="mfa-enable">Enable Two-factor Authentication</button>
-
-    <div id="mfa-enable-container" style="display:none">
-      <b>System:</b>
-      <select name="mfa" id="mfa">
-        <option value="" selected></option>
-        <option value="TOTP">Time-based One-Time Password (TOTP)</option>
-      </select>
+    <div id="mfa-select">
+      <p>
+        Select the two-factor system you want to use:
+      </p>
+      <button type="button" id="mfa-select-totp">Time-based One-Time Password (TOTP)</button>
+    </div>
 
-      [%# TOTP %]
-      <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
+    [%# TOTP %]
+    <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
 
-        <p>
-          Your current password is required to enable two-factor authentication.
-        </p>
-        <p>
-          <label class="mfa-totp">Current Password:</label>
-          <input type="password" name="password" id="mfa-password" required>
-        </p>
+      <p>
+        Your current password is required to enable two-factor authentication.
+      </p>
+      <p>
+        <label class="mfa-totp">Current Password:</label>
+        <input type="password" name="password" id="mfa-password" required>
+      </p>
 
-        <div id="mfa-totp-throbber">
-          Generating new QR code.. <img src="skins/standard/throbber.gif" width="16" height="11">
-        </div>
+      <div id="mfa-totp-throbber">
+        Generating new QR code.. <img src="skins/standard/throbber.gif" width="16" height="11">
+      </div>
 
-        <div id="mfa-totp-issued" style="display:none">
-          <iframe id="mfa-enable-totp-frame" src="userprefs.cgi?tab=mfa&frame=totp" tabindex="-1"></iframe>
-          <div id="mfa-totp-blurb">
-            Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
-            then enter the six digit code the app generates.<br>
-            <br>
-            <label class="mfa-totp">Code:</label>
-            <input type="text" name="mfa_enable_code" id="mfa-totp-enable-code"
-                   placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
-                   autocomplete="off" required autofocus>
-          </div>
+      <div id="mfa-totp-issued" style="display:none">
+        <iframe id="mfa-enable-totp-frame" src="userprefs.cgi?tab=mfa&frame=totp" tabindex="-1"></iframe>
+        <div id="mfa-totp-blurb">
+          Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
+          then enter the six digit code the app generates.<br>
+          <br>
+          <label class="mfa-totp">Code:</label>
+          <input type="text" name="code" id="mfa-totp-enable-code"
+                  placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+                  autocomplete="off" required autofocus>
         </div>
+      </div>
 
-        <p>
-          If you have problems enrolling, this may be due to an inaccurate time on your device.<br>
-          Please check that the time on your device is accurate by visiting <b>http://time.is/</b>.
-        </p>
-
-        <div id="mfa-totp-apps-popup" class="mfa-totp-popup" style="display:none">
-          Example TOTP Applications:<br>
-          <ul>
-            <li>Android and iOS:
-              <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>,
-              <a href="https://fedorahosted.org/freeotp/" target="_blank">Red Hat FreeOTP</a>
-            </li>
-            <li>Firefox OS:
-              <a href="https://marketplace.firefox.com/app/firekey/" target="_blank">Firekey</a>
-            </li>
-            <li>Windows Phone:
-              <a href="http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8"
-                 target="_blank">Authenticator</a>
-            </li>
-          </ul>
-          <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Client_implementations" target="_blank">
-            Other clients
-          </a>
-          <button type="button" class="mfa-totp-popup-close">Close</button>
-        </div>
+      <p>
+        If you have problems enrolling, this may be due to an inaccurate time on your device.<br>
+        Please check that the time on your device is accurate by visiting <b>http://time.is/</b>.
+      </p>
 
+      <div id="mfa-totp-apps-popup" class="mfa-totp-popup" style="display:none">
+        Example TOTP Applications:<br>
+        <ul>
+          <li>Android and iOS:
+            <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>,
+            <a href="https://fedorahosted.org/freeotp/" target="_blank">Red Hat FreeOTP</a>
+          </li>
+          <li>Firefox OS:
+            <a href="https://marketplace.firefox.com/app/firekey/" target="_blank">Firekey</a>
+          </li>
+          <li>Windows Phone:
+            <a href="http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8"
+                target="_blank">Authenticator</a>
+          </li>
+        </ul>
+        <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Client_implementations" target="_blank">
+          Other clients
+        </a>
+        <button type="button" class="mfa-totp-popup-close">Close</button>
       </div>
 
     </div>
diff --git a/template/en/default/account/prefs/settings.html.tmpl b/template/en/default/account/prefs/settings.html.tmpl
index 65e31359b..0147f95ef 100644
--- a/template/en/default/account/prefs/settings.html.tmpl
+++ b/template/en/default/account/prefs/settings.html.tmpl
@@ -62,6 +62,9 @@
                 </option>
               [% END %]
             </select>
+            [% IF name == "api_key_only" %]
+              [% INCLUDE "mfa/protected.html.tmpl" %]
+            [% END %]
           [% ELSE %]
             <select name="[% name FILTER html %]" id="[% name FILTER html %]" disabled="disabled">
               <option value="[% default_name FILTER html %]">
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 316e98450..c4ff7e73a 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -453,6 +453,9 @@
   [% ELSIF error == "token_generation_error" %]
     Something is seriously wrong with the token generation system.
 
+  [% ELSIF error == "token_data_too_big" %]
+    The data is too large to store in a token.
+
   [% ELSIF error == "cancel_token_does_not_exist" %]
     The token to be cancelled does not exist.
 
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 1ec3202bb..7a3a536cd 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1215,6 +1215,11 @@
   [% ELSIF error == "mfa_totp_bad_code" %]
     Invalid verification code.
 
+  [% ELSIF error == "mfa_totp_bad_enrolment_code" %]
+    Invalid verification code.<br>
+    <br>
+    The QR code has been deleted - please generate and scan a new code.
+
   [% ELSIF error == "migrate_config_created" %]
     The file <kbd>[% file FILTER html %]</kbd> contains configuration
     variables that must be set before continuing with the migration.
@@ -1468,8 +1473,8 @@
     You did not enter your old password correctly.
 
   [% ELSIF error == "old_password_required" %]
-    [% title = "Old Password Required" %]
-    You must enter your old password to change your email address.
+    [% title = "Password Required" %]
+    You must enter your current password to change your email address.
 
   [% ELSIF error == "password_change_requests_not_allowed" %]
     [% title = "Password Change Requests Not Allowed" %]
diff --git a/template/en/default/mfa/protected.html.tmpl b/template/en/default/mfa/protected.html.tmpl
new file mode 100644
index 000000000..da945244d
--- /dev/null
+++ b/template/en/default/mfa/protected.html.tmpl
@@ -0,0 +1,12 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+  # License, v. 2.0. If a copy of the MPL was not distributed with this
+  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+  #
+  # This Source Code Form is "Incompatible With Secondary Licenses", as
+  # defined by the Mozilla Public License, v. 2.0.
+  #%]
+
+[% RETURN UNLESS user.mfa %]
+
+<img src="images/mfa.png" class="mfa-protected" width="16" height="16"
+     alt="2FA" title="Protected by Two-factor Authentication">
diff --git a/template/en/default/mfa/totp/verify.html.tmpl b/template/en/default/mfa/totp/verify.html.tmpl
index 3ff720d62..e61ee3866 100644
--- a/template/en/default/mfa/totp/verify.html.tmpl
+++ b/template/en/default/mfa/totp/verify.html.tmpl
@@ -13,17 +13,19 @@
 <h1>Account Verification</h1>
 
 <p>
+  <b>[% reason FILTER html %]</b> requires verification.<br>
   Please enter your verification code from your TOTP application:
 </p>
 
-<form method="POST" action="token.cgi">
-<input type="hidden" name="a" value="mfa">
-<input type="hidden" name="t" value="[% token FILTER html %]">
-<input type="text" name="code" id="code"
-       placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
-       autocomplete="off" required autofocus><br>
-<br>
-<input type="submit" value="Submit">
+<form method="POST" action="[% postback.action FILTER none %]">
+  [% FOREACH field IN postback.fields.keys %]
+    <input type="hidden" name="[% field FILTER html %]" value="[% postback.fields.item(field) FILTER html %]">
+  [% END %]
+  <input type="text" name="code" id="code"
+        placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+        autocomplete="off" required autofocus><br>
+  <br>
+  <input type="submit" value="Submit">
 </form>
 
 [% INCLUDE global/footer.html.tmpl %]
-- 
cgit v1.2.3-24-g4f1b