[NEW] Setting to disable 2FA globally (#11328)

packages/rocketchat-2fa/client/accountSecurity.html

@@ -3,44 +3,46 @@
 			{{> header sectionName="Security"}}
 	<div class="preferences-page__content">
 		<form id="security" autocomplete="off" class="container">
-				<fieldset>
-					<div class="section">
-						<h1>{{_ "Two-factor_authentication"}}</h1>
-						<div class="section-content border-component-color">
-							{{#if isEnabled}}
-								<button class="button danger disable-2fa">{{_ "Disable_two-factor_authentication"}}</button>
-							{{else}}
-								{{#unless isRegistering}}
-									<p>{{_ "Two-factor_authentication_is_currently_disabled"}}</p>
-
-									<button class="button primary enable-2fa">{{_ "Enable_two-factor_authentication"}}</button>
+				{{# if isAllowed}}
+					<fieldset>
+						<div class="section">
+							<h1>{{_ "Two-factor_authentication"}}</h1>
+							<div class="section-content border-component-color">
+								{{#if isEnabled}}
+									<button class="button danger disable-2fa">{{_ "Disable_two-factor_authentication"}}</button>
 								{{else}}
-									<p>{{_ "Scan_QR_code"}}</p>
-									<p>{{_ "Scan_QR_code_alternative_s" code=imageSecret}}</p>
-
-									<img src="{{imageData}}">
+									{{#unless isRegistering}}
+										<p>{{_ "Two-factor_authentication_is_currently_disabled"}}</p>
 
-									<form class="inline">
-										<input type="text" class="rc-input__element" id="testCode" placeholder="{{_ "Enter_authentication_code"}}">
-										<button class="button primary verify-code">{{_ "Verify"}}</button>
-									</form>
-								{{/unless}}
-							{{/if}}
-						</div>
-					</div>
-				</fieldset>
+										<button class="button primary enable-2fa">{{_ "Enable_two-factor_authentication"}}</button>
+									{{else}}
+										<p>{{_ "Scan_QR_code"}}</p>
+										<p>{{_ "Scan_QR_code_alternative_s" code=imageSecret}}</p>
 
+										<img src="{{imageData}}">
 
-				{{#if isEnabled}}
-					<fieldset>
-						<div class="section">
-							<h1>{{_ "Backup_codes"}}</h1>
-							<div class="section-content border-component-color">
-								<p>{{codesRemaining}}</p>
-								<button class="button regenerate-codes">{{_ "Regenerate_codes"}}</button>
+										<form class="inline">
+											<input type="text" class="rc-input__element" id="testCode" placeholder="{{_ "Enter_authentication_code"}}">
+											<button class="button primary verify-code">{{_ "Verify"}}</button>
+										</form>
+									{{/unless}}
+								{{/if}}
 							</div>
 						</div>
 					</fieldset>
+
+
+					{{#if isEnabled}}
+						<fieldset>
+							<div class="section">
+								<h1>{{_ "Backup_codes"}}</h1>
+								<div class="section-content border-component-color">
+									<p>{{codesRemaining}}</p>
+									<button class="button regenerate-codes">{{_ "Regenerate_codes"}}</button>
+								</div>
+							</div>
+						</fieldset>
+					{{/if}}
 				{{/if}}
 			</form>
 		</div>

packages/rocketchat-2fa/client/accountSecurity.js

@@ -20,6 +20,9 @@ Template.accountSecurity.helpers({
 	isRegistering() {
 		return Template.instance().state.get() === 'registering';
 	},
+	isAllowed() {
+		return RocketChat.settings.get('Accounts_TwoFactorAuthentication_Enabled');
+	},
 	codesRemaining() {
 		if (Template.instance().codesRemaining.get()) {
 			return t('You_have_n_codes_remaining', { number: Template.instance().codesRemaining.get() });

packages/rocketchat-2fa/package.js

@@ -30,5 +30,6 @@ Package.onUse(function(api) {
 
 	api.addFiles('server/models/users.js', 'server');
 
+	api.addFiles('server/startup/settings.js', 'server');
 	api.addFiles('server/loginHandler.js', 'server');
 });

packages/rocketchat-2fa/server/loginHandler.js

@@ -7,6 +7,10 @@ Accounts.registerLoginHandler('totp', function(options) {
 });
 
 RocketChat.callbacks.add('onValidateLogin', (login) => {
+	if (!RocketChat.settings.get('Accounts_TwoFactorAuthentication_Enabled')) {
+		return;
+	}
+
 	if (login.type === 'password' && login.user.services && login.user.services.totp && login.user.services.totp.enabled === true) {
 		const { totp } = login.methodArguments[0];
 

packages/rocketchat-2fa/server/startup/settings.js

@@ -0,0 +1,19 @@
+RocketChat.settings.addGroup('Accounts', function() {
+	this.section('Two Factor Authentication', function() {
+		this.add('Accounts_TwoFactorAuthentication_Enabled', true, {
+			type: 'boolean',
+			public: true
+		});
+		this.add('Accounts_TwoFactorAuthentication_MaxDelta', 1, {
+			type: 'int',
+			public: true,
+			i18nLabel: 'Accounts_TwoFactorAuthentication_MaxDelta',
+			enableQuery: {
+				_id: 'Accounts_TwoFactorAuthentication_Enabled',
+				value: true
+			}
+		});
+	});
+});
+
+

packages/rocketchat-i18n/i18n/en.i18n.json

@@ -175,6 +175,7 @@
   "Accounts_SetDefaultAvatar": "Set Default Avatar",
   "Accounts_SetDefaultAvatar_Description": "Tries to determine default avatar based on OAuth Account or Gravatar",
   "Accounts_ShowFormLogin": "Show Default Login Form",
+  "Accounts_TwoFactorAuthentication_Enabled": "Enable Two Factor Authentication",
   "Accounts_TwoFactorAuthentication_MaxDelta": "Maximum Delta",
   "Accounts_TwoFactorAuthentication_MaxDelta_Description": "The Maximum Delta determines how many tokens are valid at any given time. Tokens are generated every 30 seconds, and are valid for (30 * Maximum Delta) seconds. <br/>Example: With a Maximum Delta set to 10, each token can be used up to 300 seconds before or after it's timestamp. This is useful when the client's clock is not properly synced with the server.",
   "Accounts_UseDefaultBlockedDomainsList": "Use Default Blocked Domains List",

packages/rocketchat-lib/server/startup/settings.js

@@ -88,14 +88,6 @@ RocketChat.settings.addGroup('Accounts', function() {
 		public: true
 	});
 
-	this.section('Two Factor Authentication', function() {
-		this.add('Accounts_TwoFactorAuthentication_MaxDelta', 1, {
-			type: 'int',
-			public: true,
-			i18nLabel: 'Accounts_TwoFactorAuthentication_MaxDelta'
-		});
-	});
-
 	this.section('Registration', function() {
 		this.add('Accounts_DefaultUsernamePrefixSuggestion', 'user', {
 			type: 'string'