From 7f7690d7d740315534c19e405eeff4178457dd99 Mon Sep 17 00:00:00 2001 From: "Pierre H. Lehnen" Date: Sat, 21 Jul 2018 02:23:38 -0300 Subject: [PATCH] [NEW] Setting to disable 2FA globally (#11328) --- .../client/accountSecurity.html | 64 ++++++++++--------- .../rocketchat-2fa/client/accountSecurity.js | 3 + packages/rocketchat-2fa/package.js | 1 + .../rocketchat-2fa/server/loginHandler.js | 4 ++ .../rocketchat-2fa/server/startup/settings.js | 19 ++++++ packages/rocketchat-i18n/i18n/en.i18n.json | 1 + .../rocketchat-lib/server/startup/settings.js | 8 --- 7 files changed, 61 insertions(+), 39 deletions(-) create mode 100644 packages/rocketchat-2fa/server/startup/settings.js diff --git a/packages/rocketchat-2fa/client/accountSecurity.html b/packages/rocketchat-2fa/client/accountSecurity.html index 8daba662f4c..3496ee8a53a 100644 --- a/packages/rocketchat-2fa/client/accountSecurity.html +++ b/packages/rocketchat-2fa/client/accountSecurity.html @@ -3,44 +3,46 @@ {{> header sectionName="Security"}}
-
-
-

{{_ "Two-factor_authentication"}}

-
- {{#if isEnabled}} - - {{else}} - {{#unless isRegistering}} -

{{_ "Two-factor_authentication_is_currently_disabled"}}

- - + {{# if isAllowed}} +
+
+

{{_ "Two-factor_authentication"}}

+
+ {{#if isEnabled}} + {{else}} -

{{_ "Scan_QR_code"}}

-

{{_ "Scan_QR_code_alternative_s" code=imageSecret}}

- - + {{#unless isRegistering}} +

{{_ "Two-factor_authentication_is_currently_disabled"}}

- - - - - {{/unless}} - {{/if}} -
-
-
+ + {{else}} +

{{_ "Scan_QR_code"}}

+

{{_ "Scan_QR_code_alternative_s" code=imageSecret}}

+ - {{#if isEnabled}} -
-
-

{{_ "Backup_codes"}}

-
-

{{codesRemaining}}

- +
+ + +
+ {{/unless}} + {{/if}}
+ + + {{#if isEnabled}} +
+
+

{{_ "Backup_codes"}}

+
+

{{codesRemaining}}

+ +
+
+
+ {{/if}} {{/if}}
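Review bot: The new outer block is opened as `{{# if isAllowed}}`, while every other block tag in this template is written `{{#if …}}`; use `{{#if isAllowed}}` for consistency. As far as the visible lines show, the block has no `{{else}}` branch, so when an administrator turns the setting off the Security page renders only its header. A short message saying that two-factor authentication is disabled on this server would tell users why their enrolment and backup-code controls disappeared. The markup of this hunk is partly lost in this rendering, so confirm both points against the file.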
diff --git a/packages/rocketchat-2fa/client/accountSecurity.js b/packages/rocketchat-2fa/client/accountSecurity.js index 51f4a4d6746..3207577d560 100644 --- a/packages/rocketchat-2fa/client/accountSecurity.js +++ b/packages/rocketchat-2fa/client/accountSecurity.js @@ -20,6 +20,9 @@ Template.accountSecurity.helpers({ isRegistering() { return Template.instance().state.get() === 'registering'; }, + isAllowed() { + return RocketChat.settings.get('Accounts_TwoFactorAuthentication_Enabled'); + }, codesRemaining() { if (Template.instance().codesRemaining.get()) { return t('You_have_n_codes_remaining', { number: Template.instance().codesRemaining.get() }); diff --git a/packages/rocketchat-2fa/package.js b/packages/rocketchat-2fa/package.js index 13cb5bcc0eb..591656592b4 100644 --- a/packages/rocketchat-2fa/package.js +++ b/packages/rocketchat-2fa/package.js @@ -30,5 +30,6 @@ Package.onUse(function(api) { api.addFiles('server/models/users.js', 'server'); + api.addFiles('server/startup/settings.js', 'server'); api.addFiles('server/loginHandler.js', 'server'); }); diff --git a/packages/rocketchat-2fa/server/loginHandler.js b/packages/rocketchat-2fa/server/loginHandler.js index 650b1f9d6df..e7656787507 100644 --- a/packages/rocketchat-2fa/server/loginHandler.js +++ b/packages/rocketchat-2fa/server/loginHandler.js @@ -7,6 +7,10 @@ Accounts.registerLoginHandler('totp', function(options) { }); RocketChat.callbacks.add('onValidateLogin', (login) => { + if (!RocketChat.settings.get('Accounts_TwoFactorAuthentication_Enabled')) { + return; + } + if (login.type === 'password' && login.user.services && login.user.services.totp && login.user.services.totp.enabled === true) { const { totp } = login.methodArguments[0]; diff --git a/packages/rocketchat-2fa/server/startup/settings.js b/packages/rocketchat-2fa/server/startup/settings.js new file mode 100644 index 00000000000..98a16104945 --- /dev/null +++ b/packages/rocketchat-2fa/server/startup/settings.js 
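Review bot: `isAllowed()` only hides the enrolment UI on the client, so it is a display gate and not an enforcement point. The diffstat lists no change to the package's server-side methods, so if enrolment and backup-code regeneration are exposed as Meteor methods (not visible here), they should check `RocketChat.settings.get('Accounts_TwoFactorAuthentication_Enabled')` themselves and reject the call when it is off. A one-line comment above the helper, such as `// UI gate only; the server must enforce this setting itself`, would make that explicit. The helpers object starts and ends outside the hunk.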
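Review bot: The guard added at the top of the `onValidateLogin` callback in loginHandler.js fails open, because `!RocketChat.settings.get(...)` is true for `undefined` and every other falsy value. If the setting is ever missing or not yet loaded, the TOTP check is skipped for every enrolled account. Skip only on the explicit disabled value: `if (RocketChat.settings.get('Accounts_TwoFactorAuthentication_Enabled') === false) { return; }`. This branch downgrades enrolled users to password-only login, so it also deserves a comment saying so, and a change of the setting is worth an audit-log entry. The callback body continues outside the hunk.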
@@ -0,0 +1,19 @@ +RocketChat.settings.addGroup('Accounts', function() { + this.section('Two Factor Authentication', function() { + this.add('Accounts_TwoFactorAuthentication_Enabled', true, { + type: 'boolean', + public: true + }); + this.add('Accounts_TwoFactorAuthentication_MaxDelta', 1, { + type: 'int', + public: true, + i18nLabel: 'Accounts_TwoFactorAuthentication_MaxDelta', + enableQuery: { + _id: 'Accounts_TwoFactorAuthentication_Enabled', + value: true + } + }); + }); +}); + + diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json index 19f424566da..8e13d7adb28 100644 --- a/packages/rocketchat-i18n/i18n/en.i18n.json +++ b/packages/rocketchat-i18n/i18n/en.i18n.json @@ -175,6 +175,7 @@ "Accounts_SetDefaultAvatar": "Set Default Avatar", "Accounts_SetDefaultAvatar_Description": "Tries to determine default avatar based on OAuth Account or Gravatar", "Accounts_ShowFormLogin": "Show Default Login Form", + "Accounts_TwoFactorAuthentication_Enabled": "Enable Two Factor Authentication", "Accounts_TwoFactorAuthentication_MaxDelta": "Maximum Delta", "Accounts_TwoFactorAuthentication_MaxDelta_Description": "The Maximum Delta determines how many tokens are valid at any given time. Tokens are generated every 30 seconds, and are valid for (30 * Maximum Delta) seconds.
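Review bot: `Accounts_TwoFactorAuthentication_Enabled` is registered in the new settings.js without a description, and the en.i18n.json hunk adds only its label. Turning it off stops the TOTP challenge for accounts that have already enrolled (see the guard added in loginHandler.js), which an administrator cannot tell from "Enable Two Factor Authentication" alone. Add an `Accounts_TwoFactorAuthentication_Enabled_Description` entry beside the existing `Accounts_TwoFactorAuthentication_MaxDelta_Description` key, assuming the admin UI resolves descriptions by that suffix as it appears to for MaxDelta. It should say that disabling the setting lets enrolled users sign in with their password only. The new file also ends with two blank lines that can be dropped.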
Example: With a Maximum Delta set to 10, each token can be used up to 300 seconds before or after it's timestamp. This is useful when the client's clock is not properly synced with the server.", "Accounts_UseDefaultBlockedDomainsList": "Use Default Blocked Domains List", diff --git a/packages/rocketchat-lib/server/startup/settings.js b/packages/rocketchat-lib/server/startup/settings.js index 2802206283d..02139dc115b 100644 --- a/packages/rocketchat-lib/server/startup/settings.js +++ b/packages/rocketchat-lib/server/startup/settings.js @@ -88,14 +88,6 @@ RocketChat.settings.addGroup('Accounts', function() { public: true }); - this.section('Two Factor Authentication', function() { - this.add('Accounts_TwoFactorAuthentication_MaxDelta', 1, { - type: 'int', - public: true, - i18nLabel: 'Accounts_TwoFactorAuthentication_MaxDelta' - }); - }); - this.section('Registration', function() { this.add('Accounts_DefaultUsernamePrefixSuggestion', 'user', { type: 'string'