From 528e7836549997fc5e1cf700df4545323f306c8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= <kamil@domanski.co>
Date: Sat, 23 May 2020 00:35:36 +0200
Subject: [PATCH 1/5] stop requiring TOTP for U2F

---
 routers/user/setting/security.go          | 10 +++---
 templates/user/settings/security_u2f.tmpl | 44 +++++++++++------------
 2 files changed, 24 insertions(+), 30 deletions(-)

diff --git a/routers/user/setting/security.go b/routers/user/setting/security.go
index 87e2ba1c02ec3..fcd246ecaef27 100644
--- a/routers/user/setting/security.go
+++ b/routers/user/setting/security.go
@@ -63,12 +63,10 @@ func loadSecurityData(ctx *context.Context) {
 		}
 	}
 	ctx.Data["TwofaEnrolled"] = enrolled
-	if enrolled {
-		ctx.Data["U2FRegistrations"], err = models.GetU2FRegistrationsByUID(ctx.User.ID)
-		if err != nil {
-			ctx.ServerError("GetU2FRegistrationsByUID", err)
-			return
-		}
+	ctx.Data["U2FRegistrations"], err = models.GetU2FRegistrationsByUID(ctx.User.ID)
+	if err != nil {
+		ctx.ServerError("GetU2FRegistrationsByUID", err)
+		return
 	}
 
 	tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
diff --git a/templates/user/settings/security_u2f.tmpl b/templates/user/settings/security_u2f.tmpl
index 41bec78b7010e..6146997a3d3c3 100644
--- a/templates/user/settings/security_u2f.tmpl
+++ b/templates/user/settings/security_u2f.tmpl
@@ -3,32 +3,28 @@
 </h4>
 <div class="ui attached segment">
 	<p>{{.i18n.Tr "settings.u2f_desc" | Str2html}}</p>
-	{{if .TwofaEnrolled}}
-		<div class="ui key list">
-			{{range .U2FRegistrations}}
-			    <div class="item">
-			    	<div class="right floated content">
-			    		<button class="ui red tiny button delete-button" id="delete-registration" data-url="{{$.Link}}/u2f/delete" data-id="{{.ID}}">
-			    		{{$.i18n.Tr "settings.delete_key"}}
-			    		</button>
-			    	</div>
-			    	<div class="content">
-			    		<strong>{{.Name}}</strong>
-			    	</div>
-			    </div>
-			{{end}}
-		</div>
-		<div class="ui form">
-			{{.CsrfTokenHtml}}
-			<div class="required field">
-				<label for="nickname">{{.i18n.Tr "settings.u2f_nickname"}}</label>
-				<input id="nickname" name="nickname" type="text" required>
+	<div class="ui key list">
+		{{range .U2FRegistrations}}
+			<div class="item">
+				<div class="right floated content">
+					<button class="ui red tiny button delete-button" id="delete-registration" data-url="{{$.Link}}/u2f/delete" data-id="{{.ID}}">
+					{{$.i18n.Tr "settings.delete_key"}}
+					</button>
+				</div>
+				<div class="content">
+					<strong>{{.Name}}</strong>
+				</div>
 			</div>
-			<button id="register-security-key" class="ui green button">{{svg "octicon-key"}} {{.i18n.Tr "settings.u2f_register_key"}}</button>
+		{{end}}
+	</div>
+	<div class="ui form">
+		{{.CsrfTokenHtml}}
+		<div class="required field">
+			<label for="nickname">{{.i18n.Tr "settings.u2f_nickname"}}</label>
+			<input id="nickname" name="nickname" type="text" required>
 		</div>
-	{{else}}
-		<b>{{.i18n.Tr "settings.u2f_require_twofa"}}</b>
-	{{end}}
+		<button id="register-security-key" class="ui green button">{{svg "octicon-key"}} {{.i18n.Tr "settings.u2f_register_key"}}</button>
+	</div>
 </div>
 
 <div class="ui small modal" id="register-device">

From 71fc75974573f5361b066542e86a059cc8a77812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= <kamil@domanski.co>
Date: Sat, 23 May 2020 01:02:00 +0200
Subject: [PATCH 2/5] Check U2F if TOTP is not enrolled.

---
 routers/user/auth.go         | 33 ++++++++++++++++++++++++++-------
 templates/user/auth/u2f.tmpl |  8 +++++---
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/routers/user/auth.go b/routers/user/auth.go
index bb877767aef8a..b563e6be00b04 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -197,16 +197,22 @@ func SignInPost(ctx *context.Context) {
 		}
 		return
 	}
+
 	// If this user is enrolled in 2FA, we can't sign the user in just yet.
-	// Instead, redirect them to the 2FA authentication page.
+	// Instead, we check 2FA type and redirect them to the correct 2FA authentication page.
+
+	// Check whether the user is enrolled into TOTP 2FA.
 	_, err = models.GetTwoFactorByUID(u.ID)
-	if err != nil {
-		if models.IsErrTwoFactorNotEnrolled(err) {
-			handleSignIn(ctx, u, form.Remember)
-		} else {
+	if err == nil {
+		if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
+			ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
+			return
+		}
+	} else {
+		if !models.IsErrTwoFactorNotEnrolled(err) {
 			ctx.ServerError("UserSignIn", err)
+			return
 		}
-		return
 	}
 
 	// User needs to use 2FA, save data and redirect to 2FA page.
@@ -223,13 +229,21 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
+	// Check whether the user has any U2F tokens registered.
 	regs, err := models.GetU2FRegistrationsByUID(u.ID)
 	if err == nil && len(regs) > 0 {
+		// If so, redirect to the U2F page.
 		ctx.Redirect(setting.AppSubURL + "/user/u2f")
 		return
 	}
 
-	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+	// Fallback to TOTP
+	if ctx.Session.Get("twofaUid") != nil {
+		ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+	}
+
+	// No two factor auth configured.
+	handleSignIn(ctx, u, form.Remember)
 }
 
 // TwoFactor shows the user a two-factor authentication page.
@@ -392,6 +406,11 @@ func U2F(ctx *context.Context) {
 		return
 	}
 
+	// See whether TOTP is also available.
+	if ctx.Session.Get("totpEnrolled") != nil {
+		ctx.Data["TotpEnrolled"] = true
+	}
+
 	ctx.HTML(200, tplU2F)
 }
 
diff --git a/templates/user/auth/u2f.tmpl b/templates/user/auth/u2f.tmpl
index 2013d149377d9..a752ff77a77af 100644
--- a/templates/user/auth/u2f.tmpl
+++ b/templates/user/auth/u2f.tmpl
@@ -12,9 +12,11 @@
 				<p>{{.i18n.Tr "u2f_sign_in"}}</p>
 			</div>
 			<div id="wait-for-key" class="ui attached segment"><div class="ui active indeterminate inline loader"></div> {{.i18n.Tr "u2f_press_button"}} </div>
-			<div class="ui attached segment">
-				<a href="{{AppSubUrl}}/user/two_factor">{{.i18n.Tr "u2f_use_twofa"}}</a>
-			</div>
+			{{if .TotpEnrolled}}
+				<div class="ui attached segment">
+					<a href="{{AppSubUrl}}/user/two_factor">{{.i18n.Tr "u2f_use_twofa"}}</a>
+				</div>
+			{{end}}
 		</div>
 	</div>
 </div>

From f9751cbca295459acdac70cee9f55a1d45254e63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= <kamil@domanski.co>
Date: Sat, 23 May 2020 03:39:53 +0200
Subject: [PATCH 3/5] remove obsolete translation

---
 options/locale/locale_en-US.ini | 1 -
 1 file changed, 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index a4b677e43baf7..9e5a294e3f400 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -632,7 +632,6 @@ twofa_enrolled = Your account has been enrolled into two-factor authentication.
 twofa_failed_get_secret = Failed to get secret.
 
 u2f_desc = Security keys are hardware devices containing cryptographic keys. They can be used for two-factor authentication. Security keys must support the <a rel="noreferrer" href="https://fidoalliance.org/">FIDO U2F</a> standard.
-u2f_require_twofa = Your account must be enrolled in two-factor authentication to use security keys.
 u2f_register_key = Add Security Key
 u2f_nickname = Nickname
 u2f_press_button = Press the button on your security key to register it.

From ef166ae40407132400b05d001e4917d88343405b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= <kamil@domanski.co>
Date: Fri, 29 May 2020 02:48:20 +0200
Subject: [PATCH 4/5] integration tests: don't secure the root account with U2F
 token

---
 models/fixtures/u2f_registration.yml |  2 +-
 models/fixtures/user.yml             | 16 ++++++++++++++++
 models/u2f_test.go                   |  2 +-
 models/user_test.go                  |  4 ++--
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/models/fixtures/u2f_registration.yml b/models/fixtures/u2f_registration.yml
index 4a9d1d9624a3b..636b0f950ff5b 100644
--- a/models/fixtures/u2f_registration.yml
+++ b/models/fixtures/u2f_registration.yml
@@ -1,7 +1,7 @@
 -
   id: 1
   name: "U2F Key"
-  user_id: 1
+  user_id: 31
   counter: 0
   created_unix: 946684800
   updated_unix: 946684800
diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index d903a7942f81b..f7dc5afdc768f 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -525,3 +525,19 @@
   avatar_email: user30@example.com
   num_repos: 2
   is_active: true
+
+-
+  id: 31
+  lower_name: user31
+  name: user31
+  full_name: User 31 (U2F test)
+  email: user30@example.com
+  passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+  type: 0 # individual
+  salt: ZogKvWdyEx
+  is_admin: false
+  is_restricted: true
+  avatar: avatar31
+  avatar_email: user30@example.com
+  num_repos: 0
+  is_active: true
diff --git a/models/u2f_test.go b/models/u2f_test.go
index 7a38334cf8c43..a97fedc882c85 100644
--- a/models/u2f_test.go
+++ b/models/u2f_test.go
@@ -26,7 +26,7 @@ func TestGetU2FRegistrationByID(t *testing.T) {
 func TestGetU2FRegistrationsByUID(t *testing.T) {
 	assert.NoError(t, PrepareTestDatabase())
 
-	res, err := GetU2FRegistrationsByUID(1)
+	res, err := GetU2FRegistrationsByUID(31)
 	assert.NoError(t, err)
 	assert.Len(t, res, 1)
 	assert.Equal(t, "U2F Key", res[0].Name)
diff --git a/models/user_test.go b/models/user_test.go
index ac40015969aed..4e46f81b84f2d 100644
--- a/models/user_test.go
+++ b/models/user_test.go
@@ -136,13 +136,13 @@ func TestSearchUsers(t *testing.T) {
 	}
 
 	testUserSuccess(&SearchUserOptions{OrderBy: "id ASC", ListOptions: ListOptions{Page: 1}},
-		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30})
+		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 31})
 
 	testUserSuccess(&SearchUserOptions{ListOptions: ListOptions{Page: 1}, IsActive: util.OptionalBoolFalse},
 		[]int64{9})
 
 	testUserSuccess(&SearchUserOptions{OrderBy: "id ASC", ListOptions: ListOptions{Page: 1}, IsActive: util.OptionalBoolTrue},
-		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 28, 29, 30})
+		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 28, 29, 30, 31})
 
 	testUserSuccess(&SearchUserOptions{Keyword: "user1", OrderBy: "id ASC", ListOptions: ListOptions{Page: 1}, IsActive: util.OptionalBoolTrue},
 		[]int64{1, 10, 11, 12, 13, 14, 15, 16, 18})

From 757122a52c7dc25e8e03f23298771a13c7a07ef3 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Sat, 6 Nov 2021 17:51:28 +0000
Subject: [PATCH 5/5] fix-tests

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 models/fixtures/user.yml | 2 +-
 models/login/u2f_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index 97fbb9c783617..cf07542eed16c 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -553,7 +553,7 @@
   type: 0 # individual
   salt: ZogKvWdyEx
   is_admin: false
-  is_restricted: true
+  is_restricted: false
   avatar: avatar32
   avatar_email: user30@example.com
   num_repos: 0
diff --git a/models/login/u2f_test.go b/models/login/u2f_test.go
index 310741c3dc33d..8f5cea61508a5 100644
--- a/models/login/u2f_test.go
+++ b/models/login/u2f_test.go
@@ -17,7 +17,7 @@ import (
 func TestGetU2FRegistrationByID(t *testing.T) {
 	assert.NoError(t, db.PrepareTestDatabase())
 
-	res, err := GetU2FRegistrationByID(32)
+	res, err := GetU2FRegistrationByID(1)
 	assert.NoError(t, err)
 	assert.Equal(t, "U2F Key", res.Name)
 
@@ -29,7 +29,7 @@ func TestGetU2FRegistrationByID(t *testing.T) {
 func TestGetU2FRegistrationsByUID(t *testing.T) {
 	assert.NoError(t, db.PrepareTestDatabase())
 
-	res, err := GetU2FRegistrationsByUID(1)
+	res, err := GetU2FRegistrationsByUID(32)
 
 	assert.NoError(t, err)
 	assert.Len(t, res, 1)