From db3659d665eac2898341dcdadc067f7038e73f9b Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sat, 11 Dec 2021 16:08:26 -0800
Subject: [PATCH] Added option to remove OTP 2FA.

---
 meshcentral-config-schema.json | 1 +
 meshuser.js | 6 ++++++
 views/default-mobile.handlebars | 4 ++--
 views/default.handlebars | 1 +
 webserver.js | 1 +
 5 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index cb9e6397..50a5ce85 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -414,6 +414,7 @@
 "email2factor": { "type": "boolean", "default": true, "description": "Set to false to disable email 2FA." },
 "sms2factor": { "type": "boolean", "default": true, "description": "Set to false to disable SMS 2FA." },
 "push2factor": { "type": "boolean", "default": true, "description": "Set to false to disable push notification 2FA." },
+ "otp2factor": { "type": "boolean", "default": true, "description": "Set to false to disable one-time-password 2FA." },
 "force2factor": { "type": "boolean", "default": false, "description": "Requires that all accounts setup 2FA." },
 "skip2factor": { "type": "string", "description": "IP addresses where 2FA login is skipped, for example: 127.0.0.1,192.168.2.0/24" },
 "oldPasswordBan": { "type": "integer", "description": "Number of old passwords the server should remember and not allow the user to switch back to." },
diff --git a/meshuser.js b/meshuser.js
index 5ab049a9..c738232c 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -3493,6 +3493,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 // Do not allow this command when logged in using a login token
 if (req.session.loginToken != null) break;
+ // Check of OTP 2FA is allowed
+ if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break;
+
 if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.
 // Check if 2-step login is supported
@@ -3515,6 +3518,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 // Do not allow this command when logged in using a login token
 if (req.session.loginToken != null) break;
+ // Check of OTP 2FA is allowed
+ if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break;
+
 if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.
 // Check if 2-step login is supported
diff --git a/views/default-mobile.handlebars b/views/default-mobile.handlebars
index 6fdfdb32..19a1224a 100644
--- a/views/default-mobile.handlebars
+++ b/views/default-mobile.handlebars
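Review bot: The comment on the added guard reads `// Check of OTP 2FA is allowed` in both hunks of this file; `// Check if OTP 2FA is allowed` is what is meant, and the guard itself is the same two lines pasted twice, so a single helper such as `function otp2faDisabled(domain) { return (domain.passwordrequirements != null) && (domain.passwordrequirements.otp2factor === false); }` called from both command handlers would keep them from drifting apart. `=== false` is preferable to `== false` here because the schema declares `otp2factor` as a boolean and an unset option must still mean enabled, which loose equality also satisfies but less obviously. Both hunks only stop new OTP enrolment for the command they sit in; whether a code from an already-enrolled authenticator is still accepted at login is decided in the server's login verification path, which this diff does not touch, so if the option is meant to switch OTP off as a second factor rather than only hide setup, that path needs the same check. The enclosing CreateMeshUser function starts and ends outside both hunks.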
@@ -1371,8 +1371,8 @@
 QV('p2AccountSecurity', ((features & 4) == 0) && (serverinfo.domainauth == false) && ((features & 4096) != 0) && (accountSettingsLocked == false)); // Hide Account Security if in single user mode or domain authentication, 2 factor auth not supported.
 QV('p2AccountImage', !accountSettingsLocked);
 QV('verifyEmailId', (userinfo.emailVerified !== true) && (userinfo.email != null) && (serverinfo.emailcheck == true));
- QV('manageAuthApp', features & 4096);
- QV('manageOtp', ((features & 4096) != 0) && ((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0)));
+ QV('manageAuthApp', (features & 4096) && ((userinfo.otpsecret == 1) || ((features2 & 0x00020000) == 0)));
+ QV('manageOtp', (features & 4096) && ((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0)));
 QV('authPhoneNumberCheck', (userinfo.phone != null));
 QV('authEmailSetupCheck', (userinfo.otpekey == 1) && (userinfo.email != null) && (userinfo.emailVerified == true));
 QV('authAppSetupCheck', userinfo.otpsecret == 1);
diff --git a/views/default.handlebars b/views/default.handlebars
index ee4a5c47..f0ac4001 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -2120,6 +2120,7 @@
 QV('authPhoneNumberCheck', (userinfo.phone != null));
 QV('authEmailSetupCheck', (userinfo.otpekey == 1) && (userinfo.email != null) && (userinfo.emailVerified == true));
 QV('authAppSetupCheck', userinfo.otpsecret == 1);
+ QV('manageAuthApp', (userinfo.otpsecret == 1) || ((features2 & 0x00020000) == 0));
 QV('authKeySetupCheck', userinfo.otphkeys > 0);
 QV('authPushAuthDevCheck', (userinfo.otpdev > 0) && ((features2 & 0x40) != 0));
 QV('authCodesSetupCheck', userinfo.otpkeys > 0);
diff --git a/webserver.js b/webserver.js
index 9d8e6ae2..98338413 100644
--- a/webserver.js
+++ b/webserver.js
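Review bot: The bit `0x00020000` appears as a bare literal on the new manageAuthApp line here and again in the default.handlebars hunk below, and unlike its neighbours in features2 it is set when something is disabled; a use-site comment such as `// features2 bit 0x00020000: domain has disabled OTP 2FA` would spare readers a trip to webserver.js to learn the polarity. The rewritten manageOtp line also drops the `!= 0` the removed line had, so the first operand of `&&` is now a number rather than a boolean; this is harmless if QV only tests truthiness, but it is unrelated to the change and departs from the `(features & 4096) != 0` form used on the p2AccountSecurity line above. Both views only hide the setup UI; the server-side check in meshuser.js is the one that enforces the option, which is the right place for it.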
@@ -2848,6 +2848,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 if (domain.mailserver != null) { features2 += 0x00004000; } // Indicates email server is active
 if (domain.devicesearchbarserverandclientname) { features2 += 0x00008000; } // Search bar will find both server name and client name
 if (domain.ipkvm) { features2 += 0x00010000; } // Indicates support for IP KVM device groups
+ if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) { features2 += 0x00020000; } // Indicates support for OTP 2FA is disabled
 return { features: features, features2: features2 };
 }
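Review bot: The trailing comment `// Indicates support for OTP 2FA is disabled` reads like the support flags on the lines above it while this bit is set when the domain turns OTP off; `// Set when domain policy disables one-time-password 2FA (clients hide OTP setup)` states the inverted polarity plainly. The condition `(domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)` is the same expression the two meshuser.js hunks add, so it now lives in three places; a small helper on the domain would keep the client-facing flag and the server-side enforcement consistent, and `=== false` matches the boolean type the schema declares. This flag only informs the client; the actual refusal happens in meshuser.js, so a client that ignores the bit gains nothing. The inner features function closes with the `}` in the hunk, but the enclosing CreateWebServer function starts and ends outside it.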