Add Two-Factor Authentication

2FA class stolen from RobThree and stripped down.
Works best with qrencode utility installed, but will fall back to using
google charts if qrencode is missing.

classes/twofa.class.php

@@ -0,0 +1,153 @@
+<?php
+
+class TwoFactorAuth {
+  private $algorithm;
+  private $period;
+  private $digits;
+  private $issuer;
+  private static $_base32dict = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=';
+  private static $_base32;
+  private static $_base32lookup = array();
+  private static $_supportedalgos = array('sha1', 'sha256', 'sha512', 'md5');
+
+  function __construct($issuer = null, $digits = 6, $period = 60, $algorithm = 'sha1') {
+    $this->issuer = $issuer;
+    $this->digits = $digits;
+    $this->period = $period;
+
+    $algorithm = strtolower(trim($algorithm));
+    if (!in_array($algorithm, self::$_supportedalgos)){
+      $algorithm = 'sha1';
+    }
+    $this->algorithm = $algorithm;
+
+    self::$_base32 = str_split(self::$_base32dict);
+    self::$_base32lookup = array_flip(self::$_base32);
+  }
+
+  /**
+   * Create a new secret
+   */
+  public function createSecret($bits = 80) {
+    $secret = '';
+    $bytes = ceil($bits / 5);   //We use 5 bits of each byte (since we have a 32-character 'alphabet' / BASE32)
+    $rnd = random_bytes($bytes);
+    for ($i = 0; $i < $bytes; $i++)
+      $secret .= self::$_base32[ord($rnd[$i]) & 31];  //Mask out left 3 bits for 0-31 values
+    return $secret;
+  }
+
+  /**
+   * Calculate the code with given secret and point in time
+   */
+  public function getCode($secret, $time = null) {
+    $secretkey = $this->base32Decode($secret);
+
+    $timestamp = "\0\0\0\0" . pack('N*', $this->getTimeSlice($this->getTime($time)));  // Pack time into binary string
+    $hashhmac = hash_hmac($this->algorithm, $timestamp, $secretkey, true);             // Hash it with users secret key
+    $hashpart = substr($hashhmac, ord(substr($hashhmac, -1)) & 0x0F, 4);               // Use last nibble of result as index/offset and grab 4 bytes of the result
+    $value = unpack('N', $hashpart);                                                   // Unpack binary value
+    $value = $value[1] & 0x7FFFFFFF;                                                   // Drop MSB, keep only 31 bits
+
+    return str_pad($value % pow(10, $this->digits), $this->digits, '0', STR_PAD_LEFT);
+  }
+
+  /**
+   * Check if the code is correct. This will accept codes starting from ($discrepancy * $period) sec ago to ($discrepancy * period) sec from now
+   */
+  public function verifyCode($secret, $code, $discrepancy = 1, $time = null) {
+    $result = false;
+    $timetamp = $this->getTime($time);
+
+    // To keep safe from timing-attachs we iterate *all* possible codes even though we already may have verified a code is correct
+    for ($i = -$discrepancy; $i <= $discrepancy; $i++)
+      $result |= $this->codeEquals($this->getCode($secret, $timetamp + ($i * $this->period)), $code);
+
+    return (bool)$result;
+  }
+
+  /**
+   * Timing-attack safe comparison of 2 codes (see http://blog.ircmaxell.com/2014/11/its-all-about-time.html)
+   */
+  private function codeEquals($safe, $user) {
+    if (function_exists('hash_equals')) {
+      return hash_equals($safe, $user);
+    } else {
+      // In general, it's not possible to prevent length leaks. So it's OK to leak the length. The important part is that
+      // we don't leak information about the difference of the two strings.
+      if (strlen($safe)===strlen($user)) {
+        $result = 0;
+        for ($i = 0; $i < strlen($safe); $i++)
+          $result |= (ord($safe[$i]) ^ ord($user[$i]));
+        return $result === 0;
+      }
+    }
+    return false;
+  }
+
+  /**
+   * Get data-uri of QRCode
+   */
+  public function getQRCodeImageAsDataUri($label, $secret, $size = 300) {
+
+    if (exec('which qrencode')) {
+      $QRCodeImage = shell_exec("qrencode -s ".(int)($size/40)." -m 3 -o - '".$this->getQRText($label, $secret)."'");
+    } else {
+      $curlhandle = curl_init();
+
+      curl_setopt_array($curlhandle, array(
+        CURLOPT_URL => 'https://chart.googleapis.com/chart?cht=qr&chs='.$size.'x'.$size.'&chld=L|1&chl='.rawurlencode($this->getQRText($label, $secret)),
+        CURLOPT_RETURNTRANSFER => true,
+        CURLOPT_CONNECTTIMEOUT => 10,
+        CURLOPT_DNS_CACHE_TIMEOUT => 10,
+        CURLOPT_TIMEOUT => 10,
+        CURLOPT_SSL_VERIFYPEER => false,
+        CURLOPT_USERAGENT => 'TwoFactorAuth'
+      ));
+
+      $QRCodeImage = curl_exec($curlhandle);
+      curl_close($curlhandle);
+    }
+
+    return 'data:image/png;base64,'.base64_encode($QRCodeImage);
+  }
+
+  private function getTime($time) {
+    return ($time === null) ? time() : $time;
+  }
+
+  private function getTimeSlice($time = null, $offset = 0) {
+    return (int)floor($time / $this->period) + ($offset * $this->period);
+  }
+
+  /**
+   * Builds a string to be encoded in a QR code
+   */
+  public function getQRText($label, $secret) {
+    return 'otpauth://totp/' . rawurlencode($label)
+      . '?secret=' . rawurlencode($secret)
+      . '&issuer=' . rawurlencode($this->issuer)
+      . '&period=' . intval($this->period)
+      . '&algorithm=' . rawurlencode(strtoupper($this->algorithm))
+      . '&digits=' . intval($this->digits);
+  }
+
+  private function base32Decode($value) {
+    if (strlen($value)==0) { return ''; }
+
+    $buffer = '';
+    foreach (str_split($value) as $char) {
+      if ($char !== '=') {
+        $buffer .= str_pad(decbin(self::$_base32lookup[$char]), 5, 0, STR_PAD_LEFT);
+      }
+    }
+    $length = strlen($buffer);
+    $blocks = trim(chunk_split(substr($buffer, 0, $length - ($length % 8)), 8, ' '));
+
+    $output = '';
+    foreach (explode(' ', $blocks) as $block)
+      $output .= chr(bindec(str_pad($block, 8, 0, STR_PAD_RIGHT)));
+
+    return $output;
+  }
+}

gazelle.sql

@@ -1519,6 +1519,7 @@ CREATE TABLE `users_main` (
   `Username` varchar(20) NOT NULL,
   `Email` varchar(255) NOT NULL,
   `PassHash` varchar(60) NOT NULL,
+  `TwoFactor` varchar(255) DEFAULT NULL,
   `IRCKey` char(32) DEFAULT NULL,
   `LastLogin` datetime,
   `LastAccess` datetime,

sections/login/index.php

@@ -19,8 +19,11 @@ if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {
   error('Your IP address has been banned.');
 }
 
-require(SERVER_ROOT.'/classes/validate.class.php');
-$Validate = NEW VALIDATE;
+require_once SERVER_ROOT.'/classes/twofa.class.php';
+require_once SERVER_ROOT.'/classes/validate.class.php';
+
+$Validate = new VALIDATE;
+$TwoFA = new TwoFactorAuth(SITE_NAME);
 
 if (array_key_exists('action', $_GET) && $_GET['action'] == 'disabled') {
   require('disabled.php');
@@ -231,11 +234,12 @@ else {
           PermissionID,
           CustomPermissions,
           PassHash,
+          TwoFactor,
           Enabled
         FROM users_main
         WHERE Username = '".db_string($_POST['username'])."'
           AND Username != ''");
-      list($UserID, $PermissionID, $CustomPermissions, $PassHash, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));
+      list($UserID, $PermissionID, $CustomPermissions, $PassHash, $TwoFactor, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));
       if (!$Banned) {
         if ($UserID && Users::check_password($_POST['password'], $PassHash)) {
           // Update hash if better algorithm available
@@ -245,110 +249,116 @@ else {
               SET PassHash = '".make_sec_hash($_POST['password'])."'
               WHERE Username = '".db_string($_POST['username'])."'");
           }
-          if ($Enabled == 1) {
 
-            // Check if the current login attempt is from a location previously logged in from
-            if (apc_exists('DBKEY')) {
-              $DB->query("
-                SELECT IP
-                FROM users_history_ips
-                WHERE UserID = $UserID");
-              $IPs = $DB->to_array(false, MYSQLI_NUM);
-              $QueryParts = array();
-              foreach ($IPs as $i => $IP) {
-                $IPs[$i] = DBCrypt::decrypt($IP[0]);
-              }
-              $IPs = array_unique($IPs);
-              if (count($IPs) > 0) { // Always allow first login
-                foreach ($IPs as $IP) {
-                  $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";
+          if (empty($TwoFactor) || $TwoFA->verifyCode($TwoFactor, $_POST['twofa'])) {
+            if ($Enabled == 1) {
+
+              // Check if the current login attempt is from a location previously logged in from
+              if (apc_exists('DBKEY')) {
+                $DB->query("
+                  SELECT IP
+                  FROM users_history_ips
+                  WHERE UserID = $UserID");
+                $IPs = $DB->to_array(false, MYSQLI_NUM);
+                $QueryParts = array();
+                foreach ($IPs as $i => $IP) {
+                  $IPs[$i] = DBCrypt::decrypt($IP[0]);
                 }
-                $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));
-                $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);
-                $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");
-                list($CurrentASN) = $DB->next_record();
-
-                if (!in_array($CurrentASN, $PastASNs)) {
-                  // Never logged in from this location before
-                  if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {
-                    $DB->query("
-                      SELECT
-                        UserName,
-                        Email
-                      FROM users_main
-                      WHERE ID = $UserID");
-                    list($Username, $Email) = $DB->next_record();
-                    Users::auth_location($UserID, $Username, $CurrentASN, DBCrypt::decrypt($Email));
-                    require('newlocation.php');
-                    die();
+                $IPs = array_unique($IPs);
+                if (count($IPs) > 0) { // Always allow first login
+                  foreach ($IPs as $IP) {
+                    $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";
+                  }
+                  $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));
+                  $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);
+                  $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");
+                  list($CurrentASN) = $DB->next_record();
+
+                  if (!in_array($CurrentASN, $PastASNs)) {
+                    // Never logged in from this location before
+                    if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {
+                      $DB->query("
+                        SELECT
+                          UserName,
+                          Email
+                        FROM users_main
+                        WHERE ID = $UserID");
+                      list($Username, $Email) = $DB->next_record();
+                      Users::auth_location($UserID, $Username, $CurrentASN, DBCrypt::decrypt($Email));
+                      require('newlocation.php');
+                      die();
+                    }
                   }
                 }
               }
-            }
 
-            $SessionID = Users::make_secret(64);
-            $KeepLogged = ($_POST['keeplogged'] ?? false) ? 1 : 0;
-            setcookie('session', $SessionID, (time()+60*60*24*365)*$KeepLogged, '/', '', true, true);
-            setcookie('userid', $UserID, (time()+60*60*24*365)*$KeepLogged, '/', '', true, true);
-
-            // Because we <3 our staff
-            $Permissions = Permissions::get_permissions($PermissionID);
-            $CustomPermissions = unserialize($CustomPermissions);
-            if (isset($Permissions['Permissions']['site_disable_ip_history'])
-              || isset($CustomPermissions['site_disable_ip_history'])
-            ) {
-              $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
-            }
+              $SessionID = Users::make_secret(64);
+              $KeepLogged = ($_POST['keeplogged'] ?? false) ? 1 : 0;
+              setcookie('session', $SessionID, (time()+60*60*24*365)*$KeepLogged, '/', '', true, true);
+              setcookie('userid', $UserID, (time()+60*60*24*365)*$KeepLogged, '/', '', true, true);
+
+              // Because we <3 our staff
+              $Permissions = Permissions::get_permissions($PermissionID);
+              $CustomPermissions = unserialize($CustomPermissions);
+              if (isset($Permissions['Permissions']['site_disable_ip_history'])
+                || isset($CustomPermissions['site_disable_ip_history'])
+              ) {
+                $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+              }
 
-            $DB->query("
-              INSERT INTO users_sessions
-                (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)
-              VALUES
-                ('$UserID', '".db_string($SessionID)."', '$KeepLogged', '$Browser', '$OperatingSystem', '".db_string(apc_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', '".sqltime()."', '".db_string($_SERVER['HTTP_USER_AGENT'])."')");
-
-            $Cache->begin_transaction("users_sessions_$UserID");
-            $Cache->insert_front($SessionID, array(
-                'SessionID' => $SessionID,
-                'Browser' => $Browser,
-                'OperatingSystem' => $OperatingSystem,
-                'IP' => (apc_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),
-                'LastUpdate' => sqltime()
-                ));
-            $Cache->commit_transaction(0);
-
-            $Sql = "
-              UPDATE users_main
-              SET
-                LastLogin = '".sqltime()."',
-                LastAccess = '".sqltime()."'
-              WHERE ID = '".db_string($UserID)."'";
-
-            $DB->query($Sql);
-
-            if (!empty($_COOKIE['redirect'])) {
-              $URL = $_COOKIE['redirect'];
-              setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);
-              header("Location: $URL");
-              die();
+              $DB->query("
+                INSERT INTO users_sessions
+                  (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)
+                VALUES
+                  ('$UserID', '".db_string($SessionID)."', '$KeepLogged', '$Browser', '$OperatingSystem', '".db_string(apc_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', '".sqltime()."', '".db_string($_SERVER['HTTP_USER_AGENT'])."')");
+
+              $Cache->begin_transaction("users_sessions_$UserID");
+              $Cache->insert_front($SessionID, array(
+                  'SessionID' => $SessionID,
+                  'Browser' => $Browser,
+                  'OperatingSystem' => $OperatingSystem,
+                  'IP' => (apc_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),
+                  'LastUpdate' => sqltime()
+                  ));
+              $Cache->commit_transaction(0);
+
+              $Sql = "
+                UPDATE users_main
+                SET
+                  LastLogin = '".sqltime()."',
+                  LastAccess = '".sqltime()."'
+                WHERE ID = '".db_string($UserID)."'";
+
+              $DB->query($Sql);
+
+              if (!empty($_COOKIE['redirect'])) {
+                $URL = $_COOKIE['redirect'];
+                setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);
+                header("Location: $URL");
+                die();
+              } else {
+                header('Location: index.php');
+                die();
+              }
             } else {
-              header('Location: index.php');
-              die();
+              log_attempt();
+              if ($Enabled == 2) {
+
+                // Save the username in a cookie for the disabled page
+                setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);
+                header('Location: login.php?action=disabled');
+              } elseif ($Enabled == 0) {
+                $Err = 'Your account has not been confirmed.<br />Please check your email.';
+              }
+              setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
             }
           } else {
             log_attempt();
-            if ($Enabled == 2) {
-
-              // Save the username in a cookie for the disabled page
-              setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);
-              header('Location: login.php?action=disabled');
-            } elseif ($Enabled == 0) {
-              $Err = 'Your account has not been confirmed.<br />Please check your email.';
-            }
+            $Err = 'Two-factor authentication failed.';
             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
           }
         } else {
           log_attempt();
-
           $Err = 'Your username or password was incorrect.';
           setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
         }

sections/login/login.php

@@ -27,10 +27,23 @@ if (!$Banned) {
         <input type="password" name="password" id="password" class="inputtext" required="required" maxlength="307200" pattern=".{6,307200}" placeholder="Password" />
       </td>
     </tr>
+    <tr id="2fa_tr">
+      <td>Two-factor&nbsp;</td>
+      <td colspan="2">
+        <input type="text" name="twofa" id="twofa" class="inputtext" maxlength="6" pattern="[0-9]{6}" placeholder="2FA Verification Code" />
+      </td>
+    </tr>
+    <tr>
+      <td></td>
+      <td>
+        <input type="checkbox" id="keep2fa" name="keep2fa" value="0">
+        <label for="keep2fa">Show 2FA</label>
+      </td>
+    </tr>
     <tr>
       <td></td>
       <td>
-        <input type="checkbox" id="keeplogged" name="keeplogged" value="1"<?=(isset($_REQUEST['keeplogged']) && $_REQUEST['keeplogged']) ? ' checked="checked"' : ''?> />
+        <input type="checkbox" id="keeplogged" name="keeplogged" value="1"<?=(isset($_REQUEST['keeplogged']) && $_REQUEST['keeplogged']) ? ' checked="checked"' : ''?>>
         <label for="keeplogged">Remember me</label>
       </td>
       <td><input type="submit" name="login" value="Log in" class="submit" /></td>

sections/user/edit.php

@@ -1,4 +1,5 @@
 <?
+require(SERVER_ROOT.'/classes/twofa.class.php');
 $UserID = $_REQUEST['userid'];
 if (!is_number($UserID)) {
   error(404);
@@ -7,6 +8,7 @@ if (!is_number($UserID)) {
 $DB->query("
   SELECT
     m.Username,
+    m.TwoFactor,
     m.Email,
     m.IRCKey,
     m.Paranoia,
@@ -23,7 +25,9 @@ $DB->query("
     JOIN users_info AS i ON i.UserID = m.ID
     LEFT JOIN permissions AS p ON p.ID = m.PermissionID
   WHERE m.ID = '".db_string($UserID)."'");
-list($Username, $Email, $IRCKey, $Paranoia, $Info, $Avatar, $StyleID, $StyleURL, $SiteOptions, $UnseededAlerts, $DownloadAlt, $Class, $InfoTitle) = $DB->next_record(MYSQLI_NUM, array(3, 8));
+list($Username, $TwoFactor, $Email, $IRCKey, $Paranoia, $Info, $Avatar, $StyleID, $StyleURL, $SiteOptions, $UnseededAlerts, $DownloadAlt, $Class, $InfoTitle) = $DB->next_record(MYSQLI_NUM, array(3, 8));
+
+$TwoFA = new TwoFactorAuth(SITE_NAME);
 
 $Email = apc_exists('DBKEY') ? DBCrypt::decrypt($Email) : '[Encrypted]';
 
@@ -774,11 +778,29 @@ list($ArtistsAdded) = $DB->next_record();
           <p class="min_padding">When changing your email address, you must enter your current password in the "Current password" field before saving your changes.</p>
         </td>
       </tr>
+      <tr id="acc_2fa_tr">
+        <td class="label tooltip" title="This will let you enable 2-Factor Auth for your <?=SITE_NAME?> account. The use of your 2FA client will be required whenever you login after enabling it."><strong>2-Factor Auth</strong></td>
+        <td>
+          <? $TwoFASecret = empty($TwoFactor) ? $TwoFA->createSecret() : $TwoFactor; ?>
+          <div class="field_div">
+            <? if (!empty($TwoFactor)) { ?>
+            <p>2FA is enabled for this account with the following secret:</p>
+            <? } ?>
+            <img src="<?=$TwoFA->getQRCodeImageAsDataUri(SITE_NAME, $TwoFASecret)?>">
+            <input type="text" size="20" name="twofasecret" id="twofasecret" value="<?=$TwoFASecret?>" readonly><br>
+            <? if (empty($TwoFactor)) { ?>
+            <input type="text" size="20" maxlength="6" name="twofa" id="twofa" placeholder="Verification Code">
+            <p class="min_padding">To enable 2FA, scan the above QR code (or add the secret below it) to your 2FA client of choice, and enter a verification code it generates. Note that the verification code must not have expired when you save your profile.</p>
+            <p class="min_padding">When setting up 2FA, you must enter your current password in the "Current password" field before saving your changes.</p>
+            <? } ?>
+          </div>
+        </td>
+      </tr>
       <tr id="acc_password_tr">
         <td class="label"><strong>Change password</strong></td>
         <td>
           <div class="field_div">
-            <label>Current password:<br />
+            <label>Current password:<br>
             <input type="password" size="40" name="cur_pass" id="cur_pass" maxlength="307200" value="" /></label>
           </div>
           <div class="field_div">

sections/user/take_edit.php

@@ -29,6 +29,7 @@ $Val->SetFields('postsperpage', 1, "number", "You forgot to select your posts pe
 $Val->SetFields('collagecovers', 1, "number", "You forgot to select your collage option.");
 $Val->SetFields('avatar', 0, "regex", "You did not enter a valid avatar URL.", array('regex' => "/^".IMAGE_REGEX."$/i"));
 $Val->SetFields('email', 1, "email", "You did not enter a valid email address.");
+$Val->SetFields('twofa', 0, "regex", "You did not enter a valid 2FA verification code.", array('regex' => '/^[0-9]{6}$/'));
 $Val->SetFields('irckey', 0, "string", "You did not enter a valid IRC key. An IRC key must be between 6 and 32 characters long.", array('minlength' => 6, 'maxlength' => 32));
 $Val->SetFields('new_pass_1', 0, "regex", "You did not enter a valid password. A valid password is 6 characters or longer.", array('regex' => '/(?=^.{6,}$).*$/'));
 $Val->SetFields('new_pass_2', 1, "compare", "Your passwords do not match.", array('comparefield' => 'new_pass_1'));
@@ -176,11 +177,38 @@ if ($CurEmail != $_POST['email']) {
     header("Location: user.php?action=edit&userid=$UserID");
     die();
   }
-
-
 }
 //End email change
 
+//2FA activation
+if (isset($_POST['twofa'])) {
+  $DB->query("
+    SELECT TwoFactor, PassHash
+    FROM users_main
+    WHERE ID = $UserID");
+  list($TwoFactor, $PassHash) = $DB->next_record();
+  if (empty($TwoFactor)) {
+    if (!Users::check_password($_POST['cur_pass'], $PassHash)) {
+      error('You did not enter the correct password.');
+      header("Location: user.php?action=edit&userid=$UserID");
+      die();
+    }
+    require_once SERVER_ROOT.'/classes/twofa.class.php';
+    $TwoFA = new TwoFactorAuth(SITE_NAME);
+    if ($TwoFA->verifyCode($_POST['twofasecret'], $_POST['twofa'])) {
+      $DB->query("
+        UPDATE users_main
+        SET TwoFactor='".db_string($_POST['twofasecret'])."'
+        WHERE ID = $UserID");
+    } else {
+      error('Invalid 2FA verification code.');
+      header("Location: user.php?action=edit&userid=$UserID");
+      die();
+    }
+  }
+}
+//End 2FA
+
 if (!$Err && ($_POST['cur_pass'] || $_POST['new_pass_1'] || $_POST['new_pass_2'])) {
   $DB->query("
     SELECT PassHash

static/functions/public.js

@@ -1,14 +1,21 @@
-if ($('#no-cookies')) {
-  cookie.set('cookie_test', 1, 1);
-  if (cookie.get('cookie_test') != null) {
-      cookie.del('cookie_test');
-  } else {
-      $('#no-cookies').gshow();
-  }
-}
-
 $(() => {
   if ($('#bg_data')) {
     $('#content')[0].style.backgroundImage = "url(/misc/bg/"+$('#bg_data')[0].attributes.bg.value+")";
   }
+
+  if ($('#no-cookies')) {
+    cookie.set('cookie_test', 1, 1);
+    if (cookie.get('cookie_test') != null) {
+        cookie.del('cookie_test');
+    } else {
+        $('#no-cookies').gshow();
+    }
+  }
+
+  if ($('#keep2fa')) {
+    $('#2fa_tr').ghide()
+    $('#keep2fa')[0].onclick = (e) => {
+      $('#2fa_tr')[$('#keep2fa')[0].checked ? 'gshow' : 'ghide']()
+    }
+  }
 })