From ac090767ca1a7db48ade899b9d2befbb3ad0b43d Mon Sep 17 00:00:00 2001
From: yflory
Date: Mon, 11 Dec 2023 16:40:05 +0100
Subject: [PATCH] Add admin panel option to enforce MFA
---
 lib/commands/admin-rpc.js | 1 +
 lib/decrees.js | 3 +++
 www/admin/inner.js | 26 ++++++++++++++++++++++++++
 3 files changed, 30 insertions(+)
diff --git a/lib/commands/admin-rpc.js b/lib/commands/admin-rpc.js
index 07a121909..3100194b4 100644
--- a/lib/commands/admin-rpc.js
+++ b/lib/commands/admin-rpc.js
@@ -495,6 +495,7 @@ var instanceStatus = function (Env, Server, cb) {
 instanceJurisdiction: Env.instanceJurisdiction,
 instanceName: Env.instanceName,
 instanceNotice: Env.instanceNotice,
+ enforceMFA: Env.enforceMFA,
 });
 };
diff --git a/lib/decrees.js b/lib/decrees.js
index 2e2ffd43a..1f81db056 100644
--- a/lib/decrees.js
+++ b/lib/decrees.js
@@ -107,6 +107,9 @@ var makeBooleanSetter = function (attr) {
 // CryptPad_AsyncStore.rpc.send('ADMIN', [ 'ADMIN_DECREE', ['DISABLE_EMBEDDING', [true]]], console.log)
 commands.ENABLE_EMBEDDING = makeBooleanSetter('enableEmbedding');
+// CryptPad_AsyncStore.rpc.send('ADMIN', [ 'ADMIN_DECREE', ['ENFORCE_MFA', [true]]], console.log)
+commands.ENFORCE_MFA = makeBooleanSetter('enforceMFA');
+
 // CryptPad_AsyncStore.rpc.send('ADMIN', [ 'ADMIN_DECREE', ['RESTRICT_REGISTRATION', [true]]], console.log)
 commands.RESTRICT_REGISTRATION = makeBooleanSetter('restrictRegistration');
diff --git a/www/admin/inner.js b/www/admin/inner.js
index 8155a1164..798c1ddcd 100644
--- a/www/admin/inner.js
+++ b/www/admin/inner.js
@@ -63,6 +63,7 @@ define([
 'cp-admin-update-limit',
 'cp-admin-registration',
 'cp-admin-enableembeds',
+ 'cp-admin-forcemfa',
 'cp-admin-email',
 'cp-admin-instance-info-notice',
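Review bot: In lib/decrees.js, `commands.ENFORCE_MFA = makeBooleanSetter('enforceMFA');` only records the policy on `Env`; the one other reader of `Env.enforceMFA` in this patch is the `instanceStatus` reply in lib/commands/admin-rpc.js, so nothing visible here rejects a login that lacks a second factor. If the code that acts on the flag runs only in the browser, the policy is advisory, so the check belongs on the server where sessions are granted (that code is outside this patch and should be confirmed). I would add a comment above the decree such as `// Policy flag only: the server-side login path must check Env.enforceMFA; toggling it here enforces nothing by itself.` The body of `makeBooleanSetter` starts outside the hunk, so its argument validation is not reviewed here.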
@@ -1527,6 +1528,31 @@ Example
 },
 });
+ // Msg.admin_forcemfaHint, .admin_forcemfaTitle
+ Messages.admin_forcemfaTitle = "Enforce MFA on this instance"; // XXX
+ Messages.admin_forcemfaHint = "All CryptPad users will be asked to set up a multi-factor authenticator (TOTP) to log in to their account."; // XXX
+ create['forcemfa'] = makeAdminCheckbox({
+ key: 'forcemfa',
+ getState: function () {
+ return APP.instanceStatus.enforceMFA;
+ },
+ query: function (val, setState) {
+ sFrameChan.query('Q_ADMIN_RPC', {
+ cmd: 'ADMIN_DECREE',
+ data: ['ENFORCE_MFA', [val]]
+ }, function (e, response) {
+ if (e || response.error) {
+ UI.warn(Messages.error);
+ console.error(e, response);
+ }
+ APP.updateStatus(function () {
+ setState(APP.instanceStatus.enforceMFA);
+ flushCacheNotice();
+ });
+ });
+ },
+ });
+
 create['email'] = function () {
 var key = 'email';
 var $div = makeBlock(key, true); // Msg.admin_emailHint, Msg.admin_emailTitle
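Review bot: In the `query` callback of `create['forcemfa']`, the error branch falls through, so `flushCacheNotice()` is shown even when the `ENFORCE_MFA` decree was rejected, which can suggest to an admin that the policy changed when it did not. `response.error` is also read without checking that `response` is defined, which would throw if the channel ever calls back with no response object. I would record the outcome with `var failed = e || !response || response.error;` and guard the notice with `if (!failed) { flushCacheNotice(); }`, while keeping `setState(APP.instanceStatus.enforceMFA)` so the checkbox always shows the server's value. For a security control, a more specific message than the generic `Messages.error` would also help.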