require a valid TOTP code to show QR code, reset or remove the 2nd factor (beside already required password)

preferences/inc/class.preferences_password.inc.php

@@ -111,6 +111,16 @@ class preferences_password
 							break;
 
 						case 'two_factor_auth':
+							if (isset($content['2fa']['action']) && empty($content['2fa']['code']))
+							{
+								$tmpl->set_validation_error('code', lang('Code is required'), '2fa');
+								break;
+							}
+							if (!$google2fa->verifyKey($secret_key, $content['2fa']['code']))
+							{
+								$tmpl->set_validation_error('code', lang('Code is invalid'), '2fa');
+								break;
+							}
 							switch(key($content['2fa']['action'] ?? []))
 							{
 								case 'show':
@@ -132,11 +142,6 @@ class preferences_password
 									}
 									break;
 								default:	// no action, save secret
-									if (!$google2fa->verifyKey($secret_key, $content['2fa']['code']))
-									{
-										$tmpl->set_validation_error('code', lang('Code is invalid'), '2fa');
-										break 2;
-									}
 									if (($content['2fa']['cred_id'] = Credentials::write(0,
 										$GLOBALS['egw_info']['user']['account_lid'],
 										$secret_key, Credentials::TWOFA,

preferences/lang/egw_de.lang

@@ -23,6 +23,7 @@ charset for the csv export/import	preferences	de	Zeichensatz
 click to install	preferences	de	Klicken zum Installieren
 close after selection	preferences	de	Nach Auswahl schließen
 code is invalid	preferences	de	Der Code ist ungültig
+code is required	preferences	de	Der Code wird benötigt
 color	preferences	de	Farbe
 country	preferences	de	Land
 current password	preferences	de	Aktuelles Passwort
@@ -61,6 +62,7 @@ enables or disables dropdown selectbox resizing for ie in all applications. if t
 enables or disables selectbox dropdown resizing for ie in all applications. if the browser is not an ie , the option will not apply. this feature is experimental at the moment.	preferences	de	Schaltet die Selectbox-Drop-Down-Menue Grössenanpassung für den Internet Explorer in allen Anwendungen ein oder aus. Wenn der Browser kein Internet Explorer ist, wird diese Option ignoriert. Diese Option ist im Moment noch experimentell.
 enables or disables selectbox dropdown resizing for ie in all applications. if the browser is not an ie, the option will not apply. this feature is experimental at the moment.	preferences	de	Schaltet die Selectbox-Drop-Down-Menu Grössenanpassung für den Internet Explorer in allen Anwendungen ein oder aus. Wenn der Browser kein Internet Explorer ist,wird diese Option ignoriert.
 encrypted ldap connection is required to change passwords, but it is not configured in your installation.	preferences	de	Eine verschlüsselte LDAP Verbindung ist erforderlich um Passwörter zu ändern, aber in Ihre Installation nicht konfiguriert.
+enter code to authenticate the actions below	preferences	de	Geben Sie den Code zur Authentifizierung der folgenden Aktionen ein
 enter code to verify correct setup	preferences	de	Bitte geben sie den Code ein um die Einrichtung zu überprüfen
 enter your new password	preferences	de	Neues Passwort eingeben
 enter your old password	preferences	de	Altes Passwort eingeben

preferences/lang/egw_en.lang

@@ -23,6 +23,7 @@ charset for the csv export/import	preferences	en	Character set
 click to install	preferences	en	click to install
 close after selection	preferences	en	Close after selection
 code is invalid	preferences	en	Code is invalid
+code is required	preferences	en	Code is required
 color	preferences	en	Colour
 country	preferences	en	Country
 current password	preferences	en	Current password
@@ -61,6 +62,7 @@ enables or disables dropdown selectbox resizing for ie in all applications. if t
 enables or disables selectbox dropdown resizing for ie in all applications. if the browser is not an ie , the option will not apply. this feature is experimental at the moment.	preferences	en	Enables or disables selectbox dropdown resizing for IE in all applications. If the browser is not an IE , the option will not apply. This feature is experimental at the moment.
 enables or disables selectbox dropdown resizing for ie in all applications. if the browser is not an ie, the option will not apply. this feature is experimental at the moment.	preferences	en	Enables or disables selectbox dropdown resizing for IE in all applications. If the browser is not an IE, the option will not apply. This feature is experimental at the moment.
 encrypted ldap connection is required to change passwords, but it is not configured in your installation.	preferences	en	Encrypted LDAP connection is required to change passwords, but it is not configured in your installation.
+enter code to authenticate the actions below	preferences	en	Enter code to authenticate the actions below
 enter code to verify correct setup	preferences	en	Enter code to verify correct setup
 enter your new password	preferences	en	Enter new password
 enter your old password	preferences	en	Enter old password

preferences/templates/default/password.xet

@@ -33,6 +33,12 @@
 				<column/>
 			</columns>
 			<rows>
+				<row disabled="!@hide_qrc" valign="top">
+					<et2-hbox span="all">
+						<et2-textbox id="code" class="et2_required" placeholder="XXX XXX" disabled="!@hide_qrc" width="6em"></et2-textbox>
+						<et2-description value="Enter code to authenticate the actions below" style="align-items: center;"></et2-description>
+					</et2-hbox>
+				</row>
 				<row disabled="!@hide_qrc" valign="top">
 					<et2-vbox>
 						<et2-button  id="action[show]" label="Show QRCode" statustext="Show QRCode to enable on an additional device."></et2-button>
@@ -53,7 +59,7 @@
 					</et2-vbox>
 				</row>
 				<row disabled="@hide_qrc">
-					<et2-textbox  id="code" class="et2_required" placeholder="XXX XXX"></et2-textbox>
+					<et2-textbox  id="code" class="et2_required" placeholder="XXX XXX" disabled="@hide_qrc"></et2-textbox>
 					<et2-description  value="Enter code to verify correct setup"></et2-description>
 				</row>
 			</rows>