check form security token and require password to enable/diable mfa

Zotlabs/Module/Settings/Multifactor.php

@@ -12,10 +12,24 @@ use ParagonIE\ConstantTime\Base32;
 
 class Multifactor {
 	public function post() {
+		check_form_security_token_redirectOnErr('/settings/multifactor', 'settings_mfa');
+
 		$account = App::get_account();
 		if (!$account) {
 			return;
 		}
+
+		if (empty($_POST['password'])) {
+			notice(t('Password is required') . EOL);
+			return;
+		}
+
+		$password = trim($_POST['password']);
+		if(!account_verify_password($account['account_email'], $password)) {
+			notice(t('The provided password is not correct') . EOL);
+			return;
+		}
+
 		$enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false;
 		AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa);
 		if ($enable_mfa) {
@@ -67,6 +81,7 @@ class Multifactor {
 					t('Logging in will require you to be in possession of your smartphone with an authenticator app'),
 					[t('No'), t('Yes')]
 				],
+				'$password' => ['password', t('Please enter your password'), '', t('Required')],
 				'$submit' => t('Submit'),
 				'$test' => t('Test')
 			]

view/tpl/totp_setup.tpl

@@ -28,6 +28,7 @@
 		<div id="mfa-submit-wrapper" class="{{if !$enable_mfa.2}}d-none{{/if}}">
 			<form action="settings/multifactor" method="post">
 				<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
+				{{include file="field_password.tpl" field=$password}}
 				{{include file="field_checkbox.tpl" field=$enable_mfa}}
 				<div class="settings-submit-wrapper" >
 					<button id="otp-enable-submit" type="b" name="submit" class="btn btn-primary">