From 9f64d7834fdd2f371a50f68b9ec6981661999147 Mon Sep 17 00:00:00 2001 
From: slawkens Date: Sun, 18 Jan 2026 13:13:59 +0100 Subject: [PATCH] [WIP] 2fa, separate files, move twigs --- system/pages/account/2fa.php | 124 ------------------ system/pages/account/2fa/app/activate.php | 4 + system/pages/account/2fa/app/deactivate.php | 5 + system/pages/account/2fa/base.php | 29 ++++ system/pages/account/2fa/email/activate.php | 39 ++++++ system/pages/account/2fa/email/deactivate.php | 37 ++++++ .../pages/account/2fa/email/resend-code.php | 17 +++ system/src/TwoFactorAuth/TwoFactorAuth.php | 14 +- system/templates/account.management.html.twig | 2 +- .../account/2fa/app/activate.html.twig | 0 .../2fa/connect.html.twig} | 2 +- .../2fa/email/activate.html.twig} | 2 +- .../2fa/email/activated.html.twig} | 4 +- .../2fa/email/deactivate.html.twig} | 7 +- .../2fa/email/login.html.twig} | 2 +- .../2fa/email/request.html.twig} | 6 +- .../2fa/main.html.twig} | 0 .../2fa/protected.html.twig} | 0 .../mail.account.2fa.email-code.html.twig | 2 +- .../tibiacom/account.management.html.twig | 2 +- 20 files changed, 151 insertions(+), 147 deletions(-) delete mode 100644 system/pages/account/2fa.php create mode 100644 system/pages/account/2fa/app/activate.php create mode 100644 system/pages/account/2fa/app/deactivate.php create mode 100644 system/pages/account/2fa/base.php create mode 100644 system/pages/account/2fa/email/activate.php create mode 100644 system/pages/account/2fa/email/deactivate.php create mode 100644 system/pages/account/2fa/email/resend-code.php create mode 100644 system/templates/account/2fa/app/activate.html.twig rename system/templates/{account.2fa.connect.html.twig => account/2fa/connect.html.twig} (92%) rename system/templates/{account.2fa.email.activate.html.twig => account/2fa/email/activate.html.twig} (92%) rename system/templates/{account.2fa.email.activated.html.twig => account/2fa/email/activated.html.twig} (81%) rename system/templates/{account.2fa.email.deactivate.html.twig => account/2fa/email/deactivate.html.twig} (94%) rename 
system/templates/{account.2fa.email.login.html.twig => account/2fa/email/login.html.twig} (97%) rename system/templates/{account.2fa.email_code.html.twig => account/2fa/email/request.html.twig} (93%) rename system/templates/{account.2fa.main.html.twig => account/2fa/main.html.twig} (100%) rename system/templates/{account.2fa.protected.html.twig => account/2fa/protected.html.twig} (100%) diff --git a/system/pages/account/2fa.php b/system/pages/account/2fa.php deleted file mode 100644 index e36c338c..00000000 --- a/system/pages/account/2fa.php +++ /dev/null 
@@ -1,124 +0,0 @@ - - * @copyright 2019 MyAAC - * @link https://my-aac.org - */ - -use MyAAC\TwoFactorAuth\TwoFactorAuth; - -defined('MYAAC') or die('Direct access not allowed!'); - -$title = 'Two Factor Authentication'; -require __DIR__ . '/base.php'; - -csrfProtect(); - -/** - * @var OTS_Account $account_logged - */ -$step = $_REQUEST['step'] ?? ''; -$code = $_REQUEST['auth-code'] ?? ''; - -if ((!setting('core.mail_enabled')) && ACTION == 'email-code') { - $twig->display('error_box.html.twig', ['errors' => ['Account two-factor e-mail authentication disabled.']]); - return; -} - -if (!isset($account_logged) || !$account_logged->isLoaded()) { - $current_session = getSession('account'); - if($current_session) { - $account_logged = new OTS_Account(); - $account_logged->load($current_session); - } -} - -$twoFactorAuth = TwoFactorAuth::getInstance($account_logged); -$twig->addGlobal('account_logged', $account_logged); - -if (ACTION == 'email-code') { - if ($step == 'resend') { - if ($twoFactorAuth->hasRecentEmailCode(15 * 60)) { - $errors = ['Sorry, one email per 15 minutes']; - } - else { - $twoFactorAuth->resendEmailCode(); - } - - if (!empty($errors)) { - $twig->display('error_box.html.twig', ['errors' => $errors]); - } - - $twig->display('account.2fa.email.login.html.twig'); - } - else if ($step == 'activate') { - if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) { - $twoFactorAuth->resendEmailCode(); - } - - if (isset($_POST['save'])) { - if (!empty($code)) { - $twoFactorAuth->setAuthGateway(TwoFactorAuth::TYPE_EMAIL); - if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) { - $serverName = configLua('serverName'); - - $twoFactorAuth->enable(TwoFactorAuth::TYPE_EMAIL); - $twoFactorAuth->deleteOldCodes(); - - $twig->display('success.html.twig', [ - 'title' => 'Email Code Authentication Activated', - 'description' => sprintf('You have successfully activated email code authentication for your account. 
This means an email code will be sent to the email address assigned to your account whenever you try to log in to the %s client or the %s website. In order to log in, you will need to enter the most recent email code you have received.', $serverName, $serverName) - ]); - - return; - } - else { - $errors[] = 'Invalid email code!'; - } - } - } - - if (!empty($errors)) { - $twig->display('error_box.html.twig', ['errors' => $errors]); - } - - $twig->display('account.2fa.email_code.html.twig', ['wrongCode' => count($errors) > 0]); - } - else if ($step == 'deactivate') { - //if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) { - // $twoFactorAuth->resendEmailCode(); - //} - - /*if (isset($_POST['save'])) { - if (!empty($code)) { - if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) { -*/ - $twoFactorAuth->disable(); - $twoFactorAuth->deleteOldCodes(); - - $twig->display('success.html.twig', - [ - 'title' => 'Email Code Authentication Deactivated', - 'description' => 'You have successfully deactivated the Email Code Authentication for your account.' - ] - ); - /* - } - else { - $errors[] = 'Invalid email code!'; - } - } - }*/ - - /* - if (!empty($errors)) { - $twig->display('error_box.html.twig', ['errors' => $errors]); - } - - $twig->display('account.2fa.email.deactivate.html.twig', ['wrongCode' => count($errors) > 0]); - */ - } -} diff --git a/system/pages/account/2fa/app/activate.php b/system/pages/account/2fa/app/activate.php new file mode 100644 index 00000000..46e0c749 --- /dev/null +++ b/system/pages/account/2fa/app/activate.php 
@@ -0,0 +1,4 @@ +display('error_box.html.twig', ['errors' => ['Account two-factor e-mail authentication disabled.']]); + return; +} + +if (!isset($account_logged) || !$account_logged->isLoaded()) { + $current_session = getSession('account'); + if($current_session) { + $account_logged = new OTS_Account(); + $account_logged->load($current_session); + } +} + +$twoFactorAuth = TwoFactorAuth::getInstance($account_logged); +$twig->addGlobal('account_logged', $account_logged); diff --git a/system/pages/account/2fa/email/activate.php b/system/pages/account/2fa/email/activate.php new file mode 100644 index 00000000..97cab77e --- /dev/null +++ b/system/pages/account/2fa/email/activate.php @@ -0,0 +1,39 @@ +hasRecentEmailCode(15 * 60)) { + $twoFactorAuth->resendEmailCode(); +} + +if (isset($_POST['save'])) { + if (!empty($code)) { + $twoFactorAuth->setAuthGateway(TwoFactorAuth::TYPE_EMAIL); + if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) { + $serverName = configLua('serverName'); + + $twoFactorAuth->enable(TwoFactorAuth::TYPE_EMAIL); + $twoFactorAuth->deleteOldCodes(); + + $twig->display('success.html.twig', [ + 'title' => 'Email Code Authentication Activated', + 'description' => sprintf('You have successfully activated email code authentication for your account. This means an email code will be sent to the email address assigned to your account whenever you try to log in to the %s client or the %s website. In order to log in, you will need to enter the most recent email code you have received.', $serverName, $serverName) + ]); + + return; + } + else { + $errors[] = 'Invalid email code!'; + } + } +} + +if (!empty($errors)) { + $twig->display('error_box.html.twig', ['errors' => $errors]); +} + +$twig->display('account/2fa/email/request.html.twig', ['wrongCode' => count($errors) > 0]); diff --git a/system/pages/account/2fa/email/deactivate.php b/system/pages/account/2fa/email/deactivate.php new file mode 100644 index 00000000..ba78e6d1 --- /dev/null 
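Review bot: The mail-disabled guard in base.php still keys on `ACTION == 'email-code'`, but this commit splits the email flow into `2fa/email/activate.php`, `deactivate.php` and `resend-code.php`; if the router now derives ACTION from those new paths, the condition never matches and email-code 2FA can be enabled while `core.mail_enabled` is off, leaving the account locked behind a code that is never sent. Either move the check into the three email pages or match it against the action values those pages are actually reached by, e.g. `if (!setting('core.mail_enabled') && str_starts_with(ACTION, 'email')) {` — adjust to the real routing, which is not visible here. A second point: when `getSession('account')` is falsy, `$account_logged` stays undefined and is still handed to `TwoFactorAuth::getInstance($account_logged)` and `addGlobal(...)`; displaying an error and returning there would make the unauthenticated path deliberate instead of relying on a downstream failure. The start of base.php (its `<?php` header and any `csrfProtect()` call the deleted 2fa.php used to make) is cut off in this hunk.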
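Review bot: In email/activate.php the final `count($errors) > 0` runs on every request, but `$errors` is only assigned inside the invalid-code branch; on a plain GET with no `save` the variable is undefined unless base.php or the framework initialises it, and on PHP 8 `count(null)` throws a TypeError rather than returning 0. Use `'wrongCode' => !empty($errors)` to match the `if (!empty($errors))` check two lines above, or initialise `$errors = [];` at the top of the page. Also, a wrong code only appends an error and re-renders; nothing in this hunk counts failed attempts, and the mail template in this same patch says a code stays valid for 24 hours, so if the code space is small an attempt cap belongs here — the code format lives in the gateway class, which is not in this diff.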
+++ b/system/pages/account/2fa/email/deactivate.php @@ -0,0 +1,37 @@ +hasRecentEmailCode(15 * 60)) { +// $twoFactorAuth->resendEmailCode(); +//} + +/*if (isset($_POST['save'])) { + if (!empty($code)) { + if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) { +*/ +$twoFactorAuth->disable(); +$twoFactorAuth->deleteOldCodes(); + +$twig->display('success.html.twig', + [ + 'title' => 'Email Code Authentication Deactivated', + 'description' => 'You have successfully deactivated the Email Code Authentication for your account.' + ] +); +/* +} +else { +$errors[] = 'Invalid email code!'; +} +} +}*/ + +/* +if (!empty($errors)) { + $twig->display('error_box.html.twig', ['errors' => $errors]); +} + +$twig->display('account/2fa/email/deactivate.html.twig', ['wrongCode' => count($errors) > 0]); +*/ diff --git a/system/pages/account/2fa/email/resend-code.php b/system/pages/account/2fa/email/resend-code.php new file mode 100644 index 00000000..f44e7513 --- /dev/null +++ b/system/pages/account/2fa/email/resend-code.php @@ -0,0 +1,17 @@ +hasRecentEmailCode(1 * 60)) { + $errors = ['Sorry, one email per 15 minutes']; +} +else { + $twoFactorAuth->resendEmailCode(); +} + +if (!empty($errors)) { + $twig->display('error_box.html.twig', ['errors' => $errors]); +} + +$twig->display('account/2fa/email/login.html.twig'); diff --git a/system/src/TwoFactorAuth/TwoFactorAuth.php b/system/src/TwoFactorAuth/TwoFactorAuth.php index 68035bbc..80344758 100644 --- a/system/src/TwoFactorAuth/TwoFactorAuth.php +++ b/system/src/TwoFactorAuth/TwoFactorAuth.php @@ -60,7 +60,7 @@ class TwoFactorAuth } define('HIDE_LOGIN_BOX', true); - $twig->display('account.2fa.email.login.html.twig', [ + $twig->display('account/2fa/email/login.html.twig', [ 'account_login' => $login_account, 'password_login' => $login_password, 'remember_me' => $remember_me, 
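Review bot: email/deactivate.php calls `$twoFactorAuth->disable()` and `deleteOldCodes()` unconditionally — the `isset($_POST['save'])` / `verifyCode($code)` block around them is commented out — so any request that reaches this page (a plain GET link included, unless `csrfProtect()` in the cut-off header rejects it) switches the account's second factor off, and the `account/2fa/email/deactivate.html.twig` form that asks for the code is never rendered. This is carried over from the deleted 2fa.php, but it is now a standalone page, so even as WIP it should not disable 2FA without the emailed code. The rewrite below re-enables the verification and mirrors activate.php; if the gateway is not already selected from the stored auth type, call `$twoFactorAuth->setAuthGateway(TwoFactorAuth::TYPE_EMAIL)` before `verifyCode` as activate.php does. The page's `<?php` header and its `require` of base.php are not visible in this hunk.
```php
// … unchanged: file header / base.php include …
if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) {
    $twoFactorAuth->resendEmailCode();
}

if (isset($_POST['save']) && !empty($code)) {
    if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) {
        $twoFactorAuth->disable();
        $twoFactorAuth->deleteOldCodes();

        $twig->display('success.html.twig', [
            'title' => 'Email Code Authentication Deactivated',
            'description' => 'You have successfully deactivated the Email Code Authentication for your account.'
        ]);
        return;
    }

    $errors[] = 'Invalid email code!';
}

if (!empty($errors)) {
    $twig->display('error_box.html.twig', ['errors' => $errors]);
}

$twig->display('account/2fa/email/deactivate.html.twig', ['wrongCode' => !empty($errors)]);
```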
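Review bot: The throttle in resend-code.php was changed to `hasRecentEmailCode(1 * 60)` while the error text still says `'Sorry, one email per 15 minutes'`, and activate.php in the same patch still uses `15 * 60`; one of the two is wrong, and a one-minute window lets a logged-in session trigger an outbound mail every minute, which is a mail-bombing vector against the account owner's inbox. Restore `if ($twoFactorAuth->hasRecentEmailCode(15 * 60)) {` (or fix the message) and hoist the interval into a constant on TwoFactorAuth so the three pages cannot drift. Note also that this page sends mail on any request, not only on a `save` POST, so a browser reload re-sends as soon as the window expires.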
@@ -94,7 +94,7 @@ class TwoFactorAuth $errors[] = 'Invalid email code!'; $twig->display('error_box.html.twig', ['errors' => $errors]); - $twig->display('account.2fa.email.login.html.twig', + $twig->display('account/2fa/email/login.html.twig', [ 'account_login' => $login_account, 'password_login' => $login_password, @@ -118,16 +118,16 @@ class TwoFactorAuth public function getAccountManageViews(): array { - $twoFactorView = 'account.2fa.protected.html.twig'; + $twoFactorView = 'account/2fa/protected.html.twig'; if ($this->authType == self::TYPE_EMAIL) { - $twoFactorView2 = 'account.2fa.email.activated.html.twig'; + $twoFactorView2 = 'account/2fa/email/activated.html.twig'; } elseif ($this->authType == self::TYPE_APP) { - $twoFactorView2 = 'account.2fa.app.activated.html.twig'; + $twoFactorView2 = 'account/2fa/app/activated.html.twig'; } else { - $twoFactorView = 'account.2fa.connect.html.twig'; - $twoFactorView2 = 'account.2fa.email.activate.html.twig'; + $twoFactorView = 'account/2fa/connect.html.twig'; + $twoFactorView2 = 'account/2fa/email/activate.html.twig'; } return [$twoFactorView, $twoFactorView2]; diff --git a/system/templates/account.management.html.twig b/system/templates/account.management.html.twig index a3f77f0b..6cc2ce7f 100644 --- a/system/templates/account.management.html.twig +++ b/system/templates/account.management.html.twig @@ -148,7 +148,7 @@
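Review bot: getAccountManageViews() now points the app branch at `account/2fa/app/activated.html.twig`, but the only app template this patch adds is the empty `account/2fa/app/activate.html.twig`, and no `activated` file appears in the renames; unless it exists outside this diff, an account stored with TYPE_APP will hit a Twig LoaderError on the account-management page. Either add the template (even as a stub) or have the TYPE_APP branch return the `protected`/`connect` pair until the app flow is implemented.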
- {{ include('account.2fa.main.html.twig') }} + {{ include('account/2fa/main.html.twig') }} {{ hook('HOOK_ACCOUNT_MANAGE_BEFORE_ACCOUNT_LOGS') }} diff --git a/system/templates/account/2fa/app/activate.html.twig b/system/templates/account/2fa/app/activate.html.twig new file mode 100644 index 00000000..e69de29b diff --git a/system/templates/account.2fa.connect.html.twig b/system/templates/account/2fa/connect.html.twig similarity index 92% rename from system/templates/account.2fa.connect.html.twig rename to system/templates/account/2fa/connect.html.twig index bfe70dd8..a936de9a 100644 --- a/system/templates/account.2fa.connect.html.twig +++ b/system/templates/account/2fa/connect.html.twig @@ -9,7 +9,7 @@ Connect your {{ config.lua.serverName }} account to an authenticator app!
-
+ {{ csrf() }} {% set button_name = 'Request' %} {% include('buttons.base.html.twig') %} diff --git a/system/templates/account.2fa.email.activate.html.twig b/system/templates/account/2fa/email/activate.html.twig similarity index 92% rename from system/templates/account.2fa.email.activate.html.twig rename to system/templates/account/2fa/email/activate.html.twig index a0220aab..32c56d24 100644 --- a/system/templates/account.2fa.email.activate.html.twig +++ b/system/templates/account/2fa/email/activate.html.twig @@ -10,7 +10,7 @@ Activate email code authentication for your account!
- + {{ csrf() }} {% set button_name = 'Request' %} {% include('buttons.base.html.twig') %} diff --git a/system/templates/account.2fa.email.activated.html.twig b/system/templates/account/2fa/email/activated.html.twig similarity index 81% rename from system/templates/account.2fa.email.activated.html.twig rename to system/templates/account/2fa/email/activated.html.twig index 035a1276..95ac4387 100644 --- a/system/templates/account.2fa.email.activated.html.twig +++ b/system/templates/account/2fa/email/activated.html.twig @@ -6,9 +6,9 @@
- + {{ csrf() }} - + {% set button_name = 'Deactivate' %} {{ include('buttons.base.html.twig') }} diff --git a/system/templates/account.2fa.email.deactivate.html.twig b/system/templates/account/2fa/email/deactivate.html.twig similarity index 94% rename from system/templates/account.2fa.email.deactivate.html.twig rename to system/templates/account/2fa/email/deactivate.html.twig index 5be208ad..9a0cc808 100644 --- a/system/templates/account.2fa.email.deactivate.html.twig +++ b/system/templates/account/2fa/email/deactivate.html.twig @@ -10,7 +10,7 @@ To deactivate two-factor email code authentication for your account, enter the received email code below. Note, however, that email code authentication - is an important security feature which helps to prevent any unauthorised access to your + is an important security feature which helps to prevent any unauthorized access to your Tibia account. @@ -28,7 +28,7 @@
@@ -86,10 +86,9 @@ - + {{ csrf() }} - {% set button_name = 'Continue' %} diff --git a/system/templates/account.2fa.email.login.html.twig b/system/templates/account/2fa/email/login.html.twig similarity index 97% rename from system/templates/account.2fa.email.login.html.twig rename to system/templates/account/2fa/email/login.html.twig index 658ad588..0c786b13 100644 --- a/system/templates/account.2fa.email.login.html.twig +++ b/system/templates/account/2fa/email/login.html.twig @@ -11,7 +11,7 @@
diff --git a/system/templates/account.2fa.email_code.html.twig b/system/templates/account/2fa/email/request.html.twig similarity index 93% rename from system/templates/account.2fa.email_code.html.twig rename to system/templates/account/2fa/email/request.html.twig index 009122cb..c8d934c1 100644 --- a/system/templates/account.2fa.email_code.html.twig +++ b/system/templates/account/2fa/email/request.html.twig @@ -31,14 +31,13 @@
- {{ csrf() }} {% if account_logged is defined %} {% endif %} - {% set button_name = 'Resend Email Code' %} {% include('buttons.base.html.twig') %} @@ -88,10 +87,9 @@ - + {{ csrf() }} - {% set button_color = 'green' %} diff --git a/system/templates/account.2fa.main.html.twig b/system/templates/account/2fa/main.html.twig similarity index 100% rename from system/templates/account.2fa.main.html.twig rename to system/templates/account/2fa/main.html.twig diff --git a/system/templates/account.2fa.protected.html.twig b/system/templates/account/2fa/protected.html.twig similarity index 100% rename from system/templates/account.2fa.protected.html.twig rename to system/templates/account/2fa/protected.html.twig diff --git a/system/templates/mail.account.2fa.email-code.html.twig b/system/templates/mail.account.2fa.email-code.html.twig index 18525511..53faca6d 100644 --- a/system/templates/mail.account.2fa.email-code.html.twig +++ b/system/templates/mail.account.2fa.email-code.html.twig @@ -2,7 +2,7 @@ Dear {{ config.lua.serverName}} player,

Your account is protected by email code authentication, and you requested a new email code:

-

{{ code }}

+

{{ code }}


Note that the code is only valid for 24 hours.

diff --git a/templates/tibiacom/account.management.html.twig b/templates/tibiacom/account.management.html.twig index 4f46b5d3..3ab4c971 100644 --- a/templates/tibiacom/account.management.html.twig +++ b/templates/tibiacom/account.management.html.twig @@ -291,7 +291,7 @@ {% include 'tables.headline.html.twig' %}
-{{ include('account.2fa.main.html.twig') }} +{{ include('account/2fa/main.html.twig') }} {{ hook('HOOK_ACCOUNT_MANAGE_BEFORE_ACCOUNT_LOGS') }}