From a244d95224fb1aeef51b5d738c1efbceab8fab59 Mon Sep 17 00:00:00 2001
From: Dejan Savuljesku <d.savuljesku@gmail.com>
Date: Wed, 11 Sep 2019 10:29:43 +0200
Subject: [PATCH] Ask user to reauthenticate before changing 2FA method

Re-auth period set to 60s

Bug: T218211
Change-Id: I17a84b8e60da2ada35c6b86cf6b66d75fb3f13fe
---
 extension.json             | 3 +++
 src/Special/OATHManage.php | 9 +++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/extension.json b/extension.json
index a8ad8087..3f02c140 100644
--- a/extension.json
+++ b/extension.json
@@ -140,6 +140,9 @@
 			]
 		}
 	},
+	"ReauthenticateTime":  {
+		"oathauth-enable": 60
+	},
 	"load_composer_autoloader": true,
 	"LogTypes": [ "oath" ],
 	"LogNames": {
diff --git a/src/Special/OATHManage.php b/src/Special/OATHManage.php
index e7231d71..29ba9dd7 100644
--- a/src/Special/OATHManage.php
+++ b/src/Special/OATHManage.php
@@ -84,12 +84,12 @@ class OATHManage extends SpecialPage {
 	 * @return void
 	 */
 	public function execute( $subPage ) {
-		parent::execute( $subPage );
-
 		$this->getOutput()->enableOOUI();
 		$this->setAction();
 		$this->setModule();
 
+		parent::execute( $subPage );
+
 		if ( $this->requestedModule instanceof IModule ) {
 			// Performing an action on a requested module
 			$this->clearPage();
@@ -127,6 +127,11 @@ class OATHManage extends SpecialPage {
 			// No enabled module and cannot enable - nothing to do
 			$this->displayRestrictionError();
 		}
+
+		if ( $this->action === static::ACTION_ENABLE ) {
+			// Trying to change the 2FA method (one is already enabled)
+			$this->checkLoginSecurityLevel( 'oathauth-enable' );
+		}
 	}
 
 	private function setAction() {