From 68a216102e81531a170e9e86310adc6c46435b24 Mon Sep 17 00:00:00 2001
From: syeopite <syeopite@syeopite.dev>
Date: Thu, 15 Jul 2021 01:19:55 -0700
Subject: [PATCH] Add 2fa to change_password endpoint

---
 src/invidious/routes/account.cr | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index f3241057..1b55db9e 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -23,6 +23,12 @@ module Invidious::Routes::Account
 
     user = user.as(User)
     sid = sid.as(String)
+
+    if user.totp_secret && env.response.cookies["2faVerified"]?.try &.value != "1" || nil
+      csrf_token = generate_response(sid, {":validate_2fa"}, HMAC_KEY)
+      next templated "account/validate_2fa?referer=#{env.get?("current_page")}"
+    end
+
     csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY)
 
     templated "user/change_password"
@@ -362,7 +368,7 @@ module Invidious::Routes::Account
 
     user = env.get? "user"
     sid = env.get? "sid"
-    referer = get_referer(env)
+    referer = get_referer(env, unroll: false)
 
     user = user.as(User)
     sid = sid.as(String)