Add 2fa token login to oauth login form

src/oauth2views/login.ejs

@@ -31,6 +31,10 @@
             <label class="control-label" for="inputPassword">Password</label>
             <input type="password" class="form-control" name="password" id="inputPassword" value="<%= password %>" required>
           </div>
+          <div class="form-group">
+            <label class="control-label" for="inputPassword">2fa Token (if enabled)</label>
+            <input type="text" class="form-control" name="totpToken" id="inputTotpToken" value="">
+          </div>
           <input class="btn btn-primary btn-outline pull-right" type="submit" value="Sign in"/>
         </form>
         <a href="/api/v1/session/password/resetRequest.html">Reset password</a>

src/routes/oauth2.js

@@ -19,6 +19,7 @@ var apps = require('../apps'),
     querystring = require('querystring'),
     session = require('connect-ensure-login'),
     settings = require('../settings'),
+    speakeasy = require('speakeasy'),
     tokendb = require('../tokendb'),
     url = require('url'),
     user = require('../user.js'),
@@ -254,6 +255,19 @@ function login(req, res) {
     passport.authenticate('local', {
         failureRedirect: '/api/v1/session/login?' + failureQuery
     })(req, res, function () {
+        if (req.user.twoFactorAuthenticationEnabled) {
+            if (!req.body.totpToken) {
+                let failureQuery = querystring.stringify({ error: 'A 2fa token is required', returnTo: returnTo });
+                return res.redirect('/api/v1/session/login?' + failureQuery);
+            }
+
+            let verified = speakeasy.totp.verify({ secret: req.user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken });
+            if (!verified) {
+                let failureQuery = querystring.stringify({ error: 'The 2fa token is invalid', returnTo: returnTo });
+                return res.redirect('/api/v1/session/login?' + failureQuery);
+            }
+        }
+
         res.redirect(returnTo);
     });
 }