From fb165ef28b4969c552ebd17f0d60e4a5c465d269 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sat, 19 Mar 2016 07:56:57 +0100
Subject: [PATCH] Do not give the user the secret.
---
 app/Http/Controllers/PreferencesController.php | 3 ++-
 app/Http/Requests/TokenFormRequest.php | 3 +--
 app/Validation/FireflyValidator.php | 6 ++----
 resources/views/preferences/code.twig | 15 ++++-----------
 4 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/app/Http/Controllers/PreferencesController.php b/app/Http/Controllers/PreferencesController.php
index 127c8dc9de..6205cc8a69 100644
--- a/app/Http/Controllers/PreferencesController.php
+++ b/app/Http/Controllers/PreferencesController.php
@@ -37,10 +37,11 @@ class PreferencesController extends Controller
 {
 $domain = $this->getDomain();
 $secret = $google2fa->generateSecretKey(16, Auth::user()->id);
+ Session::flash('two-factor-secret', $secret);
 $image = $google2fa->getQRCodeInline('Firefly III at ' . $domain, null, $secret, 150);
- return view('preferences.code', compact('secret', 'image'));
+ return view('preferences.code', compact('image'));
 }
 /**
diff --git a/app/Http/Requests/TokenFormRequest.php b/app/Http/Requests/TokenFormRequest.php
index c4badfd780..b5a2b4f8d4 100644
--- a/app/Http/Requests/TokenFormRequest.php
+++ b/app/Http/Requests/TokenFormRequest.php
@@ -29,8 +29,7 @@ class TokenFormRequest extends Request
 {
 $rules = [
- 'secret' => 'required',
- 'code' => 'required|2faCode:secret',
+ 'code' => 'required|2faCode',
 ];
 return $rules;
diff --git a/app/Validation/FireflyValidator.php b/app/Validation/FireflyValidator.php
index d22271e8c3..1a14187fa3 100644
--- a/app/Validation/FireflyValidator.php
+++ b/app/Validation/FireflyValidator.php
@@ -18,8 +18,8 @@ use FireflyIII\Rules\Triggers\TriggerInterface;
 use FireflyIII\User;
 use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Validation\Validator;
-use Input;
 use Log;
+use Session;
 use Symfony\Component\Translation\TranslatorInterface;
 /**
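Review bot: `Session::flash('two-factor-secret', $secret)` keeps the secret for exactly one subsequent request, so any request that lands between rendering this page and the POST (an AJAX call, a page reload, any other route hit by the browser) consumes it and the submitted code can no longer be verified. Because the secret only needs to live until the user confirms the code, `Session::put('two-factor-secret', $secret)` here, paired with `Session::forget('two-factor-secret')` in the handler that accepts the code (not part of this diff), is the more robust choice. Dropping `secret` from `compact()` is the right move; the QR image still necessarily encodes it, so the page remains sensitive even though the raw value is no longer exposed as a form field. If the code.twig hunk leaves a `{{ secret }}` tag in place, it will now render empty since the view no longer receives that variable, which is worth confirming. The `code` action itself begins before this hunk.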
@@ -59,9 +59,7 @@ class FireflyValidator extends Validator return false; } - // Retrieve the secret from our hidden form field. - $secret = Input::get($parameters[0]); - + $secret = Session::get('two-factor-secret'); $google2fa = app('PragmaRX\Google2FA\Google2FA'); return $google2fa->verifyKey($secret, $value); diff --git a/resources/views/preferences/code.twig b/resources/views/preferences/code.twig index edb0ce81e5..82fa73680f 100644 --- a/resources/views/preferences/code.twig +++ b/resources/views/preferences/code.twig @@ -6,8 +6,6 @@ {% block content %} {{ Form.open({'class' : 'form-horizontal','id' : 'preferences.code'}) }} - -
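Review bot: `Session::get('two-factor-secret')` returns `null` once the flashed value has been consumed or the session was regenerated, and that `null` is handed straight to `verifyKey()`; the rule should fail explicitly rather than rely on the library's handling of a missing secret: `$secret = Session::get('two-factor-secret'); if (null === $secret) { return false; }`. With the secret no longer read from the request, `$parameters` appears to be unused in this method, and the `2faCode:secret` form is gone from TokenFormRequest, so a short comment such as `// Secret is placed in the session by PreferencesController::code(); it must never be accepted from the request.` would make the coupling between the two files visible to the next reader. The validating method begins before this hunk.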
@@ -19,19 +17,14 @@ {{ 'pref_two_factor_auth_code_help'|_ }}

-
- + +

-
-
-

{{ secret }}

-
-
- - {{ ExpandedForm.text('code', code, {'label' : 'Code'}) }} + + {{ ExpandedForm.text('code', code) }}