2 files changed, 16 insertions, 0 deletions

diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php
index 191055e2c..4df718c6a 100644
--- a/Zotlabs/Module/Settings/Multifactor.php
+++ b/Zotlabs/Module/Settings/Multifactor.php
@@ -12,10 +12,24 @@ use ParagonIE\ConstantTime\Base32;
 
 class Multifactor {
 	public function post() {
+		check_form_security_token_redirectOnErr('/settings/multifactor', 'settings_mfa');
+
 		$account = App::get_account();
 		if (!$account) {
 			return;
 		}
+
+		if (empty($_POST['password'])) {
+			notice(t('Password is required') . EOL);
+			return;
+		}
+
+		$password = trim($_POST['password']);
+		if(!account_verify_password($account['account_email'], $password)) {
+			notice(t('The provided password is not correct') . EOL);
+			return;
+		}
+
 		$enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false;
 		AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa);
 		if ($enable_mfa) {
@@ -67,6 +81,7 @@ class Multifactor {
 					t('Logging in will require you to be in possession of your smartphone with an authenticator app'),
 					[t('No'), t('Yes')]
 				],
+				'$password' => ['password', t('Please enter your password'), '', t('Required')],
 				'$submit' => t('Submit'),
 				'$test' => t('Test')
 			]
diff --git a/view/tpl/totp_setup.tpl b/view/tpl/totp_setup.tpl
index 2ee79fae9..1301d0001 100644
--- a/view/tpl/totp_setup.tpl
+++ b/view/tpl/totp_setup.tpl
@@ -28,6 +28,7 @@
 		<div id="mfa-submit-wrapper" class="{{if !$enable_mfa.2}}d-none{{/if}}">
 			<form action="settings/multifactor" method="post">
 				<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
+				{{include file="field_password.tpl" field=$password}}
 				{{include file="field_checkbox.tpl" field=$enable_mfa}}
 				<div class="settings-submit-wrapper" >
 					<button id="otp-enable-submit" type="b" name="submit" class="btn btn-primary">