From f7957461a13dd09412b69fb253d8af2d2cede67f Mon Sep 17 00:00:00 2001
From: Christian Beeznest <christian.fasanando@beeznest.com>
Date: Thu, 10 Apr 2025 01:57:49 -0500
Subject: [PATCH 1/6] User: Add improvements to 2FA - refs #6162

---
 assets/vue/composables/auth/login.js          |  4 +-
 .../Controller/AccountController.php          | 87 +++++++++++++++----
 .../Controller/SecurityController.php         | 16 ++--
 src/CoreBundle/Form/ChangePasswordType.php    |  5 ++
 .../views/Account/change_password.html.twig   | 11 ++-
 5 files changed, 97 insertions(+), 26 deletions(-)

diff --git a/assets/vue/composables/auth/login.js b/assets/vue/composables/auth/login.js
index 2a132a02516..1955e734d8d 100644
--- a/assets/vue/composables/auth/login.js
+++ b/assets/vue/composables/auth/login.js
@@ -32,8 +32,8 @@ export function useLogin() {
     try {
       const responseData = await securityService.login(payload)
 
-      if (responseData.requires2FA) {
-        return { success: true, requires2FA: true };
+      if (responseData.error) {
+        return { success: false, requires2FA: true, error: responseData.error }
       }
 
       if (route.query.redirect) {
diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php
index 4145966f3df..16fc11cfb99 100644
--- a/src/CoreBundle/Controller/AccountController.php
+++ b/src/CoreBundle/Controller/AccountController.php
@@ -92,7 +92,7 @@ public function edit(Request $request, UserRepository $userRepository, Illustrat
     }
 
     #[Route('/change-password', name: 'chamilo_core_account_change_password', methods: ['GET', 'POST'])]
-    public function changePassword(Request $request, UserRepository $userRepository, CsrfTokenManagerInterface $csrfTokenManager): Response
+    public function changePassword(Request $request, UserRepository $userRepository, CsrfTokenManagerInterface $csrfTokenManager, SettingsManager $settingsManager): Response
     {
         /** @var User $user */
         $user = $this->getUser();
@@ -107,11 +107,12 @@ public function changePassword(Request $request, UserRepository $userRepository,
         $form->handleRequest($request);
 
         $qrCodeBase64 = null;
+        $showQRCode = false;
         if ($user->getMfaEnabled() && 'TOTP' === $user->getMfaService() && $user->getMfaSecret()) {
             $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
             $totp = TOTP::create($decryptedSecret);
-            $totp->setLabel($user->getEmail());
-
+            $portalName = $settingsManager->getSetting('platform.institution');
+            $totp->setLabel($user->getEmail() . ' (' . $portalName . ')');
             $qrCodeResult = Builder::create()
                 ->writer(new PngWriter())
                 ->data($totp->getProvisioningUri())
@@ -123,6 +124,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
             ;
 
             $qrCodeBase64 = base64_encode($qrCodeResult->getString());
+            $showQRCode = true;
         }
 
         if ($form->isSubmitted() && $form->isValid()) {
@@ -136,14 +138,33 @@ public function changePassword(Request $request, UserRepository $userRepository,
                 $confirmPassword = $form->get('confirmPassword')->getData();
                 $enable2FA = $form->get('enable2FA')->getData();
 
+                if ($user->getMfaEnabled()) {
+                    $enteredCode = $form->get('confirm2FACode')->getData();
+                    if (empty($enteredCode) || !$this->isTOTPValid($user, $enteredCode)) {
+                        $form->get('confirm2FACode')->addError(new FormError('The 2FA code is invalid.'));
+                        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
+                            'form' => $form->createView(),
+                            'qrCode' => $qrCodeBase64,
+                            'user' => $user,
+                            'showQRCode' => $qrCodeBase64 !== null || ($form->isSubmitted() && $form->get('enable2FA')->getData()),
+                        ]);
+                    }
+                }
+
                 if ($enable2FA && !$user->getMfaSecret()) {
-                    $totp = TOTP::create();
-                    $totp->setLabel($user->getEmail());
-                    $encryptedSecret = $this->encryptTOTPSecret($totp->getSecret(), $_ENV['APP_SECRET']);
-                    $user->setMfaSecret($encryptedSecret);
-                    $user->setMfaEnabled(true);
-                    $user->setMfaService('TOTP');
-                    $userRepository->updateUser($user);
+                    $session = $request->getSession();
+
+                    if (!$session->has('temporary_mfa_secret')) {
+                        $totp = TOTP::create();
+                        $secret = $totp->getSecret();
+                        $session->set('temporary_mfa_secret', $secret);
+                    } else {
+                        $secret = $session->get('temporary_mfa_secret');
+                        $totp = TOTP::create($secret);
+                    }
+
+                    $portalName = $settingsManager->getSetting('platform.institution');
+                    $totp->setLabel($user->getEmail() . ' (' . $portalName . ')');
 
                     $qrCodeResult = Builder::create()
                         ->writer(new PngWriter())
@@ -156,12 +177,36 @@ public function changePassword(Request $request, UserRepository $userRepository,
                     ;
 
                     $qrCodeBase64 = base64_encode($qrCodeResult->getString());
+                    $enteredCode = $form->get('confirm2FACode')->getData();
+
+                    if (!$enteredCode) {
+                        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
+                            'form' => $form->createView(),
+                            'qrCode' => $qrCodeBase64,
+                            'user' => $user,
+                            'showQRCode' => true,
+                        ]);
+                    }
 
-                    return $this->render('@ChamiloCore/Account/change_password.html.twig', [
-                        'form' => $form->createView(),
-                        'qrCode' => $qrCodeBase64,
-                        'user' => $user,
-                    ]);
+                    if (!$totp->verify($enteredCode)) {
+                        $form->get('confirm2FACode')->addError(new FormError('The code is incorrect.'));
+                        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
+                            'form' => $form->createView(),
+                            'qrCode' => $qrCodeBase64,
+                            'user' => $user,
+                            'showQRCode' => true,
+                        ]);
+                    }
+
+                    $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
+                    $user->setMfaSecret($encryptedSecret);
+                    $user->setMfaEnabled(true);
+                    $user->setMfaService('TOTP');
+                    $userRepository->updateUser($user);
+                    $session->remove('temporary_mfa_secret');
+                    $this->addFlash('success', '2FA activated successfully.');
+
+                    return $this->redirectToRoute('chamilo_core_account_home');
                 }
                 if (!$enable2FA) {
                     $user->setMfaEnabled(false);
@@ -190,6 +235,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
             'form' => $form->createView(),
             'qrCode' => $qrCodeBase64,
             'user' => $user,
+            'showQRCode' => $qrCodeBase64 !== null || ($form->isSubmitted() && $form->get('enable2FA')->getData()),
         ]);
     }
 
@@ -205,6 +251,17 @@ private function encryptTOTPSecret(string $secret, string $encryptionKey): strin
         return base64_encode($iv.'::'.$encryptedSecret);
     }
 
+    /**
+     * Validates the provided TOTP code for the given user.
+     */
+    private function isTOTPValid(User $user, string $totpCode): bool
+    {
+        $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
+        $totp = TOTP::create($decryptedSecret);
+
+        return $totp->verify($totpCode);
+    }
+
     /**
      * Decrypts the TOTP secret using AES-256-CBC decryption.
      */
diff --git a/src/CoreBundle/Controller/SecurityController.php b/src/CoreBundle/Controller/SecurityController.php
index 47816e8854c..917775453df 100644
--- a/src/CoreBundle/Controller/SecurityController.php
+++ b/src/CoreBundle/Controller/SecurityController.php
@@ -66,19 +66,21 @@ public function loginJson(Request $request, EntityManager $entityManager, Settin
         }
 
         if ($user->getMfaEnabled()) {
-            $totpCode = null;
             $data = json_decode($request->getContent(), true);
-            if (isset($data['totp'])) {
-                $totpCode = $data['totp'];
+            $totpCode = $data['totp'] ?? null;
+
+            if (null === $totpCode) {
+                $tokenStorage->setToken(null);
+                $request->getSession()->invalidate();
+
+                return $this->json(['requires2FA' => true], 200);
             }
 
-            if (null === $totpCode || !$this->isTOTPValid($user, $totpCode)) {
+            if (!$this->isTOTPValid($user, $totpCode)) {
                 $tokenStorage->setToken(null);
                 $request->getSession()->invalidate();
 
-                return $this->json([
-                    'requires2FA' => true,
-                ], 200);
+                return $this->json(['error' => 'Invalid 2FA code.'], 401);
             }
         }
 
diff --git a/src/CoreBundle/Form/ChangePasswordType.php b/src/CoreBundle/Form/ChangePasswordType.php
index a6facbe6872..80845988206 100644
--- a/src/CoreBundle/Form/ChangePasswordType.php
+++ b/src/CoreBundle/Form/ChangePasswordType.php
@@ -9,6 +9,7 @@
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 
@@ -38,6 +39,10 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
                 'label' => 'Enable Two-Factor Authentication (2FA)',
                 'required' => false,
             ])
+            ->add('confirm2FACode', TextType::class, [
+                'label' => 'Enter your 2FA code',
+                'required' => false,
+            ])
         ;
     }
 
diff --git a/src/CoreBundle/Resources/views/Account/change_password.html.twig b/src/CoreBundle/Resources/views/Account/change_password.html.twig
index 4cda0f2bc19..c9690820b6d 100644
--- a/src/CoreBundle/Resources/views/Account/change_password.html.twig
+++ b/src/CoreBundle/Resources/views/Account/change_password.html.twig
@@ -55,6 +55,12 @@
                 {{ form_errors(form.enable2FA) }}
             </div>
 
+            <div id="confirm2fa-field" class="mb-4" style="{{ showQRCode is defined and showQRCode ? '' : 'display: none;' }}">
+                {{ form_label(form.confirm2FACode) }}
+                {{ form_widget(form.confirm2FACode, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline'}}) }}
+                {{ form_errors(form.confirm2FACode) }}
+            </div>
+
             <div class="flex items-center justify-center">
                 <input type="hidden" name="_token" value="{{ csrf_token('change_password') }}">
                 <button type="submit" class="btn btn--primary mt-4">
@@ -68,10 +74,11 @@
 
             {{ form_end(form) }}
 
-            {% if qrCode is defined and user.getMfaEnabled() %}
+            {% if qrCode is defined and showQRCode %}
                 <div class="mt-6 text-center">
                     <h3 class="text-lg font-medium">{{ 'Scan the QR Code to enable 2FA'|trans }}</h3>
-                    <img src="data:image/png;base64,{{ qrCode }}" alt="{{ 'QR Code for 2FA'|trans }}">
+                    <img src="data:image/png;base64,{{ qrCode }}" alt="{{ 'QR Code for 2FA'|trans }}" class="block m-auto">
+                    <p class="text-gray-600 mt-2">{{ 'Then enter the 6-digit code shown in your app below.'|trans }}</p>
                 </div>
             {% endif %}
 

From 5a5021b0d8449e3e0958c687aca37d934ecc574b Mon Sep 17 00:00:00 2001
From: Yannick Warnier <ywarnier@users.noreply.github.com>
Date: Tue, 22 Apr 2025 16:54:03 +0200
Subject: [PATCH 2/6] Minor: Update order for topt label

---
 src/CoreBundle/Controller/AccountController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php
index 16fc11cfb99..48efbed3240 100644
--- a/src/CoreBundle/Controller/AccountController.php
+++ b/src/CoreBundle/Controller/AccountController.php
@@ -112,7 +112,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
             $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
             $totp = TOTP::create($decryptedSecret);
             $portalName = $settingsManager->getSetting('platform.institution');
-            $totp->setLabel($user->getEmail() . ' (' . $portalName . ')');
+            $totp->setLabel($portalName . ': '. $user->getEmail());
             $qrCodeResult = Builder::create()
                 ->writer(new PngWriter())
                 ->data($totp->getProvisioningUri())
@@ -164,7 +164,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
                     }
 
                     $portalName = $settingsManager->getSetting('platform.institution');
-                    $totp->setLabel($user->getEmail() . ' (' . $portalName . ')');
+                    $totp->setLabel($portalName . ': '. $user->getEmail());
 
                     $qrCodeResult = Builder::create()
                         ->writer(new PngWriter())

From 0172b539124309852e232cc3595890104926b086 Mon Sep 17 00:00:00 2001
From: Yannick Warnier <ywarnier@users.noreply.github.com>
Date: Tue, 22 Apr 2025 17:00:20 +0200
Subject: [PATCH 3/6] Internal: Update topt label to not include a column

---
 src/CoreBundle/Controller/AccountController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php
index 48efbed3240..a52bc10bb45 100644
--- a/src/CoreBundle/Controller/AccountController.php
+++ b/src/CoreBundle/Controller/AccountController.php
@@ -112,7 +112,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
             $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
             $totp = TOTP::create($decryptedSecret);
             $portalName = $settingsManager->getSetting('platform.institution');
-            $totp->setLabel($portalName . ': '. $user->getEmail());
+            $totp->setLabel($portalName . ' - '. $user->getEmail());
             $qrCodeResult = Builder::create()
                 ->writer(new PngWriter())
                 ->data($totp->getProvisioningUri())
@@ -164,7 +164,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
                     }
 
                     $portalName = $settingsManager->getSetting('platform.institution');
-                    $totp->setLabel($portalName . ': '. $user->getEmail());
+                    $totp->setLabel($portalName . ' - '. $user->getEmail());
 
                     $qrCodeResult = Builder::create()
                         ->writer(new PngWriter())

From d766e242b803d770efd4c5559619d8b16cd8d42d Mon Sep 17 00:00:00 2001
From: Yannick Warnier <ywarnier@users.noreply.github.com>
Date: Tue, 22 Apr 2025 19:21:35 +0200
Subject: [PATCH 4/6] Language: Update language terms names

---
 .../Resources/views/Account/change_password.html.twig       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/CoreBundle/Resources/views/Account/change_password.html.twig b/src/CoreBundle/Resources/views/Account/change_password.html.twig
index c9690820b6d..3ca2c7d294d 100644
--- a/src/CoreBundle/Resources/views/Account/change_password.html.twig
+++ b/src/CoreBundle/Resources/views/Account/change_password.html.twig
@@ -76,9 +76,9 @@
 
             {% if qrCode is defined and showQRCode %}
                 <div class="mt-6 text-center">
-                    <h3 class="text-lg font-medium">{{ 'Scan the QR Code to enable 2FA'|trans }}</h3>
-                    <img src="data:image/png;base64,{{ qrCode }}" alt="{{ 'QR Code for 2FA'|trans }}" class="block m-auto">
-                    <p class="text-gray-600 mt-2">{{ 'Then enter the 6-digit code shown in your app below.'|trans }}</p>
+                    <h3 class="text-lg font-medium">{{ 'Scan the QR code to enable 2FA'|trans }}</h3>
+                    <img src="data:image/png;base64,{{ qrCode }}" alt="{{ 'QR code for 2FA'|trans }}" class="block m-auto">
+                    <p class="text-gray-600 mt-2">{{ 'Then enter the 6-digit code shown in your app at the bottom of the form.'|trans }}</p>
                 </div>
             {% endif %}
 

From ff8f43bfb18477451aab9db08744b6479209196a Mon Sep 17 00:00:00 2001
From: Christian Beeznest <christian.fasanando@beeznest.com>
Date: Tue, 22 Apr 2025 19:59:51 -0500
Subject: [PATCH 5/6] User: Fix QR reappearance and enforce TOTP on login

---
 assets/vue/components/Login.vue               | 16 ++--
 assets/vue/composables/auth/login.js          | 37 ++++----
 .../Controller/AccountController.php          | 13 +--
 .../views/Account/change_password.html.twig   | 85 +++++++++++--------
 4 files changed, 84 insertions(+), 67 deletions(-)

diff --git a/assets/vue/components/Login.vue b/assets/vue/components/Login.vue
index 8b0c197bdaf..0d532ae4833 100644
--- a/assets/vue/components/Login.vue
+++ b/assets/vue/components/Login.vue
@@ -28,7 +28,10 @@
         />
       </div>
 
-      <div v-if="requires2FA" class="field">
+      <div
+        v-if="requires2FA"
+        class="field"
+      >
         <InputText
           v-model="totp"
           :placeholder="t('Enter 2FA code')"
@@ -90,18 +93,19 @@ import { useI18n } from "vue-i18n"
 import { useLogin } from "../composables/auth/login"
 import LoginOAuth2Buttons from "./login/LoginOAuth2Buttons.vue"
 import { usePlatformConfig } from "../store/platformConfig"
+import { useRouter } from "vue-router"
 
 const { t } = useI18n()
+const router = useRouter()
 const platformConfigStore = usePlatformConfig()
 const allowRegistration = computed(() => "false" !== platformConfigStore.getSetting("registration.allow_registration"))
 
-const { redirectNotAuthenticated, performLogin, isLoading } = useLogin()
+const { redirectNotAuthenticated, performLogin, isLoading, requires2FA } = useLogin()
 
 const login = ref("")
 const password = ref("")
 const totp = ref("")
 const remember = ref(false)
-const requires2FA = ref(false)
 
 redirectNotAuthenticated()
 
@@ -112,11 +116,5 @@ async function onSubmitLoginForm() {
     totp: requires2FA.value ? totp.value : null,
     _remember_me: remember.value,
   })
-
-  if (response.requires2FA) {
-    requires2FA.value = true
-  } else {
-    router.replace({ name: "Home" })
-  }
 }
 </script>
diff --git a/assets/vue/composables/auth/login.js b/assets/vue/composables/auth/login.js
index 1955e734d8d..7634b28cd34 100644
--- a/assets/vue/composables/auth/login.js
+++ b/assets/vue/composables/auth/login.js
@@ -25,44 +25,46 @@ export function useLogin() {
   const { showSuccessNotification, showErrorNotification } = useNotification()
 
   const isLoading = ref(false)
+  const requires2FA = ref(false)
 
   async function performLogin(payload) {
     isLoading.value = true
+    requires2FA.value = false
 
     try {
       const responseData = await securityService.login(payload)
 
-      if (responseData.error) {
-        return { success: false, requires2FA: true, error: responseData.error }
+      if (responseData.requires2FA && !payload.totp) {
+        requires2FA.value = true
+        return { success: false, requires2FA: true }
       }
 
-      if (route.query.redirect) {
-        // Check if 'redirect' is an absolute URL
-        if (isValidHttpUrl(route.query.redirect.toString())) {
-          // If it's an absolute URL, redirect directly
-          window.location.href = route.query.redirect.toString()
-
-          return
-        }
-      } else if (responseData.load_terms) {
-        window.location.href = responseData.redirect
-
-        return
+      if (responseData.error) {
+        showErrorNotification(responseData.error)
+        return { success: false, error: responseData.error }
       }
 
       securityStore.user = responseData
-
       await platformConfigurationStore.initialize()
 
       if (route.query.redirect) {
-        // If 'redirect' is a relative path, use 'router.push' to navigate
-        await router.replace({ path: route.query.redirect.toString() })
+        const redirect = route.query.redirect.toString()
+        if (isValidHttpUrl(redirect)) {
+          window.location.href = redirect
+        } else {
+          await router.replace({ path: redirect })
+        }
+      } else if (responseData.load_terms) {
+        window.location.href = responseData.redirect
       } else {
         await router.replace({ name: "Home" })
       }
+
+      return { success: true }
     } catch (error) {
       const errorMessage = error.response?.data?.error || "An error occurred during login."
       showErrorNotification(errorMessage)
+      return { success: false, error: errorMessage }
     } finally {
       isLoading.value = false
     }
@@ -84,5 +86,6 @@ export function useLogin() {
     isLoading,
     performLogin,
     redirectNotAuthenticated,
+    requires2FA,
   }
 }
diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php
index a52bc10bb45..83e35eacd1b 100644
--- a/src/CoreBundle/Controller/AccountController.php
+++ b/src/CoreBundle/Controller/AccountController.php
@@ -108,11 +108,13 @@ public function changePassword(Request $request, UserRepository $userRepository,
 
         $qrCodeBase64 = null;
         $showQRCode = false;
-        if ($user->getMfaEnabled() && 'TOTP' === $user->getMfaService() && $user->getMfaSecret()) {
-            $decryptedSecret = $this->decryptTOTPSecret($user->getMfaSecret(), $_ENV['APP_SECRET']);
-            $totp = TOTP::create($decryptedSecret);
+        $session = $request->getSession();
+        if ($form->get('enable2FA')->getData() && !$user->getMfaSecret() && $session->has('temporary_mfa_secret')) {
+            $secret = $session->get('temporary_mfa_secret');
+            $totp = TOTP::create($secret);
             $portalName = $settingsManager->getSetting('platform.institution');
-            $totp->setLabel($portalName . ' - '. $user->getEmail());
+            $totp->setLabel($portalName . ' - ' . $user->getEmail());
+
             $qrCodeResult = Builder::create()
                 ->writer(new PngWriter())
                 ->data($totp->getProvisioningUri())
@@ -120,8 +122,7 @@ public function changePassword(Request $request, UserRepository $userRepository,
                 ->errorCorrectionLevel(new ErrorCorrectionLevelHigh())
                 ->size(300)
                 ->margin(10)
-                ->build()
-            ;
+                ->build();
 
             $qrCodeBase64 = base64_encode($qrCodeResult->getString());
             $showQRCode = true;
diff --git a/src/CoreBundle/Resources/views/Account/change_password.html.twig b/src/CoreBundle/Resources/views/Account/change_password.html.twig
index 3ca2c7d294d..cecc3836f9d 100644
--- a/src/CoreBundle/Resources/views/Account/change_password.html.twig
+++ b/src/CoreBundle/Resources/views/Account/change_password.html.twig
@@ -23,8 +23,8 @@
                 {{ form_label(form.currentPassword) }}
                 {{ form_widget(form.currentPassword, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline', 'id': 'change_password_currentPassword'}}) }}
                 <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_currentPassword">
-                    <i class="mdi mdi-eye-outline text-gray-700"></i>
-                </span>
+                <i class="mdi mdi-eye-outline text-gray-700"></i>
+            </span>
                 {{ form_errors(form.currentPassword) }}
             </div>
 
@@ -32,8 +32,8 @@
                 {{ form_label(form.newPassword) }}
                 {{ form_widget(form.newPassword, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline', 'id': 'change_password_newPassword'}}) }}
                 <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_newPassword">
-                    <i class="mdi mdi-eye-outline text-gray-700"></i>
-                </span>
+                <i class="mdi mdi-eye-outline text-gray-700"></i>
+            </span>
                 <ul id="password-requirements" class="text-sm text-red-500 mt-2" style="display: none;"></ul>
                 <div id="new-password-errors">
                     {{ form_errors(form.newPassword) }}
@@ -44,18 +44,18 @@
                 {{ form_label(form.confirmPassword) }}
                 {{ form_widget(form.confirmPassword, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline', 'id': 'change_password_confirmPassword'}}) }}
                 <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_confirmPassword">
-                    <i class="mdi mdi-eye-outline text-gray-700"></i>
-                </span>
+                <i class="mdi mdi-eye-outline text-gray-700"></i>
+            </span>
                 {{ form_errors(form.confirmPassword) }}
             </div>
 
             <div class="mb-4">
                 {{ form_label(form.enable2FA) }}
-                {{ form_widget(form.enable2FA, {'attr': {'class': 'form-checkbox'}}) }}
+                {{ form_widget(form.enable2FA, {'attr': {'class': 'form-checkbox', 'id': 'change_password_enable2FA'}}) }}
                 {{ form_errors(form.enable2FA) }}
             </div>
 
-            <div id="confirm2fa-field" class="mb-4" style="{{ showQRCode is defined and showQRCode ? '' : 'display: none;' }}">
+            <div id="confirm2fa-field" class="mb-4" style="display: none;">
                 {{ form_label(form.confirm2FACode) }}
                 {{ form_widget(form.confirm2FACode, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline'}}) }}
                 {{ form_errors(form.confirm2FACode) }}
@@ -88,33 +88,48 @@
     {{ password_checker_js('#change_password_newPassword') }}
 
     <script>
-        document.addEventListener('DOMContentLoaded', function() {
-            const togglePasswordButtons = document.querySelectorAll('.toggle-password');
-            togglePasswordButtons.forEach(button => {
-                button.addEventListener('click', function() {
-                    const input = document.querySelector(this.getAttribute('data-target'));
-                    if (input) {
-                        const type = input.getAttribute('type') === 'password' ? 'text' : 'password';
-                        input.setAttribute('type', type);
-
-                        this.querySelector('i').classList.toggle('mdi-eye-outline');
-                        this.querySelector('i').classList.toggle('mdi-eye-off-outline');
-                    }
-                });
-            });
-
-            const newPasswordInput = document.querySelector('#change_password_newPassword');
-            const newPasswordErrors = document.querySelector('#new-password-errors');
-            const serverErrors = document.querySelector('#server-errors');
-
-            newPasswordInput.addEventListener('input', function() {
-                if (serverErrors) {
-                    serverErrors.style.display = 'none';
-                }
-                if (newPasswordErrors) {
-                    newPasswordErrors.style.display = 'none';
-                }
-            });
+      document.addEventListener('DOMContentLoaded', function () {
+        const togglePasswordButtons = document.querySelectorAll('.toggle-password');
+        togglePasswordButtons.forEach(button => {
+          button.addEventListener('click', function () {
+            const input = document.querySelector(this.getAttribute('data-target'));
+            if (input) {
+              const type = input.getAttribute('type') === 'password' ? 'text' : 'password';
+              input.setAttribute('type', type);
+              this.querySelector('i').classList.toggle('mdi-eye-outline');
+              this.querySelector('i').classList.toggle('mdi-eye-off-outline');
+            }
+          });
         });
+
+        const newPasswordInput = document.querySelector('#change_password_newPassword');
+        const newPasswordErrors = document.querySelector('#new-password-errors');
+        const serverErrors = document.querySelector('#server-errors');
+
+        newPasswordInput.addEventListener('input', function () {
+          if (serverErrors) serverErrors.style.display = 'none';
+          if (newPasswordErrors) newPasswordErrors.style.display = 'none';
+        });
+
+        const enable2FA = document.querySelector('#change_password_enable2FA');
+        const confirm2FAField = document.querySelector('#confirm2fa-field');
+        const hasMfa = {{ user.getMfaSecret() ? 'true' : 'false' }};
+
+        if (enable2FA && confirm2FAField) {
+          if (!hasMfa && enable2FA.checked) {
+            confirm2FAField.style.display = '';
+          }
+
+          enable2FA.addEventListener('change', function () {
+            if (hasMfa && !this.checked) {
+              confirm2FAField.style.display = '';
+            } else if (!hasMfa && this.checked) {
+              this.closest('form').submit();
+            } else {
+              confirm2FAField.style.display = 'none';
+            }
+          });
+        }
+      });
     </script>
 {% endblock %}

From 8969c26c867957782848bb3c614d4cc1d8c83f06 Mon Sep 17 00:00:00 2001
From: Christian Beeznest <christian.fasanando@beeznest.com>
Date: Fri, 23 May 2025 17:03:51 -0500
Subject: [PATCH 6/6] User: Improve 2FA validation and password change flow -
 refs #6162

---
 .../Controller/AccountController.php          | 165 +++++++-----------
 .../Controller/SocialController.php           |   3 +-
 src/CoreBundle/Entity/ExtraFieldOptions.php   |   5 +-
 src/CoreBundle/Form/ChangePasswordType.php    | 110 +++++++++++-
 .../views/Account/change_password.html.twig   | 134 +++++++-------
 5 files changed, 233 insertions(+), 184 deletions(-)

diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php
index 83e35eacd1b..b48a70fc314 100644
--- a/src/CoreBundle/Controller/AccountController.php
+++ b/src/CoreBundle/Controller/AccountController.php
@@ -20,13 +20,12 @@
 use Endroid\QrCode\Writer\PngWriter;
 use OTPHP\TOTP;
 use Security;
-use Symfony\Component\Form\FormError;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Core\User\UserInterface;
-use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
@@ -92,29 +91,50 @@ public function edit(Request $request, UserRepository $userRepository, Illustrat
     }
 
     #[Route('/change-password', name: 'chamilo_core_account_change_password', methods: ['GET', 'POST'])]
-    public function changePassword(Request $request, UserRepository $userRepository, CsrfTokenManagerInterface $csrfTokenManager, SettingsManager $settingsManager): Response
-    {
+    public function changePassword(
+        Request $request,
+        UserRepository $userRepository,
+        CsrfTokenManagerInterface $csrfTokenManager,
+        SettingsManager $settingsManager,
+        UserPasswordHasherInterface $passwordHasher
+    ): Response {
         /** @var User $user */
         $user = $this->getUser();
 
+        // Ensure user is authenticated and has proper interface
         if (!\is_object($user) || !$user instanceof UserInterface) {
             throw $this->createAccessDeniedException('This user does not have access to this section');
         }
 
+        // Build the form and inject user-related options
         $form = $this->createForm(ChangePasswordType::class, [
             'enable2FA' => $user->getMfaEnabled(),
+        ], [
+            'user' => $user,
+            'portal_name' => $settingsManager->getSetting('platform.institution'),
+            'password_hasher' => $passwordHasher,
         ]);
-        $form->handleRequest($request);
 
+        $form->handleRequest($request);
+        $session = $request->getSession();
         $qrCodeBase64 = null;
         $showQRCode = false;
-        $session = $request->getSession();
-        if ($form->get('enable2FA')->getData() && !$user->getMfaSecret() && $session->has('temporary_mfa_secret')) {
-            $secret = $session->get('temporary_mfa_secret');
+
+        // Generate TOTP secret and QR code for 2FA activation
+        if ($form->get('enable2FA')->getData() && !$user->getMfaSecret()) {
+            if (!$session->has('temporary_mfa_secret')) {
+                $totp = TOTP::create();
+                $secret = $totp->getSecret();
+                $session->set('temporary_mfa_secret', $secret);
+            } else {
+                $secret = $session->get('temporary_mfa_secret');
+            }
+
             $totp = TOTP::create($secret);
             $portalName = $settingsManager->getSetting('platform.institution');
             $totp->setLabel($portalName . ' - ' . $user->getEmail());
 
+            // Build QR code image
             $qrCodeResult = Builder::create()
                 ->writer(new PngWriter())
                 ->data($totp->getProvisioningUri())
@@ -128,115 +148,52 @@ public function changePassword(Request $request, UserRepository $userRepository,
             $showQRCode = true;
         }
 
+        // Handle form submission
         if ($form->isSubmitted() && $form->isValid()) {
-            $submittedToken = $request->request->get('_token');
+            $newPassword = $form->get('newPassword')->getData();
+            $enable2FA = $form->get('enable2FA')->getData();
 
-            if (!$csrfTokenManager->isTokenValid(new CsrfToken('change_password', $submittedToken))) {
-                $form->addError(new FormError($this->translator->trans('CSRF token is invalid. Please try again.')));
-            } else {
-                $currentPassword = $form->get('currentPassword')->getData();
-                $newPassword = $form->get('newPassword')->getData();
-                $confirmPassword = $form->get('confirmPassword')->getData();
-                $enable2FA = $form->get('enable2FA')->getData();
-
-                if ($user->getMfaEnabled()) {
-                    $enteredCode = $form->get('confirm2FACode')->getData();
-                    if (empty($enteredCode) || !$this->isTOTPValid($user, $enteredCode)) {
-                        $form->get('confirm2FACode')->addError(new FormError('The 2FA code is invalid.'));
-                        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
-                            'form' => $form->createView(),
-                            'qrCode' => $qrCodeBase64,
-                            'user' => $user,
-                            'showQRCode' => $qrCodeBase64 !== null || ($form->isSubmitted() && $form->get('enable2FA')->getData()),
-                        ]);
-                    }
-                }
+            // Enable 2FA and store encrypted secret
+            if ($enable2FA && !$user->getMfaSecret() && $session->has('temporary_mfa_secret')) {
+                $secret = $session->get('temporary_mfa_secret');
+                $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
 
-                if ($enable2FA && !$user->getMfaSecret()) {
-                    $session = $request->getSession();
-
-                    if (!$session->has('temporary_mfa_secret')) {
-                        $totp = TOTP::create();
-                        $secret = $totp->getSecret();
-                        $session->set('temporary_mfa_secret', $secret);
-                    } else {
-                        $secret = $session->get('temporary_mfa_secret');
-                        $totp = TOTP::create($secret);
-                    }
-
-                    $portalName = $settingsManager->getSetting('platform.institution');
-                    $totp->setLabel($portalName . ' - '. $user->getEmail());
-
-                    $qrCodeResult = Builder::create()
-                        ->writer(new PngWriter())
-                        ->data($totp->getProvisioningUri())
-                        ->encoding(new Encoding('UTF-8'))
-                        ->errorCorrectionLevel(new ErrorCorrectionLevelHigh())
-                        ->size(300)
-                        ->margin(10)
-                        ->build()
-                    ;
-
-                    $qrCodeBase64 = base64_encode($qrCodeResult->getString());
-                    $enteredCode = $form->get('confirm2FACode')->getData();
-
-                    if (!$enteredCode) {
-                        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
-                            'form' => $form->createView(),
-                            'qrCode' => $qrCodeBase64,
-                            'user' => $user,
-                            'showQRCode' => true,
-                        ]);
-                    }
-
-                    if (!$totp->verify($enteredCode)) {
-                        $form->get('confirm2FACode')->addError(new FormError('The code is incorrect.'));
-                        return $this->render('@ChamiloCore/Account/change_password.html.twig', [
-                            'form' => $form->createView(),
-                            'qrCode' => $qrCodeBase64,
-                            'user' => $user,
-                            'showQRCode' => true,
-                        ]);
-                    }
-
-                    $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
-                    $user->setMfaSecret($encryptedSecret);
-                    $user->setMfaEnabled(true);
-                    $user->setMfaService('TOTP');
-                    $userRepository->updateUser($user);
-                    $session->remove('temporary_mfa_secret');
-                    $this->addFlash('success', '2FA activated successfully.');
-
-                    return $this->redirectToRoute('chamilo_core_account_home');
-                }
-                if (!$enable2FA) {
-                    $user->setMfaEnabled(false);
-                    $user->setMfaSecret(null);
-                    $userRepository->updateUser($user);
-                    $this->addFlash('success', '2FA disabled successfully.');
-                }
+                $user->setMfaSecret($encryptedSecret);
+                $user->setMfaEnabled(true);
+                $user->setMfaService('TOTP');
 
-                if ($newPassword || $confirmPassword || $currentPassword) {
-                    if (!$userRepository->isPasswordValid($user, $currentPassword)) {
-                        $form->get('currentPassword')->addError(new FormError($this->translator->trans('The current password is incorrect')));
-                    } elseif ($newPassword !== $confirmPassword) {
-                        $form->get('confirmPassword')->addError(new FormError($this->translator->trans('Passwords do not match')));
-                    } else {
-                        $user->setPlainPassword($newPassword);
-                        $userRepository->updateUser($user);
-                        $this->addFlash('success', 'Password updated successfully');
-                    }
-                }
+                $userRepository->updateUser($user);
+                $session->remove('temporary_mfa_secret');
+
+                $this->addFlash('success', '2FA activated successfully.');
+                return $this->redirectToRoute('chamilo_core_account_home');
+            }
+
+            // Disable 2FA if it was previously enabled
+            if (!$enable2FA && $user->getMfaEnabled()) {
+                $user->setMfaEnabled(false);
+                $user->setMfaSecret(null);
+
+                $userRepository->updateUser($user);
+                $this->addFlash('success', '2FA disabled successfully.');
+                return $this->redirectToRoute('chamilo_core_account_home');
+            }
 
+            // Update password if provided
+            if (!empty($newPassword)) {
+                $user->setPlainPassword($newPassword);
+                $userRepository->updateUser($user);
+                $this->addFlash('success', 'Password updated successfully.');
                 return $this->redirectToRoute('chamilo_core_account_home');
             }
         }
 
+        // Render form with optional QR code for 2FA
         return $this->render('@ChamiloCore/Account/change_password.html.twig', [
             'form' => $form->createView(),
             'qrCode' => $qrCodeBase64,
             'user' => $user,
-            'showQRCode' => $qrCodeBase64 !== null || ($form->isSubmitted() && $form->get('enable2FA')->getData()),
+            'showQRCode' => $showQRCode,
         ]);
     }
 
diff --git a/src/CoreBundle/Controller/SocialController.php b/src/CoreBundle/Controller/SocialController.php
index aa35ae95906..e8e1beb24d7 100644
--- a/src/CoreBundle/Controller/SocialController.php
+++ b/src/CoreBundle/Controller/SocialController.php
@@ -553,11 +553,10 @@ private function getExtraFieldBlock(
                     );
                     if (!empty($extraFieldOptions)) {
                         $optionTexts = array_map(
-                            fn (ExtraFieldOptions $option) => $option['display_text'],
+                            fn (ExtraFieldOptions $option) => $option->getDisplayText(),
                             $extraFieldOptions
                         );
                         $fieldValue = implode(', ', $optionTexts);
-                        $fieldValue = $extraFieldOptions->getDisplayText();
                     }
 
                     break;
diff --git a/src/CoreBundle/Entity/ExtraFieldOptions.php b/src/CoreBundle/Entity/ExtraFieldOptions.php
index 8a0bf5da845..347a1380bcd 100644
--- a/src/CoreBundle/Entity/ExtraFieldOptions.php
+++ b/src/CoreBundle/Entity/ExtraFieldOptions.php
@@ -95,10 +95,7 @@ public function setValue(string $value): self
         return $this;
     }
 
-    /**
-     * @return string
-     */
-    public function getDisplayText()
+    public function getDisplayText(): ?string
     {
         return $this->displayText;
     }
diff --git a/src/CoreBundle/Form/ChangePasswordType.php b/src/CoreBundle/Form/ChangePasswordType.php
index 6ee78d407b6..ed854509388 100644
--- a/src/CoreBundle/Form/ChangePasswordType.php
+++ b/src/CoreBundle/Form/ChangePasswordType.php
@@ -6,11 +6,16 @@
 
 namespace Chamilo\CoreBundle\Form;
 
+use Chamilo\CoreBundle\Entity\User;
+use OTPHP\TOTP;
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
 use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Form\FormError;
+use Symfony\Component\Form\FormEvent;
+use Symfony\Component\Form\FormEvents;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 
 /**
@@ -22,18 +27,22 @@ class ChangePasswordType extends AbstractType
 {
     public function buildForm(FormBuilderInterface $builder, array $options): void
     {
+        // Build form fields for password change and 2FA
         $builder
             ->add('currentPassword', PasswordType::class, [
                 'label' => 'Current password',
                 'required' => false,
+                'mapped' => false,
             ])
             ->add('newPassword', PasswordType::class, [
                 'label' => 'New password',
                 'required' => false,
+                'mapped' => false,
             ])
             ->add('confirmPassword', PasswordType::class, [
                 'label' => 'Confirm new password',
                 'required' => false,
+                'mapped' => false,
             ])
             ->add('enable2FA', CheckboxType::class, [
                 'label' => 'Enable two-factor authentication (2FA)',
@@ -42,16 +51,113 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
             ->add('confirm2FACode', TextType::class, [
                 'label' => 'Enter your 2FA code',
                 'required' => false,
-            ])
-        ;
+                'mapped' => false,
+            ]);
+
+        // Add post-submit validation logic
+        $builder->addEventListener(FormEvents::POST_SUBMIT, function (FormEvent $event) use ($options) {
+            $form = $event->getForm();
+            $user = $form->getConfig()->getOption('user');
+
+            if (!$user instanceof User) {
+                return;
+            }
+
+            $currentPassword = $form->get('currentPassword')->getData();
+            $newPassword = $form->get('newPassword')->getData();
+            $confirmPassword = $form->get('confirmPassword')->getData();
+            $enable2FA = $form->get('enable2FA')->getData();
+            $code = $form->get('confirm2FACode')->getData();
+            $passwordHasher = $form->getConfig()->getOption('password_hasher');
+
+            // Validate current password and confirmation if user wants to update password
+            if (!empty($newPassword)) {
+                if (empty($currentPassword)) {
+                    $form->get('currentPassword')->addError(new FormError('Current password is required to change your password.'));
+                } elseif ($passwordHasher && !$passwordHasher->isPasswordValid($user, $currentPassword)) {
+                    $form->get('currentPassword')->addError(new FormError('The current password is incorrect.'));
+                }
+
+                // Apply password rules
+                foreach (self::validatePassword($newPassword) as $error) {
+                    $form->get('newPassword')->addError(new FormError($error));
+                }
+
+                // Ensure confirmation matches
+                if (!empty($confirmPassword) && $newPassword !== $confirmPassword) {
+                    $form->get('confirmPassword')->addError(new FormError('Passwords do not match.'));
+                }
+            }
+
+            // If 2FA is enabled (or already active), validate the code
+            if ($user->getMfaEnabled() || $enable2FA) {
+                if (empty($code)) {
+                    $form->get('confirm2FACode')->addError(new FormError('The 2FA code is required.'));
+                } elseif ($user->getMfaSecret()) {
+                    $parts = explode('::', base64_decode($user->getMfaSecret()));
+                    if (count($parts) === 2) {
+                        [$iv, $encryptedData] = $parts;
+                        $decryptedSecret = openssl_decrypt(
+                            $encryptedData,
+                            'aes-256-cbc',
+                            $_ENV['APP_SECRET'],
+                            0,
+                            $iv
+                        );
+
+                        // Validate 2FA code using decrypted TOTP secret
+                        $totp = TOTP::create($decryptedSecret);
+                        $portal = $options['portal_name'] ?? 'Chamilo';
+                        $totp->setLabel($portal . ' - ' . $user->getEmail());
+
+                        if (!$totp->verify($code)) {
+                            $form->get('confirm2FACode')->addError(new FormError('The 2FA code is invalid or expired.'));
+                        }
+                    } else {
+                        $form->get('confirm2FACode')->addError(new FormError('Invalid 2FA configuration.'));
+                    }
+                }
+            }
+        });
     }
 
     public function configureOptions(OptionsResolver $resolver): void
     {
+        // Define custom options required for validation logic
         $resolver->setDefaults([
             'csrf_protection' => true,
             'csrf_field_name' => '_token',
             'csrf_token_id' => 'change_password',
+            'user' => null,
+            'portal_name' => 'Chamilo',
+            'password_hasher' => null,
         ]);
     }
+
+    /**
+     * Validate password against security rules defined in settings.
+     */
+    private static function validatePassword(string $password): array
+    {
+        $errors = [];
+        $req = \Security::getPasswordRequirements()['min'];
+
+        if (\strlen($password) < $req['length']) {
+            $errors[] = 'Password must be at least ' . $req['length'] . ' characters long.';
+        }
+        if ($req['lowercase'] > 0 && !preg_match('/[a-z]/', $password)) {
+            $errors[] = 'Password must contain at least ' . $req['lowercase'] . ' lowercase characters.';
+        }
+        if ($req['uppercase'] > 0 && !preg_match('/[A-Z]/', $password)) {
+            $errors[] = 'Password must contain at least ' . $req['uppercase'] . ' uppercase characters.';
+        }
+        if ($req['numeric'] > 0 && !preg_match('/[0-9]/', $password)) {
+            $errors[] = 'Password must contain at least ' . $req['numeric'] . ' numeric characters.';
+        }
+        if ($req['specials'] > 0 && !preg_match('/[\W]/', $password)) {
+            $errors[] = 'Password must contain at least ' . $req['specials'] . ' special characters.';
+        }
+
+        return $errors;
+    }
 }
diff --git a/src/CoreBundle/Resources/views/Account/change_password.html.twig b/src/CoreBundle/Resources/views/Account/change_password.html.twig
index cecc3836f9d..a6785ac9f02 100644
--- a/src/CoreBundle/Resources/views/Account/change_password.html.twig
+++ b/src/CoreBundle/Resources/views/Account/change_password.html.twig
@@ -2,73 +2,78 @@
 
 {% block content %}
     <section id="change-password" class="py-8">
-        <div class="mx-auto w-full">
+        <div class="mx-auto w-full max-w-xl">
+            <a href="{{ path('chamilo_core_account_home') }}" class="inline-block mb-6 text-primary hover:underline">
+                ← {{ "Back to account"|trans }}
+            </a>
+
             <h2 class="text-2xl font-semibold text-center mb-6">{{ "Change Password"|trans }}</h2>
 
             {{ form_start(form, {'attr': {'class': 'bg-white shadow-md rounded px-8 pt-6 pb-8 mb-4'}}) }}
 
             {% for message in app.flashes('success') %}
-                <div class="alert alert-success">
-                    {{ message }}
-                </div>
+                <div class="alert alert-success">{{ message }}</div>
             {% endfor %}
 
             {% if form.vars.errors|length > 0 %}
-                <div class="alert alert-danger" id="server-errors">
+                <div class="text-danger text-sm mb-4" id="server-errors">
                     {{ form_errors(form) }}
                 </div>
             {% endif %}
 
-            <div class="mb-4 relative">
-                {{ form_label(form.currentPassword) }}
-                {{ form_widget(form.currentPassword, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline', 'id': 'change_password_currentPassword'}}) }}
-                <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_currentPassword">
-                <i class="mdi mdi-eye-outline text-gray-700"></i>
-            </span>
-                {{ form_errors(form.currentPassword) }}
-            </div>
-
-            <div class="mb-4 relative">
-                {{ form_label(form.newPassword) }}
-                {{ form_widget(form.newPassword, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline', 'id': 'change_password_newPassword'}}) }}
-                <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_newPassword">
-                <i class="mdi mdi-eye-outline text-gray-700"></i>
-            </span>
-                <ul id="password-requirements" class="text-sm text-red-500 mt-2" style="display: none;"></ul>
-                <div id="new-password-errors">
-                    {{ form_errors(form.newPassword) }}
+            {% set fields = ['currentPassword', 'newPassword', 'confirmPassword'] %}
+            {% for field in fields %}
+                <div class="mb-4 relative">
+                    {{ form_label(attribute(form, field)) }}
+                    {% set errorClass = attribute(form, field).vars.errors|length > 0 ? 'border-danger' : 'border-gray-300' %}
+                    {{ form_widget(attribute(form, field), {
+                        'attr': {
+                            'class': 'shadow appearance-none border ' ~ errorClass ~ ' rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline',
+                            'id': 'change_password_' ~ field
+                        }
+                    }) }}
+                    <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_{{ field }}">
+                    <i class="mdi mdi-eye-outline text-gray-700"></i>
+                </span>
+                    <div class="text-danger text-sm mt-1">
+                        {{ form_errors(attribute(form, field)) }}
+                    </div>
                 </div>
-            </div>
-
-            <div class="mb-4 relative">
-                {{ form_label(form.confirmPassword) }}
-                {{ form_widget(form.confirmPassword, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline', 'id': 'change_password_confirmPassword'}}) }}
-                <span class="toggle-password absolute inset-y-0 right-0 pr-3 flex items-center cursor-pointer" data-target="#change_password_confirmPassword">
-                <i class="mdi mdi-eye-outline text-gray-700"></i>
-            </span>
-                {{ form_errors(form.confirmPassword) }}
-            </div>
+            {% endfor %}
 
             <div class="mb-4">
                 {{ form_label(form.enable2FA) }}
-                {{ form_widget(form.enable2FA, {'attr': {'class': 'form-checkbox', 'id': 'change_password_enable2FA'}}) }}
-                {{ form_errors(form.enable2FA) }}
+                {{ form_widget(form.enable2FA, {
+                    'attr': {
+                        'class': 'form-checkbox',
+                        'id': 'change_password_enable2FA'
+                    }
+                }) }}
+                <div class="text-danger text-sm mt-1">
+                    {{ form_errors(form.enable2FA) }}
+                </div>
             </div>
 
-            <div id="confirm2fa-field" class="mb-4" style="display: none;">
-                {{ form_label(form.confirm2FACode) }}
-                {{ form_widget(form.confirm2FACode, {'attr': {'class': 'shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline'}}) }}
-                {{ form_errors(form.confirm2FACode) }}
-            </div>
+            {% set show2FAField = qrCode is defined and showQRCode or form.enable2FA.vars.data or user.getMfaEnabled() %}
+
+            {% if show2FAField %}
+                <div class="mb-4" id="confirm2fa-field" {% if not show2FAField %}style="display:none"{% endif %}>
+                    {{ form_label(form.confirm2FACode) }}
+                    {% set errorClass = form.confirm2FACode.vars.errors|length > 0 ? 'border-danger' : 'border-gray-300' %}
+                    {{ form_widget(form.confirm2FACode, {
+                        'attr': {
+                            'class': 'shadow appearance-none border ' ~ errorClass ~ ' rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline'
+                        }
+                    }) }}
+                    <div class="text-danger text-sm mt-1">
+                        {{ form_errors(form.confirm2FACode) }}
+                    </div>
+                </div>
+            {% endif %}
 
-            <div class="flex items-center justify-center">
-                <input type="hidden" name="_token" value="{{ csrf_token('change_password') }}">
-                <button type="submit" class="btn btn--primary mt-4">
-                    {% if form.currentPassword.vars.value or form.newPassword.vars.value or form.confirmPassword.vars.value %}
-                        {{ "Change Password"|trans }}
-                    {% else %}
-                        {{ "Update settings"|trans }}
-                    {% endif %}
+            <div class="flex items-center justify-center mt-6">
+                <button type="submit" class="btn btn--primary">
+                    {{ "Update settings"|trans }}
                 </button>
             </div>
 
@@ -102,33 +107,18 @@
           });
         });
 
-        const newPasswordInput = document.querySelector('#change_password_newPassword');
-        const newPasswordErrors = document.querySelector('#new-password-errors');
-        const serverErrors = document.querySelector('#server-errors');
-
-        newPasswordInput.addEventListener('input', function () {
-          if (serverErrors) serverErrors.style.display = 'none';
-          if (newPasswordErrors) newPasswordErrors.style.display = 'none';
-        });
+        const enable2FAInput = document.querySelector('#change_password_enable2FA');
+        const confirm2FAField = document.querySelector('#change_password_confirm2FACode');
 
-        const enable2FA = document.querySelector('#change_password_enable2FA');
-        const confirm2FAField = document.querySelector('#confirm2fa-field');
-        const hasMfa = {{ user.getMfaSecret() ? 'true' : 'false' }};
-
-        if (enable2FA && confirm2FAField) {
-          if (!hasMfa && enable2FA.checked) {
-            confirm2FAField.style.display = '';
+        function update2FAVisibility() {
+          const shouldShow = enable2FAInput.checked || {{ user.getMfaEnabled() ? 'true' : 'false' }};
+          if (confirm2FAField) {
+            confirm2FAField.parentNode.style.display = shouldShow ? 'block' : 'none';
           }
+        }
 
-          enable2FA.addEventListener('change', function () {
-            if (hasMfa && !this.checked) {
-              confirm2FAField.style.display = '';
-            } else if (!hasMfa && this.checked) {
-              this.closest('form').submit();
-            } else {
-              confirm2FAField.style.display = 'none';
-            }
-          });
+        if (enable2FAInput && confirm2FAField) {
+          update2FAVisibility();
         }
       });
     </script>