[IMPROVE] Inconsistent and misleading 2FA settings

app/2fa/server/code/TOTPCheck.ts

@@ -7,7 +7,7 @@ export class TOTPCheck implements ICodeCheck {
 	public readonly name = 'totp';
 
 	public isEnabled(user: IUser): boolean {
-		if (!settings.get('Accounts_TwoFactorAuthentication_Enabled')) {
+		if (!settings.get('Accounts_TwoFactorAuthentication_By_TOTP_Enabled')) {
 			return false;
 		}
 

app/2fa/server/startup/settings.js

@@ -2,48 +2,65 @@ import { settings } from '../../../settings';
 
 settings.addGroup('Accounts', function() {
 	this.section('Two Factor Authentication', function() {
+		const enable2FA = {
+			_id: 'Accounts_TwoFactorAuthentication_Enabled',
+			value: true,
+		};
+
 		this.add('Accounts_TwoFactorAuthentication_Enabled', true, {
 			type: 'boolean',
 			public: true,
 		});
 		this.add('Accounts_TwoFactorAuthentication_MaxDelta', 1, {
 			type: 'int',
-			enableQuery: {
-				_id: 'Accounts_TwoFactorAuthentication_Enabled',
-				value: true,
-			},
+			enableQuery: enable2FA,
+		});
+
+		this.add('Accounts_TwoFactorAuthentication_By_TOTP_Enabled', true, {
+			type: 'boolean',
+			enableQuery: enable2FA,
+			public: true,
 		});
 
 		this.add('Accounts_TwoFactorAuthentication_By_Email_Enabled', true, {
 			type: 'boolean',
+			enableQuery: enable2FA,
 			public: true,
 		});
 		this.add('Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In', true, {
 			type: 'boolean',
-			enableQuery: {
-				_id: 'Accounts_TwoFactorAuthentication_By_Email_Enabled',
-				value: true,
-			},
+			enableQuery: [
+				enable2FA,
+				{
+					_id: 'Accounts_TwoFactorAuthentication_By_Email_Enabled',
+					value: true,
+				},
+			],
 			wizard: {
 				step: 3,
 				order: 3,
 			},
 		});
 		this.add('Accounts_TwoFactorAuthentication_By_Email_Code_Expiration', 3600, {
 			type: 'int',
-			enableQuery: {
-				_id: 'Accounts_TwoFactorAuthentication_By_Email_Enabled',
-				value: true,
-			},
+			enableQuery: [
+				enable2FA,
+				{
+					_id: 'Accounts_TwoFactorAuthentication_By_Email_Enabled',
+					value: true,
+				},
+			],
 		});
 
 		this.add('Accounts_TwoFactorAuthentication_RememberFor', 1800, {
 			type: 'int',
+			enableQuery: enable2FA,
 		});
 
 		// TODO: Remove this setting for version 4.0
 		this.add('Accounts_TwoFactorAuthentication_Enforce_Password_Fallback', true, {
 			type: 'boolean',
+			enableQuery: enable2FA,
 			public: true,
 		});
 	});

client/views/account/security/AccountSecurityPage.js

@@ -13,6 +13,7 @@ const AccountSecurityPage = () => {
 	const t = useTranslation();
 
 	const twoFactorEnabled = useSetting('Accounts_TwoFactorAuthentication_Enabled');
+	const twoFactorTOTP = useSetting('Accounts_TwoFactorAuthentication_By_TOTP_Enabled');
 	const twoFactorByEmailEnabled = useSetting('Accounts_TwoFactorAuthentication_By_Email_Enabled');
 	const e2eEnabled = useSetting('E2E_Enable');
 
@@ -26,9 +27,9 @@ const AccountSecurityPage = () => {
 			<Page.ScrollableContentWithShadow>
 				<Box maxWidth='x600' w='full' alignSelf='center'>
 					<Accordion>
-						{(twoFactorEnabled || twoFactorByEmailEnabled) && (
+						{(twoFactorTOTP || twoFactorByEmailEnabled) && twoFactorEnabled && (
 							<Accordion.Item title={t('Two Factor Authentication')} defaultExpanded>
-								{twoFactorEnabled && <TwoFactorTOTP />}
+								{twoFactorTOTP && <TwoFactorTOTP />}
 								{twoFactorByEmailEnabled && <TwoFactorEmail />}
 							</Accordion.Item>
 						)}

packages/rocketchat-i18n/i18n/en.i18n.json

@@ -225,13 +225,15 @@
   "Accounts_SetDefaultAvatar": "Set Default Avatar",
   "Accounts_SetDefaultAvatar_Description": "Tries to determine default avatar based on OAuth Account or Gravatar",
   "Accounts_ShowFormLogin": "Show Default Login Form",
+  "Accounts_TwoFactorAuthentication_By_TOTP_Enabled": "Enable Two Factor Authentication via TOTP",
+  "Accounts_TwoFactorAuthentication_By_TOTP_Enabled_Description": "Users can setup their Two Factor Authentication using any TOTP App, like Google Authenticator or Authy.",
   "Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In": "Auto opt in new users for Two Factor via Email",
   "Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In_Description": "New users will have the Two Factor Authentication via Email enabled by default. They will be able to disable it in their profile page.",
   "Accounts_TwoFactorAuthentication_By_Email_Code_Expiration": "Time to expire the code sent via email in seconds",
   "Accounts_TwoFactorAuthentication_By_Email_Enabled": "Enable Two Factor Authentication via Email",
   "Accounts_TwoFactorAuthentication_By_Email_Enabled_Description": "Users with email verified and the option enabled in their profile page will receive an email with a temporary code to authorize certain actions like login, save the profile, etc.",
-  "Accounts_TwoFactorAuthentication_Enabled": "Enable Two Factor Authentication via TOTP",
-  "Accounts_TwoFactorAuthentication_Enabled_Description": "Users can setup their Two Factor Authentication using any TOTP app, like Google Authenticator or Authy",
+  "Accounts_TwoFactorAuthentication_Enabled": "Enable Two Factor Authentication",
+  "Accounts_TwoFactorAuthentication_Enabled_Description": "If deactivated, this setting will deactivate all Two Factor Authentication.<br>In `Accounts` > `Registration` > `Registration with Authentication Services` is possible to force users to enable Two Factor Authentication based on their roles.",
   "Accounts_TwoFactorAuthentication_Enforce_Password_Fallback": "Enforce password fallback",
   "Accounts_TwoFactorAuthentication_Enforce_Password_Fallback_Description": "Users will be forced to enter their password, for important actions, if no other Two Factor Authentication method is enabled for that user and a password is set for him.",
   "Accounts_TwoFactorAuthentication_MaxDelta": "Maximum Delta",
@@ -4499,4 +4501,4 @@
   "Your_temporary_password_is_password": "Your temporary password is <strong>[password]</strong>.",
   "Your_TOTP_has_been_reset": "Your Two Factor TOTP has been reset.",
   "Your_workspace_is_ready": "Your workspace is ready to use 🎉"
-}
+}

packages/rocketchat-i18n/i18n/pt-BR.i18n.json

@@ -208,13 +208,15 @@
   "Accounts_SetDefaultAvatar": "Definir Avatar Padrão",
   "Accounts_SetDefaultAvatar_Description": "Tenta determinar o avatar padrão com base em OAuth Account ou Gravatar",
   "Accounts_ShowFormLogin": "Mostrar formulário de login padrão",
+  "Accounts_TwoFactorAuthentication_By_TOTP_Enabled": "Ativar autenticação de dois fatores por TOTP",
+  "Accounts_TwoFactorAuthentication_By_TOTP_Enabled_Description": "Os usuários podem configurar sua autenticação de dois fatores usando qualquer aplicativo de TOTP, como o Google Authenticator ou o Authy.",
   "Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In": "Auto ativar a autenticação de duas etapas via email para novos usuários",
   "Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In_Description": "Novos usuários terão a autenticação por duas etapas via email ativada por padrão. Eles poderão desabilitá-la em sua página de perfil.",
   "Accounts_TwoFactorAuthentication_By_Email_Code_Expiration": "Tempo para expirar o código enviado por email (em segundos)",
   "Accounts_TwoFactorAuthentication_By_Email_Enabled": "Ativar autenticação de dois fatores por Email",
   "Accounts_TwoFactorAuthentication_By_Email_Enabled_Description": "Usuários com email verificado e com a opção habilitada em seu perfil receberão um email com um código temporário para autorizar certas ações como o login, salvar o perfil, etc.",
-  "Accounts_TwoFactorAuthentication_Enabled": "Ativar autenticação de dois fatores por TOTP",
-  "Accounts_TwoFactorAuthentication_Enabled_Description": "Os usuários podem configurar sua autenticação de dois fatores usando qualquer aplicativo de TOTP, como o Google Authenticator ou o Authy",
+  "Accounts_TwoFactorAuthentication_Enabled": "Ativar autenticação de dois fatores",
+  "Accounts_TwoFactorAuthentication_Enabled_Description": "Se essa opção estiver desativada, toda a autenticação de dois fatores também será desativada.<br>Em `Contas` > `Registro` > `Registro com os Serviços de Autenticação` é possível forçar usuários a ativarem a autenticação de dois fatores com base em sua função.",
   "Accounts_TwoFactorAuthentication_MaxDelta": "Delta máximo",
   "Accounts_TwoFactorAuthentication_MaxDelta_Description": "O Delta máximo determina quantos tokens são válidos em qualquer momento. Os tokens são gerados a cada 30 segundos e são válidos por (30 * Delta máximo) segundos. <br/>Exemplo: com um Delta máximo configurado para 10, cada token pode ser usado até 300 segundos antes ou depois do timestamp. Isso é útil quando o relógio do cliente não está corretamente sincronizado com o servidor.",
   "Accounts_TwoFactorAuthentication_RememberFor": "Lembrar a autenticação por (segundos)",
@@ -3661,4 +3663,4 @@
   "Your_question": "A sua pergunta",
   "Your_server_link": "O link do seu servidor",
   "Your_workspace_is_ready": "O seu espaço de trabalho está pronto a usar 🎉"
-}
+}

tests/end-to-end/api/25-teams.js

@@ -5,7 +5,7 @@ import { updatePermission } from '../../data/permissions.helper.js';
 import { createUser, login } from '../../data/users.helper';
 import { password } from '../../data/user';
 
-describe.only('[Teams]', () => {
+describe('[Teams]', () => {
 	before((done) => getCredentials(done));
 
 	const community = `community${ Date.now() }`;