Don't show Link to TOTP if not set up (#27585) (#27588)

Backport #27585 by @JakobDev

Fixes https://codeberg.org/forgejo/forgejo/issues/1592

When login in with WebAuth, the page has a link to use TOTP instead.
This link is always displayed, no matter if the User has set up TOTP or
not, which do of cause not work for those who have not.

Co-authored-by: JakobDev <jakobdev@gmx.de>

2 files changed, 13 insertions, 3 deletions

diff --git a/routers/web/auth/webauthn.go b/routers/web/auth/webauthn.go
index 88413caea6..9b516ce396 100644
--- a/routers/web/auth/webauthn.go
+++ b/routers/web/auth/webauthn.go
@@ -37,6 +37,14 @@ func WebAuthn(ctx *context.Context) {
 		return
 	}
 
+	hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, ctx.Session.Get("twofaUid").(int64))
+	if err != nil {
+		ctx.ServerError("HasTwoFactorByUID", err)
+		return
+	}
+
+	ctx.Data["HasTwoFactor"] = hasTwoFactor
+
 	ctx.HTML(http.StatusOK, tplWebAuthn)
 }
 
diff --git a/templates/user/auth/webauthn.tmpl b/templates/user/auth/webauthn.tmpl
index f738937025..722da02f54 100644
--- a/templates/user/auth/webauthn.tmpl
+++ b/templates/user/auth/webauthn.tmpl
@@ -14,9 +14,11 @@
 				<div class="is-loading" style="width: 40px; height: 40px"></div>
 				{{ctx.Locale.Tr "webauthn_press_button"}}
 			</div>
-			<div class="ui attached segment">
-				<a href="{{AppSubUrl}}/user/two_factor">{{ctx.Locale.Tr "webauthn_use_twofa"}}</a>
-			</div>
+			{{if .HasTwoFactor}}
+				<div class="ui attached segment">
+					<a href="{{AppSubUrl}}/user/two_factor">{{ctx.Locale.Tr "webauthn_use_twofa"}}</a>
+				</div>
+			{{end}}
 		</div>
 	</div>
 </div>