Two factor authentication support (#630)

* Initial commit for 2FA support

Signed-off-by: Andrew <write@imaginarycode.com>

* Add vendored files

* Add missing depends

* A few clean ups

* Added improvements, proper encryption

* Better encryption key

* Simplify "key" generation

* Make 2FA enrollment page more robust

* Fix typo

* Rename twofa/2FA to TwoFactor

* UNIQUE INDEX -> UNIQUE

cmd/web.go

@@ -203,6 +203,12 @@ func runWeb(ctx *cli.Context) error {
 		m.Post("/sign_up", bindIgnErr(auth.RegisterForm{}), user.SignUpPost)
 		m.Get("/reset_password", user.ResetPasswd)
 		m.Post("/reset_password", user.ResetPasswdPost)
+		m.Group("/two_factor", func() {
+			m.Get("", user.TwoFactor)
+			m.Post("", bindIgnErr(auth.TwoFactorAuthForm{}), user.TwoFactorPost)
+			m.Get("/scratch", user.TwoFactorScratch)
+			m.Post("/scratch", bindIgnErr(auth.TwoFactorScratchAuthForm{}), user.TwoFactorScratchPost)
+		})
 	}, reqSignOut)
 
 	m.Group("/user/settings", func() {
@@ -223,6 +229,13 @@ func runWeb(ctx *cli.Context) error {
 			Post(bindIgnErr(auth.NewAccessTokenForm{}), user.SettingsApplicationsPost)
 		m.Post("/applications/delete", user.SettingsDeleteApplication)
 		m.Route("/delete", "GET,POST", user.SettingsDelete)
+		m.Group("/two_factor", func() {
+			m.Get("", user.SettingsTwoFactor)
+			m.Post("/regenerate_scratch", user.SettingsTwoFactorRegenerateScratch)
+			m.Post("/disable", user.SettingsTwoFactorDisable)
+			m.Get("/enroll", user.SettingsTwoFactorEnroll)
+			m.Post("/enroll", bindIgnErr(auth.TwoFactorAuthForm{}), user.SettingsTwoFactorEnrollPost)
+		})
 	}, reqSignIn, func(ctx *context.Context) {
 		ctx.Data["PageIsUserSettings"] = true
 	})

models/error.go

@@ -787,6 +787,25 @@ func (err ErrTeamAlreadyExist) Error() string {
 	return fmt.Sprintf("team already exists [org_id: %d, name: %s]", err.OrgID, err.Name)
 }
 
+//
+// Two-factor authentication
+//
+
+// ErrTwoFactorNotEnrolled indicates that a user is not enrolled in two-factor authentication.
+type ErrTwoFactorNotEnrolled struct {
+	UID int64
+}
+
+// IsErrTwoFactorNotEnrolled checks if an error is a ErrTwoFactorNotEnrolled.
+func IsErrTwoFactorNotEnrolled(err error) bool {
+	_, ok := err.(ErrTwoFactorNotEnrolled)
+	return ok
+}
+
+func (err ErrTwoFactorNotEnrolled) Error() string {
+	return fmt.Sprintf("user not enrolled in 2FA [uid: %d]", err.UID)
+}
+
 //  ____ ___        .__                    .___
 // |    |   \______ |  |   _________     __| _/
 // |    |   /\____ \|  |  /  _ \__  \   / __ |

models/models.go

@@ -105,6 +105,7 @@ func init() {
 		new(Notification),
 		new(IssueUser),
 		new(LFSMetaObject),
+		new(TwoFactor),
 	)
 
 	gonicNames := []string{"SSL", "UID"}

models/twofactor.go

@@ -0,0 +1,141 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+import (
+	"crypto/md5"
+	"crypto/subtle"
+	"encoding/base64"
+	"time"
+
+	"github.com/Unknwon/com"
+	"github.com/go-xorm/xorm"
+	"github.com/pquerna/otp/totp"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+// TwoFactor represents a two-factor authentication token.
+type TwoFactor struct {
+	ID           int64 `xorm:"pk autoincr"`
+	UID          int64 `xorm:"UNIQUE"`
+	Secret       string
+	ScratchToken string
+
+	Created     time.Time `xorm:"-"`
+	CreatedUnix int64     `xorm:"INDEX"`
+	Updated     time.Time `xorm:"-"` // Note: Updated must below Created for AfterSet.
+	UpdatedUnix int64     `xorm:"INDEX"`
+}
+
+// BeforeInsert will be invoked by XORM before inserting a record representing this object.
+func (t *TwoFactor) BeforeInsert() {
+	t.CreatedUnix = time.Now().Unix()
+}
+
+// BeforeUpdate is invoked from XORM before updating this object.
+func (t *TwoFactor) BeforeUpdate() {
+	t.UpdatedUnix = time.Now().Unix()
+}
+
+// AfterSet is invoked from XORM after setting the value of a field of this object.
+func (t *TwoFactor) AfterSet(colName string, _ xorm.Cell) {
+	switch colName {
+	case "created_unix":
+		t.Created = time.Unix(t.CreatedUnix, 0).Local()
+	case "updated_unix":
+		t.Updated = time.Unix(t.UpdatedUnix, 0).Local()
+	}
+}
+
+// GenerateScratchToken recreates the scratch token the user is using.
+func (t *TwoFactor) GenerateScratchToken() error {
+	token, err := base.GetRandomString(8)
+	if err != nil {
+		return err
+	}
+	t.ScratchToken = token
+	return nil
+}
+
+// VerifyScratchToken verifies if the specified scratch token is valid.
+func (t *TwoFactor) VerifyScratchToken(token string) bool {
+	if len(token) == 0 {
+		return false
+	}
+	return subtle.ConstantTimeCompare([]byte(token), []byte(t.ScratchToken)) == 1
+}
+
+func (t *TwoFactor) getEncryptionKey() []byte {
+	k := md5.Sum([]byte(setting.SecretKey))
+	return k[:]
+}
+
+// SetSecret sets the 2FA secret.
+func (t *TwoFactor) SetSecret(secret string) error {
+	secretBytes, err := com.AESEncrypt(t.getEncryptionKey(), []byte(secret))
+	if err != nil {
+		return err
+	}
+	t.Secret = base64.StdEncoding.EncodeToString(secretBytes)
+	return nil
+}
+
+// ValidateTOTP validates the provided passcode.
+func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
+	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
+	if err != nil {
+		return false, err
+	}
+	secret, err := com.AESDecrypt(t.getEncryptionKey(), decodedStoredSecret)
+	if err != nil {
+		return false, err
+	}
+	secretStr := string(secret)
+	return totp.Validate(passcode, secretStr), nil
+}
+
+// NewTwoFactor creates a new two-factor authentication token.
+func NewTwoFactor(t *TwoFactor) error {
+	err := t.GenerateScratchToken()
+	if err != nil {
+		return err
+	}
+	_, err = x.Insert(t)
+	return err
+}
+
+// UpdateTwoFactor updates a two-factor authentication token.
+func UpdateTwoFactor(t *TwoFactor) error {
+	_, err := x.Id(t.ID).AllCols().Update(t)
+	return err
+}
+
+// GetTwoFactorByUID returns the two-factor authentication token associated with
+// the user, if any.
+func GetTwoFactorByUID(uid int64) (*TwoFactor, error) {
+	twofa := &TwoFactor{UID: uid}
+	has, err := x.Get(twofa)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrTwoFactorNotEnrolled{uid}
+	}
+	return twofa, nil
+}
+
+// DeleteTwoFactorByID deletes two-factor authentication token by given ID.
+func DeleteTwoFactorByID(id, userID int64) error {
+	cnt, err := x.Id(id).Delete(&TwoFactor{
+		UID: userID,
+	})
+	if err != nil {
+		return err
+	} else if cnt != 1 {
+		return ErrTwoFactorNotEnrolled{userID}
+	}
+	return nil
+}

modules/auth/user_form.go

@@ -173,3 +173,23 @@ type NewAccessTokenForm struct {
 func (f *NewAccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
 	return validate(errs, ctx.Data, f, ctx.Locale)
 }
+
+// TwoFactorAuthForm for logging in with 2FA token.
+type TwoFactorAuthForm struct {
+	Passcode string `binding:"Required"`
+}
+
+// Validate valideates the fields
+func (f *TwoFactorAuthForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
+// TwoFactorScratchAuthForm for logging in with 2FA scratch token.
+type TwoFactorScratchAuthForm struct {
+	Token string `binding:"Required"`
+}
+
+// Validate valideates the fields
+func (f *TwoFactorScratchAuthForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}

options/locale/locale_en-US.ini

@@ -23,6 +23,9 @@ email = Email
 password = Password
 re_type = Re-Type
 captcha = Captcha
+twofa = Two-factor authentication
+twofa_scratch = Two-factor scratch code
+passcode = Passcode
 
 repository = Repository
 organization = Organization
@@ -175,6 +178,12 @@ invalid_code = Sorry, your confirmation code has expired or not valid.
 reset_password_helper = Click here to reset your password
 password_too_short = Password length cannot be less then %d.
 non_local_account = Non-local accounts cannot change passwords through Gitea.
+verify = Verify
+scratch_code = Scratch code
+use_scratch_code = Use a scratch code
+twofa_scratch_used = You have used your scratch code. You have been redirected to the two-factor settings page so you may remove your device enrollment or generate a new scratch code.
+twofa_passcode_incorrect = Your passcode is not correct. If you misplaced your device, use your scratch code.
+twofa_scratch_token_incorrect = Your scratch code is not correct.
 
 [mail]
 activate_account = Please activate your account
@@ -266,6 +275,7 @@ social = Social Accounts
 applications = Applications
 orgs = Organizations
 delete = Delete Account
+twofa = Two-Factor Authentication
 uid = Uid
 
 public_profile = Public Profile
@@ -351,6 +361,23 @@ access_token_deletion = Personal Access Token Deletion
 access_token_deletion_desc = Delete this personal access token will remove all related accesses of application. Do you want to continue?
 delete_token_success = Personal access token has been removed successfully! Don't forget to update your application as well.
 
+twofa_desc = Gitea supports two-factor authentication to provide additional security for your account.
+twofa_is_enrolled = Your account is <strong>enrolled</strong> into two-factor authentication.
+twofa_not_enrolled = Your account is not currently enrolled into two-factor authentication.
+twofa_disable = Disable two-factor authentication
+twofa_scratch_token_regenerate = Regenerate scratch token
+twofa_scratch_token_regenerated = Your scratch token has been regenerated. It is now %s. Keep it in a safe place.
+twofa_enroll = Enroll into two-factor authentication
+twofa_disable_note = If needed, you can disable two-factor authentication.
+twofa_disable_desc = Disabling two-factor authentication will make your account less secure. Are you sure you want to proceed?
+regenerate_scratch_token_desc = If you misplaced your scratch token, or had to use it to log in, you can reset it.
+twofa_disabled = Two-factor authentication has been disabled.
+scan_this_image = Scan this image with your authentication application:
+or_enter_secret = Or enter the secret: %s
+then_enter_passcode = Then enter the passcode the application gives you:
+passcode_invalid = That passcode is invalid. Try again.
+twofa_enrolled = Your account has now been enrolled in two-factor authentication. Make sure to save your scratch token (%s), as it will only be shown once!
+
 delete_account = Delete Your Account
 delete_prompt = The operation will delete your account permanently, and <strong>CANNOT</strong> be undone!
 confirm_delete_account = Confirm Deletion

routers/user/auth.go

@@ -5,6 +5,7 @@
 package user
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 
@@ -27,6 +28,8 @@ const (
 	TplActivate       base.TplName = "user/auth/activate"
 	tplForgotPassword base.TplName = "user/auth/forgot_passwd"
 	tplResetPassword  base.TplName = "user/auth/reset_passwd"
+	tplTwofa          base.TplName = "user/auth/twofa"
+	tplTwofaScratch   base.TplName = "user/auth/twofa_scratch"
 )
 
 // AutoSignIn reads cookie and try to auto-login.
@@ -69,15 +72,12 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 	return true, nil
 }
 
-// SignIn render sign in page
-func SignIn(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("sign_in")
-
+func checkAutoLogin(ctx *context.Context) bool {
 	// Check auto-login.
 	isSucceed, err := AutoSignIn(ctx)
 	if err != nil {
 		ctx.Handle(500, "AutoSignIn", err)
-		return
+		return true
 	}
 
 	redirectTo := ctx.Query("redirect_to")
@@ -94,6 +94,18 @@ func SignIn(ctx *context.Context) {
 		} else {
 			ctx.Redirect(setting.AppSubURL + "/")
 		}
+		return true
+	}
+
+	return false
+}
+
+// SignIn render sign in page
+func SignIn(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
 		return
 	}
 
@@ -119,13 +131,158 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 		return
 	}
 
-	if form.Remember {
+	// If this user is enrolled in 2FA, we can't sign the user in just yet.
+	// Instead, redirect them to the 2FA authentication page.
+	_, err = models.GetTwoFactorByUID(u.ID)
+	if err != nil {
+		if models.IsErrTwoFactorNotEnrolled(err) {
+			handleSignIn(ctx, u, form.Remember)
+		} else {
+			ctx.Handle(500, "UserSignIn", err)
+		}
+		return
+	}
+
+	// User needs to use 2FA, save data and redirect to 2FA page.
+	ctx.Session.Set("twofaUid", u.ID)
+	ctx.Session.Set("twofaRemember", form.Remember)
+	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// TwoFactor shows the user a two-factor authentication page.
+func TwoFactor(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	// Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.Handle(500, "UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	ctx.HTML(200, tplTwofa)
+}
+
+// TwoFactorPost validates a user's two-factor authentication token.
+func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+
+	// Ensure user is in a 2FA session.
+	idSess := ctx.Session.Get("twofaUid")
+	if idSess == nil {
+		ctx.Handle(500, "UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	id := idSess.(int64)
+	twofa, err := models.GetTwoFactorByUID(id)
+	if err != nil {
+		ctx.Handle(500, "UserSignIn", err)
+		return
+	}
+
+	// Validate the passcode with the stored TOTP secret.
+	ok, err := twofa.ValidateTOTP(form.Passcode)
+	if err != nil {
+		ctx.Handle(500, "UserSignIn", err)
+		return
+	}
+
+	if ok {
+		remember := ctx.Session.Get("twofaRemember").(bool)
+		u, err := models.GetUserByID(id)
+		if err != nil {
+			ctx.Handle(500, "UserSignIn", err)
+			return
+		}
+
+		handleSignIn(ctx, u, remember)
+		return
+	}
+
+	ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, auth.TwoFactorAuthForm{})
+}
+
+// TwoFactorScratch shows the scratch code form for two-factor authentication.
+func TwoFactorScratch(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa_scratch")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	// Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.Handle(500, "UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	ctx.HTML(200, tplTwofaScratch)
+}
+
+// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
+func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthForm) {
+	ctx.Data["Title"] = ctx.Tr("twofa_scratch")
+
+	// Ensure user is in a 2FA session.
+	idSess := ctx.Session.Get("twofaUid")
+	if idSess == nil {
+		ctx.Handle(500, "UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	id := idSess.(int64)
+	twofa, err := models.GetTwoFactorByUID(id)
+	if err != nil {
+		ctx.Handle(500, "UserSignIn", err)
+		return
+	}
+
+	// Validate the passcode with the stored TOTP secret.
+	if twofa.VerifyScratchToken(form.Token) {
+		// Invalidate the scratch token.
+		twofa.ScratchToken = ""
+		if err = models.UpdateTwoFactor(twofa); err != nil {
+			ctx.Handle(500, "UserSignIn", err)
+			return
+		}
+
+		remember := ctx.Session.Get("twofaRemember").(bool)
+		u, err := models.GetUserByID(id)
+		if err != nil {
+			ctx.Handle(500, "UserSignIn", err)
+			return
+		}
+
+		handleSignInFull(ctx, u, remember, false)
+		ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
+		ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor")
+		return
+	}
+
+	ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, auth.TwoFactorScratchAuthForm{})
+}
+
+// This handles the final part of the sign-in process of the user.
+func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
+	handleSignInFull(ctx, u, remember, true)
+}
+
+func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) {
+	if remember {
 		days := 86400 * setting.LogInRememberDays
 		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)
 		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
 			setting.CookieRememberName, u.Name, days, setting.AppSubURL)
 	}
 
+	ctx.Session.Delete("twofaUid")
+	ctx.Session.Delete("twofaRemember")
 	ctx.Session.Set("uid", u.ID)
 	ctx.Session.Set("uname", u.Name)
 
@@ -141,11 +298,15 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 
 	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
+		if obeyRedirect {
 			ctx.Redirect(redirectTo)
+		}
 		return
 	}
 
+	if obeyRedirect {
 		ctx.Redirect(setting.AppSubURL + "/")
+	}
 }
 
 // SignOut sign out from login status

routers/user/setting.go

@@ -5,12 +5,19 @@
 package user
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"strings"
 
 	"github.com/Unknwon/com"
+	"github.com/pquerna/otp"
+	"github.com/pquerna/otp/totp"
+
+	"encoding/base64"
+	"html/template"
+	"image/png"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
@@ -28,6 +35,8 @@ const (
 	tplSettingsSSHKeys      base.TplName = "user/settings/sshkeys"
 	tplSettingsSocial       base.TplName = "user/settings/social"
 	tplSettingsApplications base.TplName = "user/settings/applications"
+	tplSettingsTwofa        base.TplName = "user/settings/twofa"
+	tplSettingsTwofaEnroll  base.TplName = "user/settings/twofa_enroll"
 	tplSettingsDelete       base.TplName = "user/settings/delete"
 	tplSecurity             base.TplName = "user/security"
 )
@@ -437,6 +446,191 @@ func SettingsDeleteApplication(ctx *context.Context) {
 	})
 }
 
+// SettingsTwoFactor renders the 2FA page.
+func SettingsTwoFactor(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["PageIsSettingsTwofa"] = true
+
+	enrolled := true
+	_, err := models.GetTwoFactorByUID(ctx.User.ID)
+	if err != nil {
+		if models.IsErrTwoFactorNotEnrolled(err) {
+			enrolled = false
+		} else {
+			ctx.Handle(500, "SettingsTwoFactor", err)
+			return
+		}
+	}
+
+	ctx.Data["TwofaEnrolled"] = enrolled
+	ctx.HTML(200, tplSettingsTwofa)
+}
+
+// SettingsTwoFactorRegenerateScratch regenerates the user's 2FA scratch code.
+func SettingsTwoFactorRegenerateScratch(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["PageIsSettingsTwofa"] = true
+
+	t, err := models.GetTwoFactorByUID(ctx.User.ID)
+	if err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	if err = t.GenerateScratchToken(); err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	if err = models.UpdateTwoFactor(t); err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("settings.twofa_scratch_token_regenerated", t.ScratchToken))
+	ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor")
+}
+
+// SettingsTwoFactorDisable deletes the user's 2FA settings.
+func SettingsTwoFactorDisable(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["PageIsSettingsTwofa"] = true
+
+	t, err := models.GetTwoFactorByUID(ctx.User.ID)
+	if err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	if err = models.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))
+	ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor")
+}
+
+func twofaGenerateSecretAndQr(ctx *context.Context) bool {
+	var otpKey *otp.Key
+	var err error
+	uri := ctx.Session.Get("twofaUri")
+	if uri != nil {
+		otpKey, err = otp.NewKeyFromURL(uri.(string))
+	}
+	if otpKey == nil {
+		err = nil // clear the error, in case the URL was invalid
+		otpKey, err = totp.Generate(totp.GenerateOpts{
+			Issuer:      setting.AppName,
+			AccountName: ctx.User.Name,
+		})
+		if err != nil {
+			ctx.Handle(500, "SettingsTwoFactor", err)
+			return false
+		}
+	}
+
+	ctx.Data["TwofaSecret"] = otpKey.Secret()
+	img, err := otpKey.Image(320, 240)
+	if err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return false
+	}
+
+	var imgBytes bytes.Buffer
+	if err = png.Encode(&imgBytes, img); err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return false
+	}
+
+	ctx.Data["QrUri"] = template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(imgBytes.Bytes()))
+	ctx.Session.Set("twofaSecret", otpKey.Secret())
+	ctx.Session.Set("twofaUri", otpKey.String())
+	return true
+}
+
+// SettingsTwoFactorEnroll shows the page where the user can enroll into 2FA.
+func SettingsTwoFactorEnroll(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["PageIsSettingsTwofa"] = true
+
+	t, err := models.GetTwoFactorByUID(ctx.User.ID)
+	if t != nil {
+		// already enrolled
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+	if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	if !twofaGenerateSecretAndQr(ctx) {
+		return
+	}
+
+	ctx.HTML(200, tplSettingsTwofaEnroll)
+}
+
+// SettingsTwoFactorEnrollPost handles enrolling the user into 2FA.
+func SettingsTwoFactorEnrollPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
+	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["PageIsSettingsTwofa"] = true
+
+	t, err := models.GetTwoFactorByUID(ctx.User.ID)
+	if t != nil {
+		// already enrolled
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+	if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	if ctx.HasError() {
+		if !twofaGenerateSecretAndQr(ctx) {
+			return
+		}
+		ctx.HTML(200, tplSettingsTwofaEnroll)
+		return
+	}
+
+	secret := ctx.Session.Get("twofaSecret").(string)
+	if !totp.Validate(form.Passcode, secret) {
+		if !twofaGenerateSecretAndQr(ctx) {
+			return
+		}
+		ctx.Flash.Error(ctx.Tr("settings.passcode_invalid"))
+		ctx.HTML(200, tplSettingsTwofaEnroll)
+		return
+	}
+
+	t = &models.TwoFactor{
+		UID: ctx.User.ID,
+	}
+	err = t.SetSecret(secret)
+	if err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+	err = t.GenerateScratchToken()
+	if err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	if err = models.NewTwoFactor(t); err != nil {
+		ctx.Handle(500, "SettingsTwoFactor", err)
+		return
+	}
+
+	ctx.Session.Delete("twofaSecret")
+	ctx.Session.Delete("twofaUri")
+	ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", t.ScratchToken))
+	ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor")
+}
+
 // SettingsDelete render user suicide page and response for delete user himself
 func SettingsDelete(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("settings")

templates/user/auth/twofa.tmpl

@@ -0,0 +1,27 @@
+{{template "base/head" .}}
+<div class="user signin">
+	<div class="ui middle very relaxed page grid">
+		<div class="column">
+			<form class="ui form" action="{{.Link}}" method="post">
+				{{.CsrfTokenHtml}}
+				<h3 class="ui top attached header">
+					{{.i18n.Tr "twofa"}}
+				</h3>
+				<div class="ui attached segment">
+					{{template "base/alert" .}}
+					<div class="required inline field">
+						<label for="passcode">{{.i18n.Tr "passcode"}}</label>
+						<input id="passcode" name="passcode" type="text" autocomplete="off" required>
+					</div>
+
+					<div class="inline field">
+						<label></label>
+						<button class="ui green button">{{.i18n.Tr "auth.verify"}}</button>
+                        <a href="{{AppSubUrl}}/user/two_factor/scratch">{{.i18n.Tr "auth.use_scratch_code" | Str2html}}</a>
+					</div>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

templates/user/auth/twofa_scratch.tmpl

@@ -0,0 +1,26 @@
+{{template "base/head" .}}
+<div class="user signin">
+	<div class="ui middle very relaxed page grid">
+		<div class="column">
+			<form class="ui form" action="{{.Link}}" method="post">
+				{{.CsrfTokenHtml}}
+				<h3 class="ui top attached header">
+					{{.i18n.Tr "twofa_scratch"}}
+				</h3>
+				<div class="ui attached segment">
+					{{template "base/alert" .}}
+					<div class="required inline field">
+						<label for="token">{{.i18n.Tr "auth.scratch_code"}}</label>
+						<input id="token" name="token" type="text" autocomplete="off" required>
+					</div>
+
+					<div class="inline field">
+						<label></label>
+						<button class="ui green button">{{.i18n.Tr "auth.verify"}}</button>
+					</div>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

templates/user/settings/navbar.tmpl

@@ -19,6 +19,9 @@
 		<a class="{{if .PageIsSettingsApplications}}active{{end}} item" href="{{AppSubUrl}}/user/settings/applications">
 			{{.i18n.Tr "settings.applications"}}
 		</a>
+		<a class="{{if .PageIsSettingsTwofa}}active{{end}} item" href="{{AppSubUrl}}/user/settings/two_factor">
+			{{.i18n.Tr "settings.twofa"}}
+		</a>
 		<a class="{{if .PageIsSettingsDelete}}active{{end}} item" href="{{AppSubUrl}}/user/settings/delete">
 			{{.i18n.Tr "settings.delete"}}
 		</a>

templates/user/settings/twofa.tmpl

@@ -0,0 +1,48 @@
+{{template "base/head" .}}
+<div class="user settings delete">
+	<div class="ui container">
+		<div class="ui grid">
+			{{template "user/settings/navbar" .}}
+			<div class="twelve wide column content">
+				{{template "base/alert" .}}
+				<h4 class="ui top attached header">
+					{{.i18n.Tr "settings.twofa"}}
+				</h4>
+				<div class="ui attached segment">
+					<p>{{.i18n.Tr "settings.twofa_desc"}}</p>
+					{{if .TwofaEnrolled}}
+                    <p>{{$.i18n.Tr "settings.twofa_is_enrolled" | Str2html }}</p>
+                    <form class="ui form" action="{{.Link}}/regenerate_scratch" method="post" enctype="multipart/form-data">
+						{{.CsrfTokenHtml}}
+                        <p>{{.i18n.Tr "settings.regenerate_scratch_token_desc"}}</p>
+                        <button class="ui blue button">{{$.i18n.Tr "settings.twofa_scratch_token_regenerate"}}</button>
+                    </form>
+                    <form class="ui form" action="{{.Link}}/disable" method="post" enctype="multipart/form-data" id="disable-form">
+						{{.CsrfTokenHtml}}
+						<p>{{.i18n.Tr "settings.twofa_disable_note"}}</p>
+						<div class="ui red button delete-button" data-type="form" data-form="#disable-form">{{$.i18n.Tr "settings.twofa_disable"}}</div>
+                    </form>
+                    {{else}}
+                    <p>{{.i18n.Tr "settings.twofa_not_enrolled"}}</p>
+                    <div class="inline field">
+						<a class="ui green button" href="{{.Link}}/enroll">{{$.i18n.Tr "settings.twofa_enroll"}}</a>
+					</div>
+                    {{end}}
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
+
+<div class="ui small basic delete modal">
+	<div class="ui icon header">
+		<i class="trash icon"></i>
+		{{.i18n.Tr "settings.twofa_disable"}}
+	</div>
+	<div class="content">
+		<p>{{.i18n.Tr "settings.twofa_disable_desc"}}</p>
+	</div>
+	{{template "base/delete_modal_actions" .}}
+</div>
+
+{{template "base/footer" .}}

templates/user/settings/twofa_enroll.tmpl

@@ -0,0 +1,33 @@
+{{template "base/head" .}}
+<div class="user settings delete">
+	<div class="ui container">
+		<div class="ui grid">
+			{{template "user/settings/navbar" .}}
+			<div class="twelve wide column content">
+				{{template "base/alert" .}}
+				<h4 class="ui top attached header">
+					{{.i18n.Tr "settings.twofa_enroll"}}
+				</h4>
+				<div class="ui attached segment">
+					<p>{{.i18n.Tr "settings.scan_this_image"}}</p>
+                    <img src="{{.QrUri}}" alt="{{.TwofaSecret}}">
+                    <p>{{.i18n.Tr "settings.or_enter_secret" .TwofaSecret}}
+                    <p>{{.i18n.Tr "settings.then_enter_passcode"}}
+                    <form class="ui form" action="{{.Link}}" method="post">
+						{{.CsrfTokenHtml}}
+						<div class="inline required field {{if .Err_Passcode}}error{{end}}">
+							<label for="passcode">{{.i18n.Tr "passcode"}}</label>
+							<input id="passcode" name="passcode" autofocus required>
+						</div>
+						<div class="inline field">
+							<label></label>
+							<button class="ui green button">{{.i18n.Tr "auth.verify"}}</button>
+						</div>
+					</form>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
+
+{{template "base/footer" .}}

vendor/github.com/boombuler/barcode/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Florian Sundermann
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/boombuler/barcode/README.md

@@ -0,0 +1,18 @@
+##Introduction##
+This is a package for GO which can be used to create different types of barcodes.
+
+##Supported Barcode Types##
+* Aztec Code
+* Codabar
+* Code 128
+* Code 39
+* EAN 8
+* EAN 13
+* Datamatrix
+* QR Codes
+* 2 of 5
+
+##Documentation##
+See [GoDoc](https://godoc.org/github.com/boombuler/barcode)
+
+To create a barcode use the Encode function from one of the subpackages.

vendor/github.com/boombuler/barcode/barcode.go

@@ -0,0 +1,21 @@
+package barcode
+
+import "image"
+
+// Contains some meta information about a barcode
+type Metadata struct {
+	// the name of the barcode kind
+	CodeKind string
+	// contains 1 for 1D barcodes or 2 for 2D barcodes
+	Dimensions byte
+}
+
+// a rendered and encoded barcode
+type Barcode interface {
+	image.Image
+	// returns some meta information about the barcode
+	Metadata() Metadata
+	// the data that was encoded in this barcode
+	Content() string
+	CheckSum() int
+}

vendor/github.com/boombuler/barcode/qr/alphanumeric.go

@@ -0,0 +1,66 @@
+package qr
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/boombuler/barcode/utils"
+)
+
+const charSet string = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
+
+func stringToAlphaIdx(content string) <-chan int {
+	result := make(chan int)
+	go func() {
+		for _, r := range content {
+			idx := strings.IndexRune(charSet, r)
+			result <- idx
+			if idx < 0 {
+				break
+			}
+		}
+		close(result)
+	}()
+
+	return result
+}
+
+func encodeAlphaNumeric(content string, ecl ErrorCorrectionLevel) (*utils.BitList, *versionInfo, error) {
+
+	contentLenIsOdd := len(content)%2 == 1
+	contentBitCount := (len(content) / 2) * 11
+	if contentLenIsOdd {
+		contentBitCount += 6
+	}
+	vi := findSmallestVersionInfo(ecl, alphaNumericMode, contentBitCount)
+	if vi == nil {
+		return nil, nil, errors.New("To much data to encode")
+	}
+
+	res := new(utils.BitList)
+	res.AddBits(int(alphaNumericMode), 4)
+	res.AddBits(len(content), vi.charCountBits(alphaNumericMode))
+
+	encoder := stringToAlphaIdx(content)
+
+	for idx := 0; idx < len(content)/2; idx++ {
+		c1 := <-encoder
+		c2 := <-encoder
+		if c1 < 0 || c2 < 0 {
+			return nil, nil, fmt.Errorf("\"%s\" can not be encoded as %s", content, AlphaNumeric)
+		}
+		res.AddBits(c1*45+c2, 11)
+	}
+	if contentLenIsOdd {
+		c := <-encoder
+		if c < 0 {
+			return nil, nil, fmt.Errorf("\"%s\" can not be encoded as %s", content, AlphaNumeric)
+		}
+		res.AddBits(c, 6)
+	}
+
+	addPaddingAndTerminator(res, vi)
+
+	return res, vi, nil
+}

vendor/github.com/boombuler/barcode/qr/automatic.go

@@ -0,0 +1,23 @@
+package qr
+
+import (
+	"fmt"
+
+	"github.com/boombuler/barcode/utils"
+)
+
+func encodeAuto(content string, ecl ErrorCorrectionLevel) (*utils.BitList, *versionInfo, error) {
+	bits, vi, _ := Numeric.getEncoder()(content, ecl)
+	if bits != nil && vi != nil {
+		return bits, vi, nil
+	}
+	bits, vi, _ = AlphaNumeric.getEncoder()(content, ecl)
+	if bits != nil && vi != nil {
+		return bits, vi, nil
+	}
+	bits, vi, _ = Unicode.getEncoder()(content, ecl)
+	if bits != nil && vi != nil {
+		return bits, vi, nil
+	}
+	return nil, nil, fmt.Errorf("No encoding found to encode \"%s\"", content)
+}

vendor/github.com/boombuler/barcode/qr/blocks.go

@@ -0,0 +1,59 @@
+package qr
+
+type block struct {
+	data []byte
+	ecc  []byte
+}
+type blockList []*block
+
+func splitToBlocks(data <-chan byte, vi *versionInfo) blockList {
+	result := make(blockList, vi.NumberOfBlocksInGroup1+vi.NumberOfBlocksInGroup2)
+
+	for b := 0; b < int(vi.NumberOfBlocksInGroup1); b++ {
+		blk := new(block)
+		blk.data = make([]byte, vi.DataCodeWordsPerBlockInGroup1)
+		for cw := 0; cw < int(vi.DataCodeWordsPerBlockInGroup1); cw++ {
+			blk.data[cw] = <-data
+		}
+		blk.ecc = ec.calcECC(blk.data, vi.ErrorCorrectionCodewordsPerBlock)
+		result[b] = blk
+	}
+
+	for b := 0; b < int(vi.NumberOfBlocksInGroup2); b++ {
+		blk := new(block)
+		blk.data = make([]byte, vi.DataCodeWordsPerBlockInGroup2)
+		for cw := 0; cw < int(vi.DataCodeWordsPerBlockInGroup2); cw++ {
+			blk.data[cw] = <-data
+		}
+		blk.ecc = ec.calcECC(blk.data, vi.ErrorCorrectionCodewordsPerBlock)
+		result[int(vi.NumberOfBlocksInGroup1)+b] = blk
+	}
+
+	return result
+}
+
+func (bl blockList) interleave(vi *versionInfo) []byte {
+	var maxCodewordCount int
+	if vi.DataCodeWordsPerBlockInGroup1 > vi.DataCodeWordsPerBlockInGroup2 {
+		maxCodewordCount = int(vi.DataCodeWordsPerBlockInGroup1)
+	} else {
+		maxCodewordCount = int(vi.DataCodeWordsPerBlockInGroup2)
+	}
+	resultLen := (vi.DataCodeWordsPerBlockInGroup1+vi.ErrorCorrectionCodewordsPerBlock)*vi.NumberOfBlocksInGroup1 +
+		(vi.DataCodeWordsPerBlockInGroup2+vi.ErrorCorrectionCodewordsPerBlock)*vi.NumberOfBlocksInGroup2
+
+	result := make([]byte, 0, resultLen)
+	for i := 0; i < maxCodewordCount; i++ {
+		for b := 0; b < len(bl); b++ {
+			if len(bl[b].data) > i {
+				result = append(result, bl[b].data[i])
+			}
+		}
+	}
+	for i := 0; i < int(vi.ErrorCorrectionCodewordsPerBlock); i++ {
+		for b := 0; b < len(bl); b++ {
+			result = append(result, bl[b].ecc[i])
+		}
+	}
+	return result
+}

vendor/github.com/boombuler/barcode/qr/errorcorrection.go

@@ -0,0 +1,29 @@
+package qr
+
+import (
+	"github.com/boombuler/barcode/utils"
+)
+
+type errorCorrection struct {
+	rs *utils.ReedSolomonEncoder
+}
+
+var ec = newErrorCorrection()
+
+func newErrorCorrection() *errorCorrection {
+	fld := utils.NewGaloisField(285, 256, 0)
+	return &errorCorrection{utils.NewReedSolomonEncoder(fld)}
+}
+
+func (ec *errorCorrection) calcECC(data []byte, eccCount byte) []byte {
+	dataInts := make([]int, len(data))
+	for i := 0; i < len(data); i++ {
+		dataInts[i] = int(data[i])
+	}
+	res := ec.rs.Encode(dataInts, int(eccCount))
+	result := make([]byte, len(res))
+	for i := 0; i < len(res); i++ {
+		result[i] = byte(res[i])
+	}
+	return result
+}

vendor/github.com/boombuler/barcode/qr/numeric.go

@@ -0,0 +1,56 @@
+package qr
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+
+	"github.com/boombuler/barcode/utils"
+)
+
+func encodeNumeric(content string, ecl ErrorCorrectionLevel) (*utils.BitList, *versionInfo, error) {
+	contentBitCount := (len(content) / 3) * 10
+	switch len(content) % 3 {
+	case 1:
+		contentBitCount += 4
+	case 2:
+		contentBitCount += 7
+	}
+	vi := findSmallestVersionInfo(ecl, numericMode, contentBitCount)
+	if vi == nil {
+		return nil, nil, errors.New("To much data to encode")
+	}
+	res := new(utils.BitList)
+	res.AddBits(int(numericMode), 4)
+	res.AddBits(len(content), vi.charCountBits(numericMode))
+
+	for pos := 0; pos < len(content); pos += 3 {
+		var curStr string
+		if pos+3 <= len(content) {
+			curStr = content[pos : pos+3]
+		} else {
+			curStr = content[pos:]
+		}
+
+		i, err := strconv.Atoi(curStr)
+		if err != nil || i < 0 {
+			return nil, nil, fmt.Errorf("\"%s\" can not be encoded as %s", content, Numeric)
+		}
+		var bitCnt byte
+		switch len(curStr) % 3 {
+		case 0:
+			bitCnt = 10
+		case 1:
+			bitCnt = 4
+			break
+		case 2:
+			bitCnt = 7
+			break
+		}
+
+		res.AddBits(i, bitCnt)
+	}
+
+	addPaddingAndTerminator(res, vi)
+	return res, vi, nil
+}

vendor/github.com/boombuler/barcode/qr/qrcode.go

@@ -0,0 +1,170 @@
+package qr
+
+import (
+	"image"
+	"image/color"
+	"math"
+
+	"github.com/boombuler/barcode"
+	"github.com/boombuler/barcode/utils"
+)
+
+type qrcode struct {
+	dimension int
+	data      *utils.BitList
+	content   string
+}
+
+func (qr *qrcode) Content() string {
+	return qr.content
+}
+
+func (qr *qrcode) Metadata() barcode.Metadata {
+	return barcode.Metadata{"QR Code", 2}
+}
+
+func (qr *qrcode) ColorModel() color.Model {
+	return color.Gray16Model
+}
+
+func (qr *qrcode) Bounds() image.Rectangle {
+	return image.Rect(0, 0, qr.dimension, qr.dimension)
+}
+
+func (qr *qrcode) At(x, y int) color.Color {
+	if qr.Get(x, y) {
+		return color.Black
+	}
+	return color.White
+}
+
+func (qr *qrcode) Get(x, y int) bool {
+	return qr.data.GetBit(x*qr.dimension + y)
+}
+
+func (qr *qrcode) Set(x, y int, val bool) {
+	qr.data.SetBit(x*qr.dimension+y, val)
+}
+
+func (qr *qrcode) CheckSum() int {
+	return 0
+}
+
+func (qr *qrcode) calcPenalty() uint {
+	return qr.calcPenaltyRule1() + qr.calcPenaltyRule2() + qr.calcPenaltyRule3() + qr.calcPenaltyRule4()
+}
+
+func (qr *qrcode) calcPenaltyRule1() uint {
+	var result uint
+	for x := 0; x < qr.dimension; x++ {
+		checkForX := false
+		var cntX uint
+		checkForY := false
+		var cntY uint
+
+		for y := 0; y < qr.dimension; y++ {
+			if qr.Get(x, y) == checkForX {
+				cntX++
+			} else {
+				checkForX = !checkForX
+				if cntX >= 5 {
+					result += cntX - 2
+				}
+				cntX = 1
+			}
+
+			if qr.Get(y, x) == checkForY {
+				cntY++
+			} else {
+				checkForY = !checkForY
+				if cntY >= 5 {
+					result += cntY - 2
+				}
+				cntY = 1
+			}
+		}
+
+		if cntX >= 5 {
+			result += cntX - 2
+		}
+		if cntY >= 5 {
+			result += cntY - 2
+		}
+	}
+
+	return result
+}
+
+func (qr *qrcode) calcPenaltyRule2() uint {
+	var result uint
+	for x := 0; x < qr.dimension-1; x++ {
+		for y := 0; y < qr.dimension-1; y++ {
+			check := qr.Get(x, y)
+			if qr.Get(x, y+1) == check && qr.Get(x+1, y) == check && qr.Get(x+1, y+1) == check {
+				result += 3
+			}
+		}
+	}
+	return result
+}
+
+func (qr *qrcode) calcPenaltyRule3() uint {
+	pattern1 := []bool{true, false, true, true, true, false, true, false, false, false, false}
+	pattern2 := []bool{false, false, false, false, true, false, true, true, true, false, true}
+
+	var result uint
+	for x := 0; x <= qr.dimension-len(pattern1); x++ {
+		for y := 0; y < qr.dimension; y++ {
+			pattern1XFound := true
+			pattern2XFound := true
+			pattern1YFound := true
+			pattern2YFound := true
+
+			for i := 0; i < len(pattern1); i++ {
+				iv := qr.Get(x+i, y)
+				if iv != pattern1[i] {
+					pattern1XFound = false
+				}
+				if iv != pattern2[i] {
+					pattern2XFound = false
+				}
+				iv = qr.Get(y, x+i)
+				if iv != pattern1[i] {
+					pattern1YFound = false
+				}
+				if iv != pattern2[i] {
+					pattern2YFound = false
+				}
+			}
+			if pattern1XFound || pattern2XFound {
+				result += 40
+			}
+			if pattern1YFound || pattern2YFound {
+				result += 40
+			}
+		}
+	}
+
+	return result
+}
+
+func (qr *qrcode) calcPenaltyRule4() uint {
+	totalNum := qr.data.Len()
+	trueCnt := 0
+	for i := 0; i < totalNum; i++ {
+		if qr.data.GetBit(i) {
+			trueCnt++
+		}
+	}
+	percDark := float64(trueCnt) * 100 / float64(totalNum)
+	floor := math.Abs(math.Floor(percDark/5) - 10)
+	ceil := math.Abs(math.Ceil(percDark/5) - 10)
+	return uint(math.Min(floor, ceil) * 10)
+}
+
+func newBarcode(dim int) *qrcode {
+	res := new(qrcode)
+	res.dimension = dim
+	res.data = utils.NewBitList(dim * dim)
+	return res
+}

vendor/github.com/boombuler/barcode/qr/unicode.go

@@ -0,0 +1,27 @@
+package qr
+
+import (
+	"errors"
+
+	"github.com/boombuler/barcode/utils"
+)
+
+func encodeUnicode(content string, ecl ErrorCorrectionLevel) (*utils.BitList, *versionInfo, error) {
+	data := []byte(content)
+
+	vi := findSmallestVersionInfo(ecl, byteMode, len(data)*8)
+	if vi == nil {
+		return nil, nil, errors.New("To much data to encode")
+	}
+
+	// It's not correct to add the unicode bytes to the result directly but most readers can't handle the
+	// required ECI header...
+	res := new(utils.BitList)
+	res.AddBits(int(byteMode), 4)
+	res.AddBits(len(content), vi.charCountBits(byteMode))
+	for _, b := range data {
+		res.AddByte(b)
+	}
+	addPaddingAndTerminator(res, vi)
+	return res, vi, nil
+}

vendor/github.com/boombuler/barcode/scaledbarcode.go

@@ -0,0 +1,115 @@
+package barcode
+
+import (
+	"errors"
+	"fmt"
+	"image"
+	"image/color"
+	"math"
+)
+
+type wrapFunc func(x, y int) color.Color
+
+type scaledBarcode struct {
+	wrapped     Barcode
+	wrapperFunc wrapFunc
+	rect        image.Rectangle
+}
+
+func (bc *scaledBarcode) Content() string {
+	return bc.wrapped.Content()
+}
+
+func (bc *scaledBarcode) Metadata() Metadata {
+	return bc.wrapped.Metadata()
+}
+
+func (bc *scaledBarcode) ColorModel() color.Model {
+	return bc.wrapped.ColorModel()
+}
+
+func (bc *scaledBarcode) Bounds() image.Rectangle {
+	return bc.rect
+}
+
+func (bc *scaledBarcode) At(x, y int) color.Color {
+	return bc.wrapperFunc(x, y)
+}
+
+func (bc *scaledBarcode) CheckSum() int {
+	return bc.wrapped.CheckSum()
+}
+
+// Scale returns a resized barcode with the given width and height.
+func Scale(bc Barcode, width, height int) (Barcode, error) {
+	switch bc.Metadata().Dimensions {
+	case 1:
+		return scale1DCode(bc, width, height)
+	case 2:
+		return scale2DCode(bc, width, height)
+	}
+
+	return nil, errors.New("unsupported barcode format")
+}
+
+func scale2DCode(bc Barcode, width, height int) (Barcode, error) {
+	orgBounds := bc.Bounds()
+	orgWidth := orgBounds.Max.X - orgBounds.Min.X
+	orgHeight := orgBounds.Max.Y - orgBounds.Min.Y
+
+	factor := int(math.Min(float64(width)/float64(orgWidth), float64(height)/float64(orgHeight)))
+	if factor <= 0 {
+		return nil, fmt.Errorf("can not scale barcode to an image smaller then %dx%d", orgWidth, orgHeight)
+	}
+
+	offsetX := (width - (orgWidth * factor)) / 2
+	offsetY := (height - (orgHeight * factor)) / 2
+
+	wrap := func(x, y int) color.Color {
+		if x < offsetX || y < offsetY {
+			return color.White
+		}
+		x = (x - offsetX) / factor
+		y = (y - offsetY) / factor
+		if x >= orgWidth || y >= orgHeight {
+			return color.White
+		}
+		return bc.At(x, y)
+	}
+
+	return &scaledBarcode{
+		bc,
+		wrap,
+		image.Rect(0, 0, width, height),
+	}, nil
+}
+
+func scale1DCode(bc Barcode, width, height int) (Barcode, error) {
+	orgBounds := bc.Bounds()
+	orgWidth := orgBounds.Max.X - orgBounds.Min.X
+	factor := int(float64(width) / float64(orgWidth))
+
+	if factor <= 0 {
+		return nil, fmt.Errorf("can not scale barcode to an image smaller then %dx1", orgWidth)
+	}
+	offsetX := (width - (orgWidth * factor)) / 2
+
+	wrap := func(x, y int) color.Color {
+		if x < offsetX {
+			return color.White
+		}
+		x = (x - offsetX) / factor
+
+		if x >= orgWidth {
+			return color.White
+		}
+		return bc.At(x, 0)
+	}
+
+	return &scaledBarcode{
+		bc,
+		wrap,
+		image.Rect(0, 0, width, height),
+	}, nil
+
+}

vendor/github.com/boombuler/barcode/utils/base1dcode.go

@@ -0,0 +1,48 @@
+// Package utils contain some utilities which are needed to create barcodes
+package utils
+
+import (
+	"image"
+	"image/color"
+
+	"github.com/boombuler/barcode"
+)
+
+type base1DCode struct {
+	*BitList
+	kind     string
+	content  string
+	checksum int
+}
+
+func (c *base1DCode) Content() string {
+	return c.content
+}
+
+func (c *base1DCode) Metadata() barcode.Metadata {
+	return barcode.Metadata{c.kind, 1}
+}
+
+func (c *base1DCode) ColorModel() color.Model {
+	return color.Gray16Model
+}
+
+func (c *base1DCode) Bounds() image.Rectangle {
+	return image.Rect(0, 0, c.Len(), 1)
+}
+
+func (c *base1DCode) At(x, y int) color.Color {
+	if c.GetBit(x) {
+		return color.Black
+	}
+	return color.White
+}
+
+func (c *base1DCode) CheckSum() int {
+	return c.checksum
+}
+
+// New1DCode creates a new 1D barcode where the bars are represented by the bits in the bars BitList
+func New1DCode(codeKind, content string, bars *BitList, checksum int) barcode.Barcode {
+	return &base1DCode{bars, codeKind, content, checksum}
+}

vendor/github.com/boombuler/barcode/utils/bitlist.go

@@ -0,0 +1,119 @@
+package utils
+
+// BitList is a list that contains bits
+type BitList struct {
+	count int
+	data  []int32
+}
+
+// NewBitList returns a new BitList with the given length
+// all bits are initialize with false
+func NewBitList(capacity int) *BitList {
+	bl := new(BitList)
+	bl.count = capacity
+	x := 0
+	if capacity%32 != 0 {
+		x = 1
+	}
+	bl.data = make([]int32, capacity/32+x)
+	return bl
+}
+
+// Len returns the number of contained bits
+func (bl *BitList) Len() int {
+	return bl.count
+}
+
+func (bl *BitList) grow() {
+	growBy := len(bl.data)
+	if growBy < 128 {
+		growBy = 128
+	} else if growBy >= 1024 {
+		growBy = 1024
+	}
+
+	nd := make([]int32, len(bl.data)+growBy)
+	copy(nd, bl.data)
+	bl.data = nd
+}
+
+// AddBit appends the given bits to the end of the list
+func (bl *BitList) AddBit(bits ...bool) {
+	for _, bit := range bits {
+		itmIndex := bl.count / 32
+		for itmIndex >= len(bl.data) {
+			bl.grow()
+		}
+		bl.SetBit(bl.count, bit)
+		bl.count++
+	}
+}
+
+// SetBit sets the bit at the given index to the given value
+func (bl *BitList) SetBit(index int, value bool) {
+	itmIndex := index / 32
+	itmBitShift := 31 - (index % 32)
+	if value {
+		bl.data[itmIndex] = bl.data[itmIndex] | 1<<uint(itmBitShift)
+	} else {
+		bl.data[itmIndex] = bl.data[itmIndex] & ^(1 << uint(itmBitShift))
+	}
+}
+
+// GetBit returns the bit at the given index
+func (bl *BitList) GetBit(index int) bool {
+	itmIndex := index / 32
+	itmBitShift := 31 - (index % 32)
+	return ((bl.data[itmIndex] >> uint(itmBitShift)) & 1) == 1
+}
+
+// AddByte appends all 8 bits of the given byte to the end of the list
+func (bl *BitList) AddByte(b byte) {
+	for i := 7; i >= 0; i-- {
+		bl.AddBit(((b >> uint(i)) & 1) == 1)
+	}
+}
+
+// AddBits appends the last (LSB) 'count' bits of 'b' the the end of the list
+func (bl *BitList) AddBits(b int, count byte) {
+	for i := int(count) - 1; i >= 0; i-- {
+		bl.AddBit(((b >> uint(i)) & 1) == 1)
+	}
+}
+
+// GetBytes returns all bits of the BitList as a []byte
+func (bl *BitList) GetBytes() []byte {
+	len := bl.count >> 3
+	if (bl.count % 8) != 0 {
+		len++
+	}
+	result := make([]byte, len)
+	for i := 0; i < len; i++ {
+		shift := (3 - (i % 4)) * 8
+		result[i] = (byte)((bl.data[i/4] >> uint(shift)) & 0xFF)
+	}
+	return result
+}
+
+// IterateBytes iterates through all bytes contained in the BitList
+func (bl *BitList) IterateBytes() <-chan byte {
+	res := make(chan byte)
+
+	go func() {
+		c := bl.count
+		shift := 24
+		i := 0
+		for c > 0 {
+			res <- byte((bl.data[i] >> uint(shift)) & 0xFF)
+			shift -= 8
+			if shift < 0 {
+				shift = 24
+				i++
+			}
+			c -= 8
+		}
+		close(res)
+	}()
+
+	return res
+}

vendor/github.com/boombuler/barcode/utils/galoisfield.go

@@ -0,0 +1,65 @@
+package utils
+
+// GaloisField encapsulates galois field arithmetics
+type GaloisField struct {
+	Size    int
+	Base    int
+	ALogTbl []int
+	LogTbl  []int
+}
+
+// NewGaloisField creates a new galois field
+func NewGaloisField(pp, fieldSize, b int) *GaloisField {
+	result := new(GaloisField)
+
+	result.Size = fieldSize
+	result.Base = b
+	result.ALogTbl = make([]int, fieldSize)
+	result.LogTbl = make([]int, fieldSize)
+
+	x := 1
+	for i := 0; i < fieldSize; i++ {
+		result.ALogTbl[i] = x
+		x = x * 2
+		if x >= fieldSize {
+			x = (x ^ pp) & (fieldSize - 1)
+		}
+	}
+
+	for i := 0; i < fieldSize; i++ {
+		result.LogTbl[result.ALogTbl[i]] = int(i)
+	}
+
+	return result
+}
+
+func (gf *GaloisField) Zero() *GFPoly {
+	return NewGFPoly(gf, []int{0})
+}
+
+// AddOrSub add or substract two numbers
+func (gf *GaloisField) AddOrSub(a, b int) int {
+	return a ^ b
+}
+
+// Multiply multiplys two numbers
+func (gf *GaloisField) Multiply(a, b int) int {
+	if a == 0 || b == 0 {
+		return 0
+	}
+	return gf.ALogTbl[(gf.LogTbl[a]+gf.LogTbl[b])%(gf.Size-1)]
+}
+
+// Divide divides two numbers
+func (gf *GaloisField) Divide(a, b int) int {
+	if b == 0 {
+		panic("divide by zero")
+	} else if a == 0 {
+		return 0
+	}
+	return gf.ALogTbl[(gf.LogTbl[a]-gf.LogTbl[b])%(gf.Size-1)]
+}
+
+func (gf *GaloisField) Invers(num int) int {
+	return gf.ALogTbl[(gf.Size-1)-gf.LogTbl[num]]
+}

vendor/github.com/boombuler/barcode/utils/gfpoly.go

@@ -0,0 +1,103 @@
+package utils
+
+type GFPoly struct {
+	gf           *GaloisField
+	Coefficients []int
+}
+
+func (gp *GFPoly) Degree() int {
+	return len(gp.Coefficients) - 1
+}
+
+func (gp *GFPoly) Zero() bool {
+	return gp.Coefficients[0] == 0
+}
+
+// GetCoefficient returns the coefficient of x ^ degree
+func (gp *GFPoly) GetCoefficient(degree int) int {
+	return gp.Coefficients[gp.Degree()-degree]
+}
+
+func (gp *GFPoly) AddOrSubstract(other *GFPoly) *GFPoly {
+	if gp.Zero() {
+		return other
+	} else if other.Zero() {
+		return gp
+	}
+	smallCoeff := gp.Coefficients
+	largeCoeff := other.Coefficients
+	if len(smallCoeff) > len(largeCoeff) {
+		largeCoeff, smallCoeff = smallCoeff, largeCoeff
+	}
+	sumDiff := make([]int, len(largeCoeff))
+	lenDiff := len(largeCoeff) - len(smallCoeff)
+	copy(sumDiff, largeCoeff[:lenDiff])
+	for i := lenDiff; i < len(largeCoeff); i++ {
+		sumDiff[i] = int(gp.gf.AddOrSub(int(smallCoeff[i-lenDiff]), int(largeCoeff[i])))
+	}
+	return NewGFPoly(gp.gf, sumDiff)
+}
+
+func (gp *GFPoly) MultByMonominal(degree int, coeff int) *GFPoly {
+	if coeff == 0 {
+		return gp.gf.Zero()
+	}
+	size := len(gp.Coefficients)
+	result := make([]int, size+degree)
+	for i := 0; i < size; i++ {
+		result[i] = int(gp.gf.Multiply(int(gp.Coefficients[i]), int(coeff)))
+	}
+	return NewGFPoly(gp.gf, result)
+}
+
+func (gp *GFPoly) Multiply(other *GFPoly) *GFPoly {
+	if gp.Zero() || other.Zero() {
+		return gp.gf.Zero()
+	}
+	aCoeff := gp.Coefficients
+	aLen := len(aCoeff)
+	bCoeff := other.Coefficients
+	bLen := len(bCoeff)
+	product := make([]int, aLen+bLen-1)
+	for i := 0; i < aLen; i++ {
+		ac := int(aCoeff[i])
+		for j := 0; j < bLen; j++ {
+			bc := int(bCoeff[j])
+			product[i+j] = int(gp.gf.AddOrSub(int(product[i+j]), gp.gf.Multiply(ac, bc)))
+		}
+	}
+	return NewGFPoly(gp.gf, product)
+}
+
+func (gp *GFPoly) Divide(other *GFPoly) (quotient *GFPoly, remainder *GFPoly) {
+	quotient = gp.gf.Zero()
+	remainder = gp
+	fld := gp.gf
+	denomLeadTerm := other.GetCoefficient(other.Degree())
+	inversDenomLeadTerm := fld.Invers(int(denomLeadTerm))
+	for remainder.Degree() >= other.Degree() && !remainder.Zero() {
+		degreeDiff := remainder.Degree() - other.Degree()
+		scale := int(fld.Multiply(int(remainder.GetCoefficient(remainder.Degree())), inversDenomLeadTerm))
+		term := other.MultByMonominal(degreeDiff, scale)
+		itQuot := NewMonominalPoly(fld, degreeDiff, scale)
+		quotient = quotient.AddOrSubstract(itQuot)
+		remainder = remainder.AddOrSubstract(term)
+	}
+	return
+}
+
+func NewMonominalPoly(field *GaloisField, degree int, coeff int) *GFPoly {
+	if coeff == 0 {
+		return field.Zero()
+	}
+	result := make([]int, degree+1)
+	result[0] = coeff
+	return NewGFPoly(field, result)
+}
+
+func NewGFPoly(field *GaloisField, coefficients []int) *GFPoly {
+	for len(coefficients) > 1 && coefficients[0] == 0 {
+		coefficients = coefficients[1:]
+	}
+	return &GFPoly{field, coefficients}
+}