Add a two-step setup of OTP

Before this change, 2FA with OTP was enabled before the user was able to
submit a code to validate the setup. Thus, this could lead to a
situation where the user is locked out of her account if there was an
issue setting up her application.

Now we rely on a new boolean property that is set to true only after the
user submits a valid code during the setup phase.

Fixes #4867

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>

src/Controller/ConfigController.php

@@ -313,6 +313,7 @@ class ConfigController extends AbstractController
         $user = $this->getUser();
 
         $user->setGoogleAuthenticatorSecret('');
+        $user->setGoogleAuthenticator(false);
         $user->setBackupCodes(null);
 
         $this->userManager->updateUser($user);
@@ -354,11 +355,6 @@ class ConfigController extends AbstractController
         $this->userManager->updateUser($user);
         $this->entityManager->flush();
 
-        $this->addFlash(
-            'notice',
-            'flashes.config.notice.otp_enabled'
-        );
-
         return $this->render('Config/otp_app.html.twig', [
             'backupCodes' => $backupCodes,
             'qr_code' => $googleAuthenticator->getQRContent($user),
@@ -408,6 +404,9 @@ class ConfigController extends AbstractController
                 'notice',
                 'flashes.config.notice.otp_enabled'
             );
+            $user->setGoogleAuthenticator(true);
+            $this->userManager->updateUser($user);
+            $this->entityManager->flush();
 
             return $this->redirect($this->generateUrl('config') . '#set3');
         }
@@ -421,8 +420,9 @@ class ConfigController extends AbstractController
         $user->setBackupCodes(null);
 
         $this->userManager->updateUser($user);
+        $this->entityManager->flush();
 
-        return $this->redirect($this->generateUrl('config') . '#set3');
+        return $this->redirect($this->generateUrl('config_otp_app'), 307);
     }
 
     /**