fix(web): use a distinct salt for TOTP authentication

If TOTP is enabled for a user, it will be disabled until the user
configure it again, which will generate a new private salt.

UI/WebServerResources/js/Common/Authentication.service.js

@@ -97,6 +97,13 @@
               if (typeof data.totpMissingKey != 'undefined' && response.status == 202) {
                 d.resolve({totpmissingkey: 1});
               }
+              else if (typeof data.totpDisabled != 'undefined') {
+                d.resolve({
+                  cn: data.cn,
+                  url: redirectUrl(username, domain),
+                  totpdisabled: 1
+                });
+              }
               // Check password policy
               else if (typeof data.expire != 'undefined' && typeof data.grace != 'undefined') {
                 if (data.expire < 0 && data.grace > 0) {

UI/WebServerResources/js/Common/sgQrCode.directive.js

@@ -26,6 +26,7 @@
     function link(scope, element, attrs) {
       var width = parseInt(scope.width) || 256,
           height = parseInt(scope.height) || width,
+          // See https://github.com/google/google-authenticator/wiki/Key-Uri-Format
           uri = 'otpauth://totp/SOGo:' + Settings.activeUser('email') + '?secret=' + scope.text.replace(/=+$/, '') + '&issuer=SOGo';
       new QRCode(element[0], {
         text: uri,

UI/WebServerResources/js/Main/Main.app.js

@@ -44,6 +44,11 @@
           if (data.totpmissingkey) {
             vm.loginState = 'totpcode';
           }
+          else if (data.totpdisabled) {
+            vm.loginState = 'totpdisabled';
+            vm.cn = data.cn;
+            vm.url = data.url;
+          }
           else {
             vm.loginState = 'logged';
             vm.cn = data.cn;