Add an option to skip two factor authentication on trusted devices.

A checkbox is added to the two factor verification page.  If that is
checked, then a signed cookie (separate from the session cookie) is set.
If that cookie is set, then two factor verification is skipped for sign
in attempts.

lib/WeBWorK/Authen.pm

@@ -156,12 +156,38 @@ sub verify {
 
 	$self->{was_verified} = $self->do_verify;
 
+	my $remember_2fa = $c->signed_cookie('WeBWorK.2FA.' . $c->ce->{courseName});
+
+	if ($self->{was_verified}
+		&& $self->{login_type} eq 'normal'
+		&& !$self->{external_auth}
+		&& (!$c->{rpc} || ($c->{rpc} && !$c->stash->{disable_cookies}))
+		&& $remember_2fa
+		&& !$c->db->getPassword($self->{user_id})->otp_secret)
+	{
+		# If there is not a otp secret saved in the database, and there is a cookie saved to skip two factor
+		# authentication, then delete it.  The user needs to set up two factor authentication again.
+		$c->signed_cookie(
+			'WeBWorK.2FA.' . $c->ce->{courseName} => 1,
+			{
+				max_age  => 0,
+				expires  => 1,
+				path     => $c->ce->{webworkURLRoot},
+				samesite => $c->ce->{CookieSameSite},
+				secure   => $c->ce->{CookieSecure},
+				httponly => 1
+			}
+		);
+		$remember_2fa = 0;
+	}
+
 	if ($self->{was_verified}
 		&& $self->{login_type} eq 'normal'
 		&& !$self->{external_auth}
 		&& (!$c->{rpc} || ($c->{rpc} && !$c->stash->{disable_cookies}))
 		&& $c->ce->two_factor_authentication_enabled
-		&& ($self->{initial_login} || $self->session->{two_factor_verification_needed}))
+		&& ($self->{initial_login} || $self->session->{two_factor_verification_needed})
+		&& !$remember_2fa)
 	{
 		$self->{was_verified} = 0;
 		$self->session(two_factor_verification_needed => 1);
@@ -446,6 +472,20 @@ sub verify_normal_user {
 				{
 					delete $self->session->{two_factor_verification_needed};
 
+					# Store a cookie that signifies this devices skips two factor
+					# authentication if the skip_2fa checkbox was checked.
+					$c->signed_cookie(
+						'WeBWorK.2FA.' . $c->ce->{courseName} => 1,
+						{
+							max_age  => 3600 * 24 * 365,            # This cookie is valid for one year.
+							expires  => time + 3600 * 24 * 365,
+							path     => $c->ce->{webworkURLRoot},
+							samesite => $c->ce->{CookieSameSite},
+							secure   => $c->ce->{CookieSecure},
+							httponly => 1
+						}
+					) if $c->param('skip_2fa');
+
 					# This is the case of initial setup. Save the secret from the session to the database.
 					if ($self->session->{otp_secret}) {
 						$password->otp_secret($self->session->{otp_secret});

templates/ContentGenerator/TwoFactorAuthentication.html.ep

@@ -36,12 +36,21 @@
 <%= form_for current_route, method => 'POST', begin =%>
 	<%= $hidden_fields =%>
 	%
-	<div class="col-xl-5 col-lg-6 col-md-7 col-sm-8 my-3">
+	<div class="col-xl-9 col-lg-10 col-md-11 my-3">
 		<div class="form-floating mb-2">
 			<%= text_field otp_code => '', id => 'otp_code', class => 'form-control', placeholder => '',
 				autocomplete => 'off', autocapitalize => 'none', spellcheck => 'false' =%>
 			<%= label_for otp_code => maketext('One-Time Code') =%>
 		</div>
+		<div class="form-check mb-2">
+			<%= check_box(skip_2fa => 1, id => 'skip_2fa', class => 'form-check-input') =%>
+			<%= label_for skip_2fa => maketext('Skip two factor verification on this device.') =%>
+		</div>
+		<div class="alert alert-warning mb-2">
+			<%= maketext('If you check the box above, then two factor verification will be skipped from now on when '
+				. 'signing in with this browser. This feature is not safe for public workstations, untrusted machines, '
+				. 'and machines over which you do not have direct control.') =%>
+		</div>
 		% if ($authen_error) {
 			<div class="alert alert-danger" tabindex="0"><%= $authen_error =%></div>
 		% }