+ if ( $return eq 'ok' || $return eq 'additional-auth-needed' ) {
+ $userid = $session->param('id');
+ }
+
+ $additional_auth_needed = ( $return eq 'additional-auth-needed' ) ? 1 : 0;
+
+ # We are at the second screen if the waiting-for-2FA is set in session
+ # and otp_token param has been passed
+ if ( $require_2FA
+ && $additional_auth_needed
+ && ( my $otp_token = $query->param('otp_token') ) )
+ {
+ my $patron = Koha::Patrons->find( { userid => $userid } );
+ my $auth = Koha::Auth::TwoFactorAuth::get_auth( { patron => $patron } );
+ my $verified = $auth->verify($otp_token);
+ $auth->clear;
+ if ( $verified ) {
+ # The token is correct, the user is fully logged in!
+ $additional_auth_needed = 0;
+ $session->param( 'waiting-for-2FA', 0 );
+ $return = "ok";
+ $auth_challenge_complete = 1;
+
+ # This is an ugly trick to pass the test
+ # $query->param('koha_login_context') && ( $q_userid ne $userid )
+ # few lines later
+ $q_userid = $userid;
+ }
+ else {
+ $invalid_otp_token = 1;
+ }
+ }
+