[Web] Add forced 2FA setup and password update enforcement

data/web/sogo-auth.php

@@ -50,6 +50,11 @@ elseif (isset($_GET['login'])) {
     (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
     if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
       if (user_get_alias_details($login) !== false) {
+        // Block SOGo access if pending actions (2FA setup, password update)
+        if (!empty($_SESSION['pending_tfa_setup']) || !empty($_SESSION['pending_pw_update'])) {
+          header("Location: /");
+          exit;
+        }
         // register username in session
         $_SESSION[$session_var_user_allowed][] = $login;
         // set dual login
@@ -94,7 +99,8 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
         filter_var($email, FILTER_VALIDATE_EMAIL) &&
         is_array($_SESSION[$session_var_user_allowed]) &&
         in_array($email, $_SESSION[$session_var_user_allowed]) &&
-        !$_SESSION['pending_pw_update']
+        !$_SESSION['pending_pw_update'] &&
+        !$_SESSION['pending_tfa_setup']
     ) {
       $username = $email;
       $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");