Checklist

• [X] I have checked my stack trace and logs.
• [X] I can reproduce this in isolation.
• [ ] I can suggest a workaround or PR.

Dependencies

• PHP: 8.1.3 Linux
• Laravel: 9.1.0

Description

This is NOT a bug report at the moment.

I just upgraded the project I'm working on to L9. As such I had to move from darkghosthunter/laraguard to laragear/two-factor. This change required a lot of code change and now I'm not so sure if I took the best path.

My app has no frontend. It's just a backend where all the action happens. All users must be logged in, but not everyone may have 2FA enabled. The 2fa_code is asked on a dedicated form just after the login one IF the user has 2FA enabled.

So I thought to do this in routes/web.php:

Route::post('/', 'Auth\LoginController@login')
    ->name('login.submit')
    ->middleware('2fa.confirm');

But nope... it won't work that way. At least it didn't here. Users with 2FA enabled are just logged in as soon as they submit their login credentials. No 2FA form page presented as it used to be in darkghosthunter/laraguard wonderful magic listeners.

After thoroughly reading this package README and many attempts later, the only way I found to accomplish the old behavior was to override L9's Auth\LoginController@login. I'm not so confident if I got right and what kind of security holes I may have opened. Here's how it looks now:

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use Auth;
use DB;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Laragear\TwoFactor\TwoFactor;
use Symfony\Component\HttpFoundation\Response as SymfonyResponse;

class LoginController extends Controller
{
    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = RouteServiceProvider::HOME;

    /**
     * Override AuthenticatesUsers::login() to implement 2FA.
     *
     * @see AuthenticatesUsers::login() To the original login implementation.
     * @see https://github.com/Laragear/TwoFactor#logging-in To the Laragear\TwoFactor login implementation.
     *
     * @param Request $request
     *
     * @return JsonResponse|RedirectResponse|Response|SymfonyResponse
     */
    public function login(Request $request) {
        $credentials = $request->validate([
            $this->username() => 'required|string',
            'password' => 'required|string',
        ]);

        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        $twoFactor = DB::table('two_factor_authentications')->where('label', $credentials['email'])->count();
        if ($twoFactor && ! $request->filled(config('app.2fa_field'))) {
            return response()->view(
                'two-factor::confirm',
                [
                    'credentials' => $credentials,
                    'remember' => $request->filled('remember'),
                ]
            );
        } else {
            if (Auth::attemptWhen($credentials, TwoFactor::hasCodeOrFails(), $request->filled('remember'))) {
                if ($request->hasSession()) {
                    $request->session()->put('auth.password_confirmed_at', time());
                }

                return $this->sendLoginResponse($request);
            }
        }

        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
}

It worked as expected, except that if users type a wrong 2FA code shw will be redirected back to login page (user/password). I can live with that, as it won't make explicit to an attacker if the wrong piece of data was the email, password or the TOTP code.

But at the end, is that right? Can it be improved somehow? Did I broke my auth toy?

PS: The documentation is far from clear when someone needs a custom login method like the case above (TOTP code in it's own form). But as I'm not sure if this is a bug with the middleware not attaching to POST login method, I will leave this as is for now.

Reproduction

Not available yet.

Expected behavior

It would be really nice if Route::post()->middleware('2fa.confirm') just worked as expected (i.e. force a user with 2FA enabled to enter TOTP code on it's own form page, leave users with 2FA disabled alone and just log them in). This would also leave such a critical method as Auth\LoginController@login alone.

Stack Trace

The issue generates no stack trace.

PHP & Platform

8.1.7 - Fedora 35 x64

Laravel verion

9.17.0

Have you done this?

• [X] I am willing to share my stack trace and logs
• [X] I can reproduce this bug in isolation (vanilla Laravel install)
• [ ] I can suggest a workaround as a Pull Request

Expectation

When a user with 2FA enabled logs in and confirms their TOTP, they should be redirected to the application as authenticated.

Description

The user is redirected back to the login page with an error stating that their credentials are invalid. This seems to be caused by the session flash not being set. Looking into TwoFactorLoginHelper.php I identified that Illuminate\Contracts\Session\Session does not have flash() as a member function https://laravel.com/api/9.x/Illuminate/Contracts/Session/Session.html

protected function flashData(array $credentials, bool $remember): void
    {
        foreach ($credentials as $key => $value) {
            $credentials[$key] = Crypt::encryptString($value);
        }

        $this->session->flash($this->sessionKey, ['credentials' => $credentials, 'remember' => $remember]);
    }

As a result, when the TOTP form is submitted the credentials are blank. And since validation is overridden due to 2fa_code being present, the app kicks back a credentials not found error. You may want to use $this->session->put(...) and $this->session->forget(...) in combination with flashData() and getFlashedData() to approximate flash() or instead use the $request->session() which does have flash().

Reproduction

// https://github.com/Laragear/TwoFactor

Stack trace & logs

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.1.6 Windows

Database

mysqlnd 8.1.6

Laravel version

9.43.0

Have you done this?

• [X] I have checked my logs and I'm sure is a bug in this package.
• [X] I can reproduce this bug in isolation (vanilla Laravel install)
• [ ] I can suggest a workaround as a Pull Request

Expectation

No warnings should be issued

Description

When using this line:

$attempt = Auth2FA::attempt($request->only('email', 'password'), $request->filled('remember'));

like in the documentation VSCode intelephense marks it as: "Non static method 'attempt' should not be called statically."

Reproduction

/**
     * Handle an authentication attempt.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     */
    public function authenticate(Request $request)
    {
        // If the user is trying for the first time, ensure both email and the password are
        // required to log in. If it's not, then he would issue its 2FA code. This ensures
        // the credentials are not required again when is just issuing his 2FA code alone.
        if ($request->isNotFilled('2fa_code')) {
            $request->validate([
                'email' => 'required|email',
                'password' => 'required|string'
            ]);
        }
        
        $attempt = Auth2FA::guard('admin')->attempt($request->only('email', 'password'), $request->filled('remember'));
    
        if ($attempt) {
            return redirect()->intended('/');
        }
 
        return back()->withErrors([
            'email' => 'The provided credentials do not match our records.',
        ])->onlyInput('email');
    }

Stack trace & logs

No response

Most probably I have done something wrong while setting everything up (this project is very early development still).

So for this project, all users are required to enable 2fa; so on my authenticated routes, I have added the 2fa.enabled middleware. While I am using Laravel Breeze, for now I am mostly using your original views (though I created a 'confirm', 'prepare' and 'recovery' view to also use during the setup of 2fa for a user). I am also using the Facade to handle the login (as per the readme, set in the LoginRequest).

I further copied the "ConfirmtwoFactorCodeController" over to my other controllers, and modified it to also handle the setup of the 2fa for a user, using the following routes:

Route::get('2fa-notice', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'notifyTwoFactor'])->name('2fa.notice');
Route::get('2fa-prepare', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'prepareTwoFactor'])->name('2fa.prepare');
Route::post('2fa-prepare', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'confirmTwoFactor'])->name('2fa.confirm');
Route::get('2fa-recovery', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'showRecoveryCodes'])->name('2fa.recovery');

So the setup part is working, and the app code, verifies correctly.

The issue is happening when I attempt to log in. I provide the email and password, and then see the screen asking for the code (weird thing here is it immediately shows the field as having an error, saying the code is either wrong or expired - this is prior to me providing any code). Then when I provide the correct code, it tells me the login was unsuccessful (basically that both the email and password fields are required).

Any idea how I can solve this issue.

Description

The twoFactorAuth relation always returns an instance of the base TwoFactorAuthentication class, regardless of the config model value.

Updated the relation to return an instance of the config model.

Description

The recovery code logic is great! If you use multiple two-factor options for the application, you may want to reuse the recovery code logic independently of the TOTP method.

This PR simply changes the logic so that recovery codes are not deleted when disabled. This allows the developer to use the recovery code system independently and make sure recovery codes are not generated or deleted when enabling or disabling TOTP.

The attributes id and name are empty in the form

https://github.com/Laragear/TwoFactor/blob/aed2545da20cad2958733f26af69d9bcdfb7c8d3/resources/views/confirm.blade.php#L20

Please check these requirements

• [X] This feature helps everyone using this package
• [X] It's feasible and maintainable
• [X] It's non breaking
• [ ] I issued a PR with the implementation (optional)

Description

I've installed the package following the readme.md. I still don't understand how to turn the login process into a two-step process for users who have enabled 2fa. As I've read in the instructions I should add a field to the login form for the 2fa_code, and this works. Users without 2fa enabled are logged in without entering anything, and users who do have one must enter a code.

However, I would prefer the user to first enter a valid username/password and then be asked for the 2fa_code. It would be great if the readme was a bit more explanatory on implementing the login routine. Alternatively, an example package that implements the functionality would be valuable.

Thanks for your great work!

Code sample

- i have no idea on how to write that code.

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.0.12

Laravel verion

9.17.0

Have you done this?

• [X] I am willing to share my stack trace and logs
• [X] I can reproduce this bug in isolation (vanilla Laravel install)
• [ ] I can suggest a workaround as a Pull Request

Expectation

When totp code is correct i expect the user to be logged in.

Description

Users not using 2fa gets logged inn correctly. Users who has activated 2fa are getting the login page again with no error message.

Reproduction

//To activate sanctum for api calls (SPA authentication) i  uncommented EnsureFrontendRequestsAreStateful in app/http/Kernel.php. That is when this "bug" sets in.

'api' => [
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

Stack trace & logs

no stacktrace and nothing logged in laravel.log

Are you a Patreon supporter?

No, don't give priority to this

Description

This feature allows to login users with a helper. This helper will throw a response with a form to issue or re-issue a 2FA Code. It will capture and persist the encrypted credentials for the next request.

Also includes a code generator for Recovery Codes.

Code samples

(Included in the README)

PHP & Platform

8.1.3

Laravel verion

9.5.1

Have you done this?

• [X] I am willing to share my stack trace and logs
• [X] I can reproduce this bug in isolation (vanilla Laravel install)
• [ ] I can suggest a workaround as a Pull Request

Expectation

The migration included in this package should be optional.

Description

I'm migrating from the old Laraguard package. I already have a database table called two_factor_authentications, from a migration that has a slightly different name than the migration included with this package.

This causes a Table 'two_factor_authentications' already exists error when running php artisan migrate, where the migration included in this package is called because it is not listed in my migrations table.

As far as I can see I cannot cancel this migration.

Reproduction

Schema::create('two_factor_authentications', function (Blueprint $table) {
            $table->bigIncrements('id');
});

then run php artisan migrate

Stack trace & logs

No response

Are you a Patreon supporter?

No, don't give priority to this

Please check these requirements

• [X] This feature helps everyone using this package
• [X] It's feasible and maintainable
• [X] It's non breaking
• [ ] I issued a PR with the implementation (optional)

Description

Hi.

Thanks! Great package, it has everything that Fortify lacks and is much more customizable.

One small feature Im missing is telling if the user is logged in with a real 2-factor authentication challenge or bypassed the auth with a "safe device". It would be optimal if the validate() method could set some session variable when bypassing the two-factor challenge. Or vice versa, some session variable being set only when the user did a real 2-factor auth.

I will have a middleware forcing users to confirm important actions if:

• They bypassed the 2 factor auth in the login
• Havent authenticated in xx time, since last time.

Maybe this feature exists but I've missed it somewhere? Thanks.

Code sample

// If safe devices are enabled, and this is a safe device, bypass.
      if ($this->isSafeDevicesEnabled() && $user->isSafeDevice($this->request)) {
        
      **ADD**
        $this->request->session()->put("bypassed_two_factor", $time);
        
          return true;
      }

PHP & Platform

8.1.6 & Windows (localhost)

Database

mysqlnd 8.1.6

Laravel version

9.43.0

Have you done this?

• [X] I have checked my logs and I'm sure is a bug in this package.
• [X] I can reproduce this bug in isolation (vanilla Laravel install)
• [ ] I can suggest a workaround as a Pull Request

Expectation

2FA code not requested on next login on same device when safe_devices enabled = true.

Description

2FA code is requested on every login on the same device.

Column safe_devices stays on value null.

No additional browser cookie stored (2 cookies in use: session and csrf)

Reproduction

'safe_devices' => [
        'enabled'         => true,
        'cookie'          => '_2fa_remember',
        'max_devices'     => 3,
        'expiration_days' => 14,
    ],

Stack trace & logs

No response