Don't overwrite an already two factor secret unless force = true (#518)

* Update EnableTwoFactorAuthentication.php

Add a force parameter that only overwrites existing two factor information if it's null / has been disabled.

* Update TwoFactorAuthenticationController.php

Allow users to pass force = true to the post request to enable forcing overwriting of current secret keys.

* Update TwoFactorAuthenticationControllerTest.php

Add tests for 'force' request parameter

* Passing tests.

* StyleCI

* formatting

* formatting

---------

Co-authored-by: Taylor Otwell <[email protected]>

Author: danmatthews

src/Actions/EnableTwoFactorAuthentication.php

@@ -31,17 +31,20 @@ public function __construct(TwoFactorAuthenticationProvider $provider)
      * Enable two factor authentication for the user.
      *
      * @param  mixed  $user
+     * @param  bool $force
      * @return void
      */
-    public function __invoke($user)
+    public function __invoke($user, $force = false)
     {
-        $user->forceFill([
-            'two_factor_secret' => encrypt($this->provider->generateSecretKey()),
-            'two_factor_recovery_codes' => encrypt(json_encode(Collection::times(8, function () {
-                return RecoveryCode::generate();
-            })->all())),
-        ])->save();
+        if (empty($user->two_factor_secret) || $force === true) {
+            $user->forceFill([
+                'two_factor_secret' => encrypt($this->provider->generateSecretKey()),
+                'two_factor_recovery_codes' => encrypt(json_encode(Collection::times(8, function () {
+                    return RecoveryCode::generate();
+                })->all())),
+            ])->save();
 
-        TwoFactorAuthenticationEnabled::dispatch($user);
+            TwoFactorAuthenticationEnabled::dispatch($user);
+        }
     }
 }

src/Http/Controllers/TwoFactorAuthenticationController.php

@@ -20,7 +20,7 @@ class TwoFactorAuthenticationController extends Controller
      */
     public function store(Request $request, EnableTwoFactorAuthentication $enable)
     {
-        $enable($request->user());
+        $enable($request->user(), $request->boolean('force', false));
 
         return app(TwoFactorEnabledResponse::class);
     }

tests/TwoFactorAuthenticationControllerTest.php

@@ -46,6 +46,88 @@ public function test_two_factor_authentication_can_be_enabled()
         $this->assertNotNull($user->twoFactorQrCodeSvg());
     }
 
+    #[ResetRefreshDatabaseState]
+    public function test_calling_two_factor_authentication_endpoint_will_not_overwrite_without_force_parameter()
+    {
+        Event::fake();
+
+        $user = TestTwoFactorAuthenticationUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+        ]);
+
+        $response = $this->withoutExceptionHandling()->actingAs($user)->postJson(
+            '/user/two-factor-authentication'
+        );
+
+        $response->assertStatus(200);
+
+        Event::assertDispatched(TwoFactorAuthenticationEnabled::class);
+
+        $user = $user->fresh();
+
+        $old_value = $user->two_factor_secret;
+
+        $response = $this->withoutExceptionHandling()->actingAs($user)->postJson(
+            '/user/two-factor-authentication'
+        );
+
+        $response->assertStatus(200);
+
+        $this->assertNotNull($user->two_factor_secret);
+        $this->assertNotNull($user->two_factor_recovery_codes);
+        $this->assertEquals($old_value, $user->fresh()->two_factor_secret);
+        $this->assertNull($user->two_factor_confirmed_at);
+        $this->assertIsArray(json_decode(decrypt($user->two_factor_recovery_codes), true));
+        $this->assertNotNull($user->twoFactorQrCodeSvg());
+    }
+
+    #[ResetRefreshDatabaseState]
+    public function test_calling_two_factor_authentication_endpoint_will_overwrite_with_force_parameter()
+    {
+        Event::fake();
+
+        $user = TestTwoFactorAuthenticationUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+        ]);
+
+        $response = $this->withoutExceptionHandling()->actingAs($user)->postJson(
+            '/user/two-factor-authentication',
+            [
+                'force' => true,
+            ]
+        );
+
+        $response->assertStatus(200);
+
+        Event::assertDispatched(TwoFactorAuthenticationEnabled::class);
+
+        $user = $user->fresh();
+
+        $old_value = $user->two_factor_secret;
+
+        $response = $this->withoutExceptionHandling()->actingAs($user)->postJson(
+            '/user/two-factor-authentication',
+            [
+                'force' => true,
+            ]
+        );
+
+        $response->assertStatus(200);
+
+        $user = $user->fresh();
+
+        $this->assertNotNull($user->two_factor_secret);
+        $this->assertNotNull($user->two_factor_recovery_codes);
+        $this->assertNotEquals($old_value, $user->fresh()->two_factor_secret);
+        $this->assertNull($user->two_factor_confirmed_at);
+        $this->assertIsArray(json_decode(decrypt($user->two_factor_recovery_codes), true));
+        $this->assertNotNull($user->twoFactorQrCodeSvg());
+    }
+
     public function test_two_factor_authentication_secret_key_can_be_retrieved()
     {
         Event::fake();