[1.x] Confirmable 2FA (#358)

* first pass at confirmable 2fa

* working on tests

* additional tests

* Apply fixes from StyleCI

* dont interact with column in feature not enabled

* adjust migration

* Apply fixes from StyleCI

* adjust tests

* [2FA] Change to use timestamp for confirming 2fa (#359)

* Change to use timestamp for confirming 2fa

* Fix nullable column

* Fix nullable column in tests

* Add unsaved changes

* update check and test

Co-authored-by: Taylor Otwell <[email protected]>
Co-authored-by: StyleCI Bot <[email protected]>
Co-authored-by: Julius Kiekbusch <[email protected]>

Author: 4 people

database/migrations/2014_10_12_200000_add_two_factor_columns_to_users_table.php

@@ -3,6 +3,7 @@
 use Illuminate\Database\Migrations\Migration;
 use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Support\Facades\Schema;
+use Laravel\Fortify\Fortify;
 
 return new class extends Migration
 {
@@ -21,6 +22,12 @@ public function up()
             $table->text('two_factor_recovery_codes')
                     ->after('two_factor_secret')
                     ->nullable();
+
+            if (Fortify::confirmsTwoFactorAuthentication()) {
+                $table->timestamp('two_factor_confirmed_at')
+                        ->after('two_factor_recovery_codes')
+                        ->nullable();
+            }
         });
     }
 
@@ -32,7 +39,12 @@ public function up()
     public function down()
     {
         Schema::table('users', function (Blueprint $table) {
-            $table->dropColumn('two_factor_secret', 'two_factor_recovery_codes');
+            $table->dropColumn([
+                'two_factor_secret',
+                'two_factor_recovery_codes',
+            ] + Fortify::confirmsTwoFactorAuthentication() ? [
+                'two_factor_confirmed_at',
+            ] : []);
         });
     }
 };

routes/routes.php

@@ -5,6 +5,7 @@
 use Laravel\Fortify\Http\Controllers\AuthenticatedSessionController;
 use Laravel\Fortify\Http\Controllers\ConfirmablePasswordController;
 use Laravel\Fortify\Http\Controllers\ConfirmedPasswordStatusController;
+use Laravel\Fortify\Http\Controllers\ConfirmedTwoFactorAuthenticationController;
 use Laravel\Fortify\Http\Controllers\EmailVerificationNotificationController;
 use Laravel\Fortify\Http\Controllers\EmailVerificationPromptController;
 use Laravel\Fortify\Http\Controllers\NewPasswordController;
@@ -141,6 +142,10 @@
             ->middleware($twoFactorMiddleware)
             ->name('two-factor.enable');
 
+        Route::post('/user/confirmed-two-factor-authentication', [ConfirmedTwoFactorAuthenticationController::class, 'store'])
+            ->middleware($twoFactorMiddleware)
+            ->name('two-factor.confirm');
+
         Route::delete('/user/two-factor-authentication', [TwoFactorAuthenticationController::class, 'destroy'])
             ->middleware($twoFactorMiddleware)
             ->name('two-factor.disable');

src/Actions/ConfirmTwoFactorAuthentication.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace Laravel\Fortify\Actions;
+
+use Illuminate\Validation\ValidationException;
+use Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider;
+use Laravel\Fortify\Events\TwoFactorAuthenticationConfirmed;
+
+class ConfirmTwoFactorAuthentication
+{
+    /**
+     * The two factor authentication provider.
+     *
+     * @var \Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider
+     */
+    protected $provider;
+
+    /**
+     * Create a new action instance.
+     *
+     * @param  \Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider  $provider
+     * @return void
+     */
+    public function __construct(TwoFactorAuthenticationProvider $provider)
+    {
+        $this->provider = $provider;
+    }
+
+    /**
+     * Confirm the two factor authentication configuration for the user.
+     *
+     * @param  mixed  $user
+     * @param  string  $code
+     * @return void
+     */
+    public function __invoke($user, $code)
+    {
+        if (empty($user->two_factor_secret) ||
+            ! $this->provider->verify(decrypt($user->two_factor_secret), $code)) {
+            throw ValidationException::withMessages([
+                'code' => [__('The provided two factor authentication code was invalid.')],
+            ])->errorBag('confirmTwoFactorAuthentication');
+        }
+
+        $user->forceFill([
+            'two_factor_confirmed_at' => now(),
+        ])->save();
+
+        TwoFactorAuthenticationConfirmed::dispatch($user);
+    }
+}

src/Actions/DisableTwoFactorAuthentication.php

@@ -3,6 +3,7 @@
 namespace Laravel\Fortify\Actions;
 
 use Laravel\Fortify\Events\TwoFactorAuthenticationDisabled;
+use Laravel\Fortify\Fortify;
 
 class DisableTwoFactorAuthentication
 {
@@ -17,7 +18,9 @@ public function __invoke($user)
         $user->forceFill([
             'two_factor_secret' => null,
             'two_factor_recovery_codes' => null,
-        ])->save();
+        ] + (Fortify::confirmsTwoFactorAuthentication() ? [
+            'two_factor_confirmed_at' => null,
+        ] : []))->save();
 
         TwoFactorAuthenticationDisabled::dispatch($user);
     }

src/Actions/RedirectIfTwoFactorAuthenticatable.php

@@ -50,6 +50,16 @@ public function handle($request, $next)
     {
         $user = $this->validateCredentials($request);
 
+        if (Fortify::confirmsTwoFactorAuthentication()) {
+            if (optional($user)->two_factor_secret &&
+                ! is_null(optional($user)->two_factor_confirmed_at) &&
+                in_array(TwoFactorAuthenticatable::class, class_uses_recursive($user))) {
+                return $this->twoFactorChallengeResponse($request, $user);
+            } else {
+                return $next($request);
+            }
+        }
+
         if (optional($user)->two_factor_secret &&
             in_array(TwoFactorAuthenticatable::class, class_uses_recursive($user))) {
             return $this->twoFactorChallengeResponse($request, $user);

src/Events/TwoFactorAuthenticationConfirmed.php

@@ -0,0 +1,8 @@
+<?php
+
+namespace Laravel\Fortify\Events;
+
+class TwoFactorAuthenticationConfirmed extends TwoFactorAuthenticationEvent
+{
+    //
+}

src/Fortify.php

@@ -283,6 +283,17 @@ public static function resetUserPasswordsUsing(string $callback)
         app()->singleton(ResetsUserPasswords::class, $callback);
     }
 
+    /**
+     * Determine if Fortify is confirming two factor authentication configurations.
+     *
+     * @return bool
+     */
+    public static function confirmsTwoFactorAuthentication()
+    {
+        return Features::enabled(Features::twoFactorAuthentication()) &&
+               Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm');
+    }
+
     /**
      * Configure Fortify to not register its routes.
      *

src/Http/Controllers/ConfirmedTwoFactorAuthenticationController.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace Laravel\Fortify\Http\Controllers;
+
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Laravel\Fortify\Actions\ConfirmTwoFactorAuthentication;
+
+class ConfirmedTwoFactorAuthenticationController extends Controller
+{
+    /**
+     * Enable two factor authentication for the user.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Laravel\Fortify\Actions\ConfirmTwoFactorAuthentication  $confirm
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    public function store(Request $request, ConfirmTwoFactorAuthentication $confirm)
+    {
+        $confirm($request->user(), $request->input('code'));
+
+        return $request->wantsJson()
+                    ? new JsonResponse('', 200)
+                    : back()->with('status', 'two-factor-authentication-confirmed');
+    }
+}

src/TwoFactorAuthenticatable.php

@@ -19,6 +19,11 @@ trait TwoFactorAuthenticatable
      */
     public function hasEnabledTwoFactorAuthentication()
     {
+        if (Fortify::confirmsTwoFactorAuthentication()) {
+            return ! is_null($this->two_factor_secret) &&
+                   ! is_null($this->two_factor_confirmed_at);
+        }
+
         return ! is_null($this->two_factor_secret);
     }
 

tests/AuthenticatedSessionControllerTest.php

@@ -79,6 +79,70 @@ public function test_user_is_redirected_to_challenge_when_using_two_factor_authe
         Event::assertDispatched(TwoFactorAuthenticationChallenged::class);
     }
 
+    public function test_user_is_not_redirected_to_challenge_when_using_two_factor_authentication_that_has_not_been_confirmed_and_confirmation_is_enabled()
+    {
+        Event::fake();
+
+        app('config')->set('auth.providers.users.model', TestTwoFactorAuthenticationSessionUser::class);
+        app('config')->set('fortify.features', [
+            Features::registration(),
+            Features::twoFactorAuthentication(['confirm' => true]),
+        ]);
+
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+
+        Schema::table('users', function ($table) {
+            $table->text('two_factor_secret')->nullable();
+        });
+
+        TestTwoFactorAuthenticationSessionUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+            'two_factor_secret' => 'test-secret',
+        ]);
+
+        $response = $this->withoutExceptionHandling()->post('/login', [
+            'email' => '[email protected]',
+            'password' => 'secret',
+        ]);
+
+        $response->assertRedirect('/home');
+    }
+
+    public function test_user_is_redirected_to_challenge_when_using_two_factor_authentication_that_has_been_confirmed_and_confirmation_is_enabled()
+    {
+        Event::fake();
+
+        app('config')->set('auth.providers.users.model', TestTwoFactorAuthenticationSessionUser::class);
+        app('config')->set('fortify.features', [
+            Features::registration(),
+            Features::twoFactorAuthentication(['confirm' => true]),
+        ]);
+
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+
+        Schema::table('users', function ($table) {
+            $table->text('two_factor_secret')->nullable();
+            $table->timestamp('two_factor_confirmed_at')->nullable();
+        });
+
+        TestTwoFactorAuthenticationSessionUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+            'two_factor_secret' => 'test-secret',
+            'two_factor_confirmed_at' => now(),
+        ]);
+
+        $response = $this->withoutExceptionHandling()->post('/login', [
+            'email' => '[email protected]',
+            'password' => 'secret',
+        ]);
+
+        $response->assertRedirect('/two-factor-challenge');
+    }
+
     public function test_user_can_authenticate_when_two_factor_challenge_is_disabled()
     {
         app('config')->set('auth.providers.users.model', TestTwoFactorAuthenticationSessionUser::class);

tests/TwoFactorAuthenticationControllerTest.php

@@ -4,10 +4,13 @@
 
 use Illuminate\Foundation\Auth\User;
 use Illuminate\Support\Facades\Event;
+use Laravel\Fortify\Events\TwoFactorAuthenticationConfirmed;
 use Laravel\Fortify\Events\TwoFactorAuthenticationDisabled;
 use Laravel\Fortify\Events\TwoFactorAuthenticationEnabled;
+use Laravel\Fortify\Features;
 use Laravel\Fortify\FortifyServiceProvider;
 use Laravel\Fortify\TwoFactorAuthenticatable;
+use PragmaRX\Google2FA\Google2FA;
 
 class TwoFactorAuthenticationControllerTest extends OrchestraTestCase
 {
@@ -32,14 +35,92 @@ public function test_two_factor_authentication_can_be_enabled()
 
         Event::assertDispatched(TwoFactorAuthenticationEnabled::class);
 
-        $user->fresh();
+        $user = $user->fresh();
 
         $this->assertNotNull($user->two_factor_secret);
         $this->assertNotNull($user->two_factor_recovery_codes);
+        $this->assertNull($user->two_factor_confirmed_at);
         $this->assertIsArray(json_decode(decrypt($user->two_factor_recovery_codes), true));
         $this->assertNotNull($user->twoFactorQrCodeSvg());
     }
 
+    public function test_two_factor_authentication_can_be_confirmed()
+    {
+        Event::fake();
+
+        app('config')->set('fortify.features', [
+            Features::twoFactorAuthentication(['confirm' => true]),
+        ]);
+
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        $tfaEngine = app(Google2FA::class);
+        $userSecret = $tfaEngine->generateSecretKey();
+        $validOtp = $tfaEngine->getCurrentOtp($userSecret);
+
+        $user = TestTwoFactorAuthenticationUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+            'two_factor_secret' => encrypt($userSecret),
+            'two_factor_confirmed_at' => null,
+        ]);
+
+        $response = $this->withoutExceptionHandling()->actingAs($user)->postJson(
+            '/user/confirmed-two-factor-authentication', ['code' => $validOtp],
+        );
+
+        $response->assertStatus(200);
+
+        Event::assertDispatched(TwoFactorAuthenticationConfirmed::class);
+
+        $user = $user->fresh();
+
+        $this->assertNotNull($user->two_factor_confirmed_at);
+        $this->assertTrue($user->hasEnabledTwoFactorAuthentication());
+
+        // Ensure two factor authentication not considered enabled if not confirmed...
+        $user->forceFill(['two_factor_confirmed_at' => null])->save();
+
+        $this->assertFalse($user->hasEnabledTwoFactorAuthentication());
+    }
+
+    public function test_two_factor_authentication_can_not_be_confirmed_with_invalid_code()
+    {
+        Event::fake();
+
+        app('config')->set('fortify.features', [
+            Features::twoFactorAuthentication(['confirm' => true]),
+        ]);
+
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        $tfaEngine = app(Google2FA::class);
+        $userSecret = $tfaEngine->generateSecretKey();
+
+        $user = TestTwoFactorAuthenticationUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+            'two_factor_secret' => encrypt($userSecret),
+            'two_factor_confirmed_at' => null,
+        ]);
+
+        $response = $this->withExceptionHandling()->actingAs($user)->postJson(
+            '/user/confirmed-two-factor-authentication', ['code' => 'invalid-otp'],
+        );
+
+        $response->assertStatus(422);
+
+        Event::assertNotDispatched(TwoFactorAuthenticationConfirmed::class);
+
+        $user = $user->fresh();
+
+        $this->assertNull($user->two_factor_confirmed_at);
+    }
+
     public function test_two_factor_authentication_can_be_disabled()
     {
         Event::fake();