[2FA] Change to use timestamp for confirming 2fa (#359)

* Change to use timestamp for confirming 2fa

* Fix nullable column

* Fix nullable column in tests

* Add unsaved changes

Author: Jubeki

database/migrations/2014_10_12_200000_add_two_factor_columns_to_users_table.php

@@ -24,9 +24,9 @@ public function up()
                     ->nullable();
 
             if (Fortify::confirmsTwoFactorAuthentication()) {
-                $table->boolean('two_factor_confirmed')
+                $table->timestamp('two_factor_confirmed_at')
                         ->after('two_factor_recovery_codes')
-                        ->default(false);
+                        ->nullable();
             }
         });
     }
@@ -43,7 +43,7 @@ public function down()
                 'two_factor_secret',
                 'two_factor_recovery_codes',
             ] + Fortify::confirmsTwoFactorAuthentication() ? [
-                'two_factor_confirmed',
+                'two_factor_confirmed_at',
             ] : []);
         });
     }

src/Actions/ConfirmTwoFactorAuthentication.php

@@ -43,7 +43,7 @@ public function __invoke($user, $code)
         }
 
         $user->forceFill([
-            'two_factor_confirmed' => true,
+            'two_factor_confirmed_at' => now(),
         ])->save();
 
         TwoFactorAuthenticationConfirmed::dispatch($user);

src/Actions/DisableTwoFactorAuthentication.php

@@ -19,7 +19,7 @@ public function __invoke($user)
             'two_factor_secret' => null,
             'two_factor_recovery_codes' => null,
         ] + (Fortify::confirmsTwoFactorAuthentication() ? [
-            'two_factor_confirmed' => false,
+            'two_factor_confirmed_at' => null,
         ] : []))->save();
 
         TwoFactorAuthenticationDisabled::dispatch($user);

src/Actions/RedirectIfTwoFactorAuthenticatable.php

@@ -52,7 +52,7 @@ public function handle($request, $next)
 
         if (Fortify::confirmsTwoFactorAuthentication()) {
             if (optional($user)->two_factor_secret &&
-                optional($user)->two_factor_confirmed &&
+                ! is_null(optional($user)->two_factor_confirmed_at) &&
                 in_array(TwoFactorAuthenticatable::class, class_uses_recursive($user))) {
                 return $this->twoFactorChallengeResponse($request, $user);
             } else {

tests/AuthenticatedSessionControllerTest.php

@@ -124,15 +124,15 @@ public function test_user_is_redirected_to_challenge_when_using_two_factor_authe
 
         Schema::table('users', function ($table) {
             $table->text('two_factor_secret')->nullable();
-            $table->boolean('two_factor_confirmed')->default(true);
+            $table->timestamp('two_factor_confirmed_at')->nullable();
         });
 
         TestTwoFactorAuthenticationSessionUser::forceCreate([
             'name' => 'Taylor Otwell',
             'email' => '[email protected]',
             'password' => bcrypt('secret'),
             'two_factor_secret' => 'test-secret',
-            'two_factor_confirmed' => true,
+            'two_factor_confirmed_at' => now(),
         ]);
 
         $response = $this->withoutExceptionHandling()->post('/login', [

tests/TwoFactorAuthenticationControllerTest.php

@@ -39,7 +39,7 @@ public function test_two_factor_authentication_can_be_enabled()
 
         $this->assertNotNull($user->two_factor_secret);
         $this->assertNotNull($user->two_factor_recovery_codes);
-        $this->assertEquals(0, $user->two_factor_confirmed);
+        $this->assertNull($user->two_factor_confirmed_at);
         $this->assertIsArray(json_decode(decrypt($user->two_factor_recovery_codes), true));
         $this->assertNotNull($user->twoFactorQrCodeSvg());
     }
@@ -64,7 +64,7 @@ public function test_two_factor_authentication_can_be_confirmed()
             'email' => '[email protected]',
             'password' => bcrypt('secret'),
             'two_factor_secret' => encrypt($userSecret),
-            'two_factor_confirmed' => false,
+            'two_factor_confirmed_at' => null,
         ]);
 
         $response = $this->withoutExceptionHandling()->actingAs($user)->postJson(
@@ -77,7 +77,7 @@ public function test_two_factor_authentication_can_be_confirmed()
 
         $user = $user->fresh();
 
-        $this->assertEquals(1, $user->two_factor_confirmed);
+        $this->assertNotNull($user->two_factor_confirmed_at);
     }
 
     public function test_two_factor_authentication_can_not_be_confirmed_with_invalid_code()
@@ -99,7 +99,7 @@ public function test_two_factor_authentication_can_not_be_confirmed_with_invalid
             'email' => '[email protected]',
             'password' => bcrypt('secret'),
             'two_factor_secret' => encrypt($userSecret),
-            'two_factor_confirmed' => false,
+            'two_factor_confirmed_at' => null,
         ]);
 
         $response = $this->withExceptionHandling()->actingAs($user)->postJson(
@@ -112,7 +112,7 @@ public function test_two_factor_authentication_can_not_be_confirmed_with_invalid
 
         $user = $user->fresh();
 
-        $this->assertEquals(0, $user->two_factor_confirmed);
+        $this->assertNull($user->two_factor_confirmed_at);
     }
 
     public function test_two_factor_authentication_can_be_disabled()