Adding Two Factor Auth Feature

.gitignore

@@ -7,6 +7,7 @@
 /storage/*.key
 /storage/pail
 /vendor
+.DS_Store
 .env
 .env.backup
 .env.production

app/Actions/TwoFactorAuth/CompleteTwoFactorAuthentication.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Session;
+
+class CompleteTwoFactorAuthentication
+{
+    /**
+     * Complete the two-factor authentication process.
+     *
+     * @param  mixed  $user The user to authenticate
+     * @return void
+     */
+    public function __invoke($user): void
+    {
+        // Log the user in
+        Auth::login($user);
+
+        // Clear the session that is used to determine if the user can visit the 2fa challenge page
+        Session::forget('login.id');
+    }
+}

app/Actions/TwoFactorAuth/ConfirmTwoFactorAuthentication.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+class ConfirmTwoFactorAuthentication
+{
+    /**
+     * Confirm two factor authentication for the user.
+     *
+     * @param mixed $user
+     * @return bool
+     */
+    public function __invoke($user)
+    {
+        $user->forceFill([
+            'two_factor_confirmed_at' => now(),
+        ])->save();
+
+        return true;
+    }
+}

app/Actions/TwoFactorAuth/DisableTwoFactorAuthentication.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+use App\Models\User;
+
+class DisableTwoFactorAuthentication
+{
+    /**
+     * Disable two factor authentication for the user.
+     *
+     * @return void
+     */
+    public function __invoke($user)
+    {
+        if (! is_null($user->two_factor_secret) ||
+            ! is_null($user->two_factor_recovery_codes) ||
+            ! is_null($user->two_factor_confirmed_at)) {
+            $user->forceFill([
+                'two_factor_secret' => null,
+                'two_factor_recovery_codes' => null,
+                'two_factor_confirmed_at' => null,
+            ])->save();
+        }
+    }
+}

app/Actions/TwoFactorAuth/GenerateNewRecoveryCodes.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+use Illuminate\Support\Collection;
+use Illuminate\Support\Str;
+
+class GenerateNewRecoveryCodes
+{
+    /**
+     * Generate new recovery codes for the user.
+     *
+     * @param  mixed  $user
+     * @return void
+     */
+    public function __invoke($user): Collection
+    {
+        return Collection::times(8, function () {
+            return $this->generate();
+        });
+    }
+
+    public function generate()
+    {
+        return Str::random(10).'-'.Str::random(10);
+    }
+}

app/Actions/TwoFactorAuth/GenerateQrCodeAndSecretKey.php

@@ -0,0 +1,54 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+use BaconQrCode\Renderer\Image\SvgImageBackEnd;
+use BaconQrCode\Renderer\ImageRenderer;
+use BaconQrCode\Renderer\RendererStyle\RendererStyle;
+use BaconQrCode\Writer;
+use App\Models\User;
+use PragmaRX\Google2FA\Google2FA;
+
+class GenerateQrCodeAndSecretKey
+{
+    public string $companyName;
+
+    /**
+     * Generate new recovery codes for the user.
+     *
+     * @return array{string, string}
+     */
+    public function __invoke($user): array
+    {
+        // Create a new Google2FA instance with explicit configuration
+        $google2fa = new Google2FA();
+        $google2fa->setOneTimePasswordLength(6);
+
+        // Generate a standard 16-character secret key
+        $secret_key = $google2fa->generateSecretKey(16);
+
+        // Set company name from config
+        $this->companyName = config('app.name', 'Laravel');
+
+        // Generate the QR code URL
+        $g2faUrl = $google2fa->getQRCodeUrl(
+            $this->companyName,
+            $user->email,
+            $secret_key
+        );
+
+        // Create the QR code image
+        $writer = new Writer(
+            new ImageRenderer(
+                new RendererStyle(400),
+                new SvgImageBackEnd()
+            )
+        );
+
+        // Generate the QR code as a base64 encoded SVG
+        $qrcode_image = base64_encode($writer->writeString($g2faUrl));
+
+        return [$qrcode_image, $secret_key];
+
+    }
+}

app/Actions/TwoFactorAuth/GetTwoFactorAuthenticatableUser.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+use Illuminate\Support\Facades\Session;
+
+class GetTwoFactorAuthenticatableUser
+{
+    /**
+     * Get the user that is in the process of two-factor authentication.
+     *
+     * @return mixed|null The user model instance or null if not found
+     */
+    public function __invoke()
+    {
+        $userId = Session::get('login.id');
+
+        if (!$userId) {
+            return null;
+        }
+
+        // Get the user model from auth config
+        $userModel = app(config('auth.providers.users.model'));
+
+        return $userModel::find($userId);
+    }
+}

app/Actions/TwoFactorAuth/ProcessRecoveryCode.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+class ProcessRecoveryCode
+{
+    /**
+     * Verify a recovery code and remove it from the list if valid.
+     *
+     * @param  array  $recoveryCodes The array of recovery codes
+     * @param  string  $submittedCode The code submitted by the user
+     * @return array|false Returns the updated array of recovery codes if valid, or false if invalid
+     */
+    public function __invoke(array $recoveryCodes, string $submittedCode)
+    {
+        // Clean the submitted code
+        $submittedCode = trim($submittedCode);
+
+        // If the user has entered multiple codes, only validate the first one
+        $submittedCode = explode(" ", $submittedCode)[0];
+
+        // Check if the code is valid
+        if (!in_array($submittedCode, $recoveryCodes)) {
+            return false;
+        }
+
+        // Remove the used recovery code from the list
+        $updatedCodes = array_values(array_filter($recoveryCodes, function($code) use ($submittedCode) {
+            return $code !== $submittedCode;
+        }));
+
+        return $updatedCodes;
+    }
+}

app/Actions/TwoFactorAuth/VerifyTwoFactorCode.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Actions\TwoFactorAuth;
+
+use PragmaRX\Google2FA\Google2FA;
+
+class VerifyTwoFactorCode
+{
+    /**
+     * Verify a two-factor authentication code.
+     *
+     * @param  string  $secret The decrypted secret key
+     * @param  string  $code The code to verify
+     * @return bool
+     */
+    public function __invoke(string $secret, string $code): bool
+    {
+        // Clean the code (remove spaces and non-numeric characters)
+        $code = preg_replace('/[^0-9]/', '', $code);
+
+        // Create a new Google2FA instance with explicit configuration
+        $google2fa = new Google2FA();
+        $google2fa->setWindow(8); // Allow for some time drift
+        $google2fa->setOneTimePasswordLength(6); // Ensure 6-digit codes
+
+        try {
+            return $google2fa->verify($code, $secret);
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+}

app/Http/Controllers/Auth/AuthenticatedSessionController.php

@@ -4,6 +4,7 @@
 
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Auth\LoginRequest;
+use App\Models\User;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
@@ -29,8 +30,18 @@ public function create(Request $request): Response
      */
     public function store(LoginRequest $request): RedirectResponse
     {
-        $request->authenticate();
+        // Find user by email
+        $user = User::where('email', $request->email)->first();
+
+        // If user exists, password is correct, and 2FA is enabled, redirect to challenge
+        if ($user && $user->two_factor_confirmed_at && \Illuminate\Support\Facades\Hash::check($request->password, $user->password)) {
+            $request->session()->put('login.id', $user->getKey());
+            // Optionally clear any previous errors
+            return redirect()->route('two-factor.challenge');
+        }
 
+        // Proceed with normal authentication (this will handle errors and login)
+        $request->authenticate();
         $request->session()->regenerate();
 
         return redirect()->intended(route('dashboard', absolute: false));

app/Http/Controllers/Auth/TwoFactorAuthenticatedSessionController.php

@@ -0,0 +1,89 @@
+<?php
+
+namespace App\Http\Controllers\Auth;
+
+use App\Actions\TwoFactorAuth\CompleteTwoFactorAuthentication;
+use App\Actions\TwoFactorAuth\ProcessRecoveryCode;
+use App\Http\Controllers\Controller;
+use App\Models\User;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Inertia\Inertia;
+
+
+class TwoFactorAuthenticatedSessionController extends Controller
+{
+    /**
+     * Display the two factor authentication challenge view.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Inertia\Response
+     */
+    public function create(Request $request)
+    {
+        if (! $request->session()->has('login.id')) {
+            return redirect()->route('login');
+        }
+
+        return Inertia::render('auth/two-factor-challenge');
+    }
+
+    /**
+     * Attempt to authenticate a new session using the two factor authentication code.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return mixed
+     */
+    public function store(Request $request)
+    {
+        $request->validate([
+            'code' => 'nullable|string',
+            'recovery_code' => 'nullable|string',
+        ]);
+
+        $userId = $request->session()->get('login.id');
+        $user = User::find($userId);
+
+        if (! $user) {
+            return redirect()->route('login');
+        }
+
+        // Handle TOTP code
+        if ($request->filled('code')) {
+            $secret = decrypt($user->two_factor_secret);
+            $valid = app(\App\Actions\TwoFactorAuth\VerifyTwoFactorCode::class)($secret, $request->code);
+            if ($valid) {
+                app(CompleteTwoFactorAuthentication::class)($user);
+                return redirect()->intended(route('dashboard', absolute: false));
+            }
+            return back()->withErrors(['code' => __('The provided two factor authentication code was invalid.')]);
+        }
+
+        // Handle recovery code
+        if ($request->filled('recovery_code')) {
+            $recoveryCodes = json_decode(decrypt($user->two_factor_recovery_codes), true);
+            $provided = $request->recovery_code;
+            $match = collect($recoveryCodes)->first(function ($code) use ($provided) {
+                return hash_equals($code, $provided);
+            });
+            if (! $match) {
+                return back()->withErrors(['recovery_code' => __('The provided two factor authentication recovery code was invalid.')]);
+            }
+            // Remove used recovery code using the ProcessRecoveryCode action
+            $updatedCodes = app(ProcessRecoveryCode::class)($recoveryCodes, $match);
+            if ($updatedCodes === false) {
+                return back()->withErrors(['recovery_code' => __('The provided two factor authentication recovery code was invalid.')]);
+            }
+            $user->two_factor_recovery_codes = encrypt(json_encode($updatedCodes));
+            $user->save();
+            // Complete the authentication process
+            app(CompleteTwoFactorAuthentication::class)($user);
+
+            // Redirect to the intended page
+            return redirect()->intended(route('dashboard', absolute: false));
+        }
+
+        return back()->withErrors(['code' => __('Please provide a valid two factor authentication code.')]);
+    }
+}
+