laragear / twofactor Goto Github PK

PHP & Platform

8.2.9 - MacOSX

Database

PostgreSQL 15

Laravel version

10.21.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

I expect to be able to use uuids as the authenticable id

Description

• My users table uses uuids ``

• I've updated the 2fa migration to use $table->uuidMorphs('authenticatable', '2fa_auth_type_auth_id_index');

• $twoFactorModel->authenticable throws an error because of the 'authenticatable_id' => 'int', attempting to cast the string uuid to a int.

Reproduction

// user migration
$table->uuid('userId')->primary()->unique();

// two-factor migration
$table->uuidMorphs('authenticatable', '2fa_auth_type_auth_id_index');

// attempt to retrive the user from the 2fa model - results in an error because uuid is cast to int e.g.
// "97d08fcf-6639-4e66-a301-d325e7f7435b" -> 97
$twoFactorModel->authenticable

// Error Message
// PDOException: SQLSTATE[22P02]: Invalid text representation: 7 ERROR:  invalid input syntax for type uuid: "97"

Stack trace & logs

No response

PHP & Platform

8.1.17

Database

Mysql 8.0.32

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

It should be able to create createTwoFactorAuth for logged in user.
I see that the secret key are stored differently in two version. Did I miss any documentation to migrate properly?

Description

So I updated laravel from 8 to 10, and also have migrated from
darkghosthunter/laraguard => Laragear/TwoFactor.
So there is no any issue with doing new setup, but for the one which was setup from old version it gives payload issue. Please check the attachment.

Reproduction

$secret = $this->loggedInUser->createTwoFactorAuth();

Stack trace & logs

No response

PHP & Platform

8.1.3

Laravel verion

9.5.1

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

The migration included in this package should be optional.

Description

I'm migrating from the old Laraguard package. I already have a database table called two_factor_authentications, from a migration that has a slightly different name than the migration included with this package.

This causes a Table 'two_factor_authentications' already exists error when running php artisan migrate, where the migration included in this package is called because it is not listed in my migrations table.

As far as I can see I cannot cancel this migration.

Reproduction

Schema::create('two_factor_authentications', function (Blueprint $table) {
            $table->bigIncrements('id');
});

then run php artisan migrate

Stack trace & logs

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.11 Mac M1

Database

No response

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Description

Reproduction

$authFA = Auth2FA::attempt($request->only('email', 'password'), $request->filled('remember'));

Stack trace & logs

The MAC is invalid.

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Just wanted to clarify that currently there is an internal logic that will disallow same 2FA code from being used twice?
Is there a way to disable this or this is part of the requirement for TOTP?

My use case:

1. User with administrative rights tries to login to the portal
2. User prompted to enter 2FA
3. User successfully login to portal
4. User tries to access privilege module
5. User prompted to confirm 2FA again (still within 30 seconds)
6. Authenticator app is still showing same 2FA
7. User tries to enter same 2FA and failed.
8. User waits for 2FA on Authenticator app to "refresh"
9. User enters new 2FA
10. User able to access privilege module

Code sample

This post was meant as a clarification

PHP & Platform

8.1.6 Windows

Database

mysqlnd 8.1.6

Laravel version

9.43.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

No warnings should be issued

Description

When using this line:

$attempt = Auth2FA::attempt($request->only('email', 'password'), $request->filled('remember'));

like in the documentation VSCode intelephense marks it as: "Non static method 'attempt' should not be called statically."

Reproduction

/**
     * Handle an authentication attempt.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     */
    public function authenticate(Request $request)
    {
        // If the user is trying for the first time, ensure both email and the password are
        // required to log in. If it's not, then he would issue its 2FA code. This ensures
        // the credentials are not required again when is just issuing his 2FA code alone.
        if ($request->isNotFilled('2fa_code')) {
            $request->validate([
                'email' => 'required|email',
                'password' => 'required|string'
            ]);
        }
        
        $attempt = Auth2FA::guard('admin')->attempt($request->only('email', 'password'), $request->filled('remember'));
    
        if ($attempt) {
            return redirect()->intended('/');
        }
 
        return back()->withErrors([
            'email' => 'The provided credentials do not match our records.',
        ])->onlyInput('email');
    }

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

This would enable support for things like Inertiajs where views aren't really used a such but if we can use a route, it's more flexible. Would be super handy in my current project :)

Code sample

instead of
 $attempt = Auth2FA::attempt($request->only('email', 'password'), $request->filled('remember'))->view('custom2faview');

have 
 $attempt = Auth2FA::attempt($request->only('email', 'password'), $request->filled('remember'))->route('custom2faroute', [params]);

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

I've installed the package following the readme.md. I still don't understand how to turn the login process into a two-step process for users who have enabled 2fa. As I've read in the instructions I should add a field to the login form for the 2fa_code, and this works. Users without 2fa enabled are logged in without entering anything, and users who do have one must enter a code.

However, I would prefer the user to first enter a valid username/password and then be asked for the 2fa_code. It would be great if the readme was a bit more explanatory on implementing the login routine. Alternatively, an example package that implements the functionality would be valuable.

Thanks for your great work!

Code sample

- i have no idea on how to write that code.

Are you a Patreon supporter?

No, don't give priority to this

How can I get the secret for use outside the Laravel application? I have a Node application the interfaces with this application. When passing in shared_secret to verify the 2fa code they gave it always returns false. So how can I derive the secret from the shared_secret?

For example notp requires the secret key for the user

Most probably I have done something wrong while setting everything up (this project is very early development still).

So for this project, all users are required to enable 2fa; so on my authenticated routes, I have added the 2fa.enabled middleware. While I am using Laravel Breeze, for now I am mostly using your original views (though I created a 'confirm', 'prepare' and 'recovery' view to also use during the setup of 2fa for a user). I am also using the Facade to handle the login (as per the readme, set in the LoginRequest).

I further copied the "ConfirmtwoFactorCodeController" over to my other controllers, and modified it to also handle the setup of the 2fa for a user, using the following routes:

Route::get('2fa-notice', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'notifyTwoFactor'])->name('2fa.notice');
Route::get('2fa-prepare', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'prepareTwoFactor'])->name('2fa.prepare');
Route::post('2fa-prepare', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'confirmTwoFactor'])->name('2fa.confirm');
Route::get('2fa-recovery', [\App\Http\Controllers\Frontend\ConfirmTwoFactorCodeController::class, 'showRecoveryCodes'])->name('2fa.recovery');

So the setup part is working, and the app code, verifies correctly.

The issue is happening when I attempt to log in. I provide the email and password, and then see the screen asking for the code (weird thing here is it immediately shows the field as having an error, saying the code is either wrong or expired - this is prior to me providing any code). Then when I provide the correct code, it tells me the login was unsuccessful (basically that both the email and password fields are required).

Any idea how I can solve this issue.

PHP & Platform

8.2 Ubuntu-20.04

Database

MySql 8

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

I try to modify App\Http\Requests\Auth\LoginRequest::authenticate() by replacing Auth with Auth2FA, but it does not work.
I cannot use Auth::user() or Auth2FA::user() to get login user session.
How should I do?

Description

It prompts to ask 2FA form, but it does not work, no matter I enter correct 2fa code or not.

Reproduction

public function authenticate()
    {
        $this->ensureIsNotRateLimited();

        if (!Auth2FA::attempt($this->only('email', 'password'), $this->boolean('remember'))) { 
            RateLimiter::hit($this->throttleKey());

            throw ValidationException::withMessages([
                'email' => trans('auth.failed'),
            ]);
        }

        RateLimiter::clear($this->throttleKey());
    }
// what else I should do to make it work

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Hi.

Thanks!
Great package, it has everything that Fortify lacks and is much more customizable.

One small feature Im missing is telling if the user is logged in with a real 2-factor authentication challenge or bypassed the auth with a "safe device". It would be optimal if the validate() method could set some session variable when bypassing the two-factor challenge. Or vice versa, some session variable being set only when the user did a real 2-factor auth.

I will have a middleware forcing users to confirm important actions if:

• They bypassed the 2 factor auth in the login
• Havent authenticated in xx time, since last time.

Maybe this feature exists but I've missed it somewhere?
Thanks.

Code sample

// If safe devices are enabled, and this is a safe device, bypass.
      if ($this->isSafeDevicesEnabled() && $user->isSafeDevice($this->request)) {
        
      **ADD**
        $this->request->session()->put("bypassed_two_factor", $time);
        
          return true;
      }

PHP & Platform

8.1.6 & Windows (localhost)

Database

mysqlnd 8.1.6

Laravel version

9.43.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

2FA code not requested on next login on same device when safe_devices enabled = true.

Description

2FA code is requested on every login on the same device.

Column safe_devices stays on value null.

No additional browser cookie stored (2 cookies in use: session and csrf)

Reproduction

'safe_devices' => [
        'enabled'         => true,
        'cookie'          => '_2fa_remember',
        'max_devices'     => 3,
        'expiration_days' => 14,
    ],

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Is it possible to use 6 inputs for entering the 2fa_code ? I tried adding

public function prepareForValidation()
{
$this->merge([
'2fa_code' => $this->code1 . $this->code2 . $this->code3 . $this->code4 . $this->code5 . $this->code6
]);
}

and I do receive the 2fa_code
// 123456

but it doesn't work or gets validated, I would like to know if its possible? Thank you

Code sample

<!--begin::Section-->
								<div class="mb-10">
									<!--begin::Label-->
									<div class="fw-bold text-start text-dark fs-6 mb-1 ms-1" data-kt-translate="two-step-label">Type your 6 digit security code</div>
									<!--end::Label-->
									<!--begin::Input group-->
									<div class="d-flex flex-wrap flex-stack">
										<input type="text" name="code_1" data-inputmask="'mask': '9', 'placeholder': ''" maxlength="1" class="form-control form-control-solid h-60px w-60px fs-2qx text-center border-primary border-hover mx-1 my-2" value="" />
										<input type="text" name="code_2" data-inputmask="'mask': '9', 'placeholder': ''" maxlength="1" class="form-control form-control-solid h-60px w-60px fs-2qx text-center border-primary border-hover mx-1 my-2" value="" />
										<input type="text" name="code_3" data-inputmask="'mask': '9', 'placeholder': ''" maxlength="1" class="form-control form-control-solid h-60px w-60px fs-2qx text-center border-primary border-hover mx-1 my-2" value="" />
										<input type="text" name="code_4" data-inputmask="'mask': '9', 'placeholder': ''" maxlength="1" class="form-control form-control-solid h-60px w-60px fs-2qx text-center border-primary border-hover mx-1 my-2" value="" />
										<input type="text" name="code_5" data-inputmask="'mask': '9', 'placeholder': ''" maxlength="1" class="form-control form-control-solid h-60px w-60px fs-2qx text-center border-primary border-hover mx-1 my-2" value="" />
										<input type="text" name="code_6" data-inputmask="'mask': '9', 'placeholder': ''" maxlength="1" class="form-control form-control-solid h-60px w-60px fs-2qx text-center border-primary border-hover mx-1 my-2" value="" />
									</div>
									<!--begin::Input group-->
								</div>
								<!--end::Section-->

PHP & Platform

8.1.7 - Fedora 35 x64

Laravel verion

9.17.0

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When a user with 2FA enabled logs in and confirms their TOTP, they should be redirected to the application as authenticated.

Description

The user is redirected back to the login page with an error stating that their credentials are invalid. This seems to be caused by the session flash not being set. Looking into TwoFactorLoginHelper.php I identified that Illuminate\Contracts\Session\Session does not have flash() as a member function https://laravel.com/api/9.x/Illuminate/Contracts/Session/Session.html

protected function flashData(array $credentials, bool $remember): void
    {
        foreach ($credentials as $key => $value) {
            $credentials[$key] = Crypt::encryptString($value);
        }

        $this->session->flash($this->sessionKey, ['credentials' => $credentials, 'remember' => $remember]);
    }

As a result, when the TOTP form is submitted the credentials are blank. And since validation is overridden due to 2fa_code being present, the app kicks back a credentials not found error.
You may want to use $this->session->put(...) and $this->session->forget(...) in combination with flashData() and getFlashedData() to approximate flash() or instead use the $request->session() which does have flash().

Reproduction

// https://github.com/Laragear/TwoFactor

Stack trace & logs

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.3 MacOS Sonoma 14.4.4

Database

MySQL 8.0.33

Laravel version

10.43.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When I run the migrations I expect it to add all the 2fa table without erroring

Description

After running the migrations command I get this MySQL Error:

SQLSTATE[42000]: Syntax error or access violation: 1059 Identifier name 'two_factor_authentications_authenticatable_type_authenticatable_id_index' is too long (Connection: mysql, SQL: alter table two_factor_authentications add index two_factor_authentications_authenticatable_type_authenticatable_id_index(authenticatable_type, authenticatable_id))

Reproduction

php artisan two-factor:install
php artisan migrate

Stack trace & logs

No response

PHP & Platform

8.1 - Ubuntu 22.04

Database

No response

Laravel version

10.x

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

• The label is properly URL encoded when generating the url.
• The label does not contain the issuer twice.

Description

Hi,

I found 2 bugs during testing on an Apple device (IPhone 6S, Ios 15.7.1)

When using generating the QR code
\Laragear\TwoFactor\Models\Concerns\SerializesSharedSecret::toQr It uses \Laragear\TwoFactor\Models\Concerns\SerializesSharedSecret::toUri to build the otpauth uri.

It returns the url like this:
return 'otpauth://totp/'.rawurlencode($issuer).'%3A'.$this->attributes['label']."?$query";

The $this->attributes['label'] is not urlencoded like the issuer and this causes an issue when testing generating a QR code on an Apple device.

Instead of 'App name:[email protected]' the user was rendered as 'App%20name:[email protected]'.

There's a second issue to this, of which I think also is unwanted behavior, it by defaults creates a label based on the issuer + the e-mail of the user. https://github.com/Laragear/TwoFactor/blob/v1.2.2/src/TwoFactorAuthentication.php#L106

But the specs (think these are the official specs, could not find any other)

• https://github.com/google/google-authenticator/wiki/Key-Uri-Format#introduction
• https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html#label

State:
otpauth://TYPE/LABEL?PARAMETERS

Instead of just passing on the label or using label + email, the module combines label + (label + email), which includes the label unnecessary twice. So I think the default label twoFactorLabel() should not include the issuer by default and think it would be a good practice to always include it in the otpauth url.

Can't find label as an official parameter for otpauth://TYPE/LABEL?PARAMETERS either, although the module adds it to the query parameters, I don't think it's used.

Summary;

1. Encode the full concat string: rawurlencode($issuer . ':' . $this->attributes['label']).
2. Remove issuer from label when always adding / forcing an issuer on the url.

I've mitigated this issue by overriding the following method on the model
protected function twoFactorLabel(): string

Reproduction

* Set APP name with space like: 'The Application'
* Create TwoFactorAuthentication model
* Create QR code for the model
* Scan the code
* View result on a IOS device

Stack trace & logs

No response

PHP & Platform

8.1 ubuntu 22

Database

mysql 8

Laravel version

10.*

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

hasTwoFactorEnabled function not work because enabled_at still null

Description

hasTwoFactorEnabled function not work because enabled_at still null

Reproduction

hasTwoFactorEnabled function not work because enabled_at still null

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Hey,

This won't be an issue that's structured the way your forced issue templates are set. It's just a quick issue.

Documentation confused me for a good 5 minutes basically.

The repo is set as 2.x as the default branch. So I landed on that branch and this is what happened.

I installed the package as instructed via composer.

Ran the command two-factor:install.

No command in that namespace was found.

I checked the package files in the Vendor namespace, and there was no command so it wasn't an autoload issue.

I checked packagist and then saw that 2.x is not yet stable. (It also said release on the right of the repository I'm just blind).

Also, when I went to switch branches, you had master listed as a branch, so I clicked that. It's stale but, it could confuse others but I jumped to the 1.x branch.

Now, I seem to be implementing your package smoothly after reading the correct documentation 😄

I can submit a PR with a notice in the README where the installation instructions are informing the visitor to visit the other documentation as a fix? I think the correct solution is to use the 1.x branch as the default branch on this repository.

I assume you guys just aren't setting that as the default branch because some of Github's stuff and some tools always default to the default branch which makes things confusing if you guys are mainly spending time on version 2.x

Code sample

try {
} catch ($exception e) {
throw new Exception();
}

Checklist

• I have checked my stack trace and logs.
• I can reproduce this in isolation.
• I can suggest a workaround or PR.

Dependencies

• PHP: 8.1.3 Linux
• Laravel: 9.1.0

Description

This is NOT a bug report at the moment.

I just upgraded the project I'm working on to L9. As such I had to move from darkghosthunter/laraguard to laragear/two-factor. This change required a lot of code change and now I'm not so sure if I took the best path.

My app has no frontend. It's just a backend where all the action happens. All users must be logged in, but not everyone may have 2FA enabled. The 2fa_code is asked on a dedicated form just after the login one IF the user has 2FA enabled.

So I thought to do this in routes/web.php:

Route::post('/', 'Auth\LoginController@login')
    ->name('login.submit')
    ->middleware('2fa.confirm');

But nope... it won't work that way. At least it didn't here. Users with 2FA enabled are just logged in as soon as they submit their login credentials. No 2FA form page presented as it used to be in darkghosthunter/laraguard wonderful magic listeners.

After thoroughly reading this package README and many attempts later, the only way I found to accomplish the old behavior was to override L9's Auth\LoginController@login. I'm not so confident if I got right and what kind of security holes I may have opened. Here's how it looks now:

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use Auth;
use DB;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Laragear\TwoFactor\TwoFactor;
use Symfony\Component\HttpFoundation\Response as SymfonyResponse;

class LoginController extends Controller
{
    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = RouteServiceProvider::HOME;

    /**
     * Override AuthenticatesUsers::login() to implement 2FA.
     *
     * @see AuthenticatesUsers::login() To the original login implementation.
     * @see https://github.com/Laragear/TwoFactor#logging-in To the Laragear\TwoFactor login implementation.
     *
     * @param Request $request
     *
     * @return JsonResponse|RedirectResponse|Response|SymfonyResponse
     */
    public function login(Request $request) {
        $credentials = $request->validate([
            $this->username() => 'required|string',
            'password' => 'required|string',
        ]);

        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        $twoFactor = DB::table('two_factor_authentications')->where('label', $credentials['email'])->count();
        if ($twoFactor && ! $request->filled(config('app.2fa_field'))) {
            return response()->view(
                'two-factor::confirm',
                [
                    'credentials' => $credentials,
                    'remember' => $request->filled('remember'),
                ]
            );
        } else {
            if (Auth::attemptWhen($credentials, TwoFactor::hasCodeOrFails(), $request->filled('remember'))) {
                if ($request->hasSession()) {
                    $request->session()->put('auth.password_confirmed_at', time());
                }

                return $this->sendLoginResponse($request);
            }
        }

        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
}

It worked as expected, except that if users type a wrong 2FA code shw will be redirected back to login page (user/password). I can live with that, as it won't make explicit to an attacker if the wrong piece of data was the email, password or the TOTP code.

But at the end, is that right? Can it be improved somehow? Did I broke my auth toy?

PS: The documentation is far from clear when someone needs a custom login method like the case above (TOTP code in it's own form). But as I'm not sure if this is a bug with the middleware not attaching to POST login method, I will leave this as is for now.

Reproduction

Not available yet.

Expected behavior

It would be really nice if Route::post()->middleware('2fa.confirm') just worked as expected (i.e. force a user with 2FA enabled to enter TOTP code on it's own form page, leave users with 2FA disabled alone and just log them in). This would also leave such a critical method as Auth\LoginController@login alone.

Stack Trace

The issue generates no stack trace.

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

can you support SMS.

Code sample

no code

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.2.4

Database

No response

Laravel version

10.13.5

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Expected result
otpauth://totp/Laravel:[email protected]?secret=THISISMYSECRETPLEASEDONOTSHAREIT&issuer=Laravel&label=taylor%40laravel.com&algorithm=SHA1&digits=6&period=30

Description

Result without setting the issuer config variable
otpauth://totp/%3A:[email protected]?label=%3Ataylor%40laravel.com&secret=THISISMYSECRETPLEASEDONOTSHAREIT&algorithm=SHA1&digits=6

Result with setting the issuer config variable
otpauth://totp/Name%3AName:[email protected]?issuer=Name&label=Name%3Ataylor%40laravel.com&secret=THISISMYSECRETPLEASEDONOTSHAREIT&algorithm=SHA1&digits=6

Reproduction

$secret = $user->createTwoFactorAuth();

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

It will be nice to have an option to add U2F from hardware token like the Yubikey 5 NFC

Code sample

tbd

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation: #41

Description

Since Laravel 10 was released.

Code sample

N/A

PHP & Platform

8.0.12

Laravel verion

9.17.0

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When totp code is correct i expect the user to be logged in.

Description

Users not using 2fa gets logged inn correctly. Users who has activated 2fa are getting the login page again with no error message.

Reproduction

//To activate sanctum for api calls (SPA authentication) i  uncommented EnsureFrontendRequestsAreStateful in app/http/Kernel.php. That is when this "bug" sets in.

'api' => [
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

Stack trace & logs

no stacktrace and nothing logged in laravel.log

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.1 - Ubuntu

Laravel version

9.3.4

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

I want to have all the files (views, configs) from the provider.

Description

When I try to run the vendor publish command i am getting this info:

No publishable resources for tag [migrations].

And I even tried to add the provider to config/app.php

Reproduction

I normally installed the package like it says in the installation:
composer require laragear/two-factor

Then I am trying to publish the files with:
php artisan vendor:publish --provider="Laragear\TwoFactor\TwoFactorServiceProvider" --tag="migrations"

Stack trace & logs

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.2.3

Database

MySQL 8

Laravel version

10.1.5

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

I treid to make it work on Laravel 10 with Breeze installed but it's not working. Is it Laravel 10 compatible?

Description

The docs seem to be for older Laravel version.

For example I am getting this error when I try to add traits as in your docs: Undefined type 'Laragear\TwoFactor\Contracts\TwoFactorAuthenticatable'.intelephense(1009)

Reproduction

Also the implementation with routing and/or breeze etc. is missing in the docs as well.

By the way, is there any demo app or existing app where we can look how it should be implemented? I am especially interested in routes in the final app. But also final controllers.

Stack trace & logs

No response