0

I am building an API by using Laravel 8 with Fortify and without Jetstream. I enabled and integrated two-factor authentication and it works well, but just stumbled upon an issue which I do not know if it's by design or a bug.

So, the problem is when user is logging in and he enters the 2fa code wrongly for the first time. In this case, on all subsequent entries, even if the code is correct and valid, it will reject it. After some digging around, I noticed that the login.id stored in session in Laravel\Fortify\Actions\RedirectIfTwoFactorAuthenticatable::twoFactorChallengeResponse is cleared out if the code entered first time is invalid. On all subsequent requests, the login.id in Laravel\Fortify\Http\Requests\TwoFactorLoginRequest::challengedUser() is returning null.

So, my question is: is this intentional and by design? Or did I discover a bug?

My reasoning is that this is a bug because user already provided username and password, now he only needs to enter valid 2fa code to login completely, so not sure why forcing user to enter username and password again if they typed 2fa code wrongly for the first time.

Improve this question

1 Answer 1

Reset to default
1

Apparently I will answer another question on my own. It's by design. Not sure why they opted this way, but the issue happens in Laravel\Fortify\Http\Requests\TwoFactorLoginRequest::challengedUser() where the code executes $model::find($this->session()->pull('login.id')). pull() is designed to get an item from session storage and then forget it immediately after. Once I changed that into get(), it started working as it should. I also updated the store() function in TwoFactorAuthenticatedSessionController, so that after user logs in successfully, it forgets the login.id.

Naturally I didn't update vendor files, but created my own copies with changes above.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.