security: enforce global 2FA toggles on login challenges and controller endpoints
@@ -35,8 +35,25 @@ class AuthenticatedSessionController extends Controller
|
||||
|
||||
$user = Auth::user();
|
||||
|
||||
// If user has 2FA enabled, redirect to challenge screen
|
||||
if ($user->two_factor_confirmed_at && $user->two_factor_secret) {
|
||||
// Check global 2FA toggles
|
||||
$totpAllowed = true;
|
||||
$emailAllowed = true;
|
||||
try {
|
||||
$settings = \Illuminate\Support\Facades\Cache::rememberForever('system_settings', function () {
|
||||
return \App\Models\Setting::all()->pluck('value', 'key')->toArray();
|
||||
});
|
||||
if (isset($settings['two_factor_totp_enabled'])) {
|
||||
$totpAllowed = $settings['two_factor_totp_enabled'] === '1' || $settings['two_factor_totp_enabled'] === true;
|
||||
}
|
||||
if (isset($settings['two_factor_email_enabled'])) {
|
||||
$emailAllowed = $settings['two_factor_email_enabled'] === '1' || $settings['two_factor_email_enabled'] === true;
|
||||
}
|
||||
} catch (\Exception $e) {
|
||||
// DB not ready or migrated
|
||||
}
|
||||
|
||||
// If user has 2FA enabled, and it's globally allowed, redirect to challenge screen
|
||||
if ($totpAllowed && $user->two_factor_confirmed_at && $user->two_factor_secret) {
|
||||
$request->session()->put('two_factor_user_id', $user->id);
|
||||
$request->session()->put('two_factor_type', 'totp');
|
||||
Auth::guard('web')->logout();
|
||||
@@ -45,8 +62,8 @@ class AuthenticatedSessionController extends Controller
|
||||
return redirect()->route('two-factor.challenge');
|
||||
}
|
||||
|
||||
// If user has Email 2FA enabled, redirect to email challenge
|
||||
if ($user->email_2fa_enabled) {
|
||||
// If user has Email 2FA enabled, and it's globally allowed, redirect to email challenge
|
||||
if ($emailAllowed && $user->email_2fa_enabled) {
|
||||
$code = str_pad(mt_rand(100000, 999999), 6, '0', STR_PAD_LEFT);
|
||||
$user->update([
|
||||
'email_2fa_code' => $code,
|
||||
|
||||
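Review bot: A user whose only configured second factor is TOTP is logged in with the password alone when `two_factor_totp_enabled` is switched off, because the new guard `if ($totpAllowed && $user->two_factor_confirmed_at && $user->two_factor_secret)` skips the challenge and, when `$user->email_2fa_enabled` is false, nothing after it ends the session; a global toggle should downgrade to an allowed factor or refuse the login, never to no second factor. The `true` defaults mean an exception in the settings lookup fails closed, which is correct, but the empty `catch (\Exception $e)` should say so rather than read as a swallowed error: `// Defaults stay true so a missing/unmigrated settings table still requires 2FA`. Because the toggles are read through `Cache::rememberForever('system_settings', ...)`, presumably the admin save path forgets that key, otherwise a toggle change only takes effect after a cache flush — worth confirming. The enclosing method begins before the first hunk, so the fall-through after the email block is not visible here. Separately, the email fallback that this change routes more users into derives its code from `mt_rand` (second hunk); an OTP should come from `random_int(100000, 999999)`.
```php
// … unchanged: $totpAllowed / $emailAllowed lookup from system_settings …
$hasTotp = $user->two_factor_confirmed_at && $user->two_factor_secret;
// Fail closed: a globally disabled factor must not silently drop the user to password-only login.
if ($hasTotp && !$totpAllowed && !($emailAllowed && $user->email_2fa_enabled)) {
    Auth::guard('web')->logout();
    return back()->withErrors(['email' => 'Two-factor authentication is currently unavailable. Contact an administrator.']);
}
if ($totpAllowed && $hasTotp) {
// … unchanged: session setup and redirect to two-factor.challenge …
```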