security: enforce global 2FA toggles on login challenges and controller endpoints

app/Http/Controllers/TwoFactorController.php

@@ -56,11 +56,45 @@ class TwoFactorController extends Controller
         ]);
     }
 
+    private function isTotpAllowed(): bool
+    {
+        try {
+            $settings = \Illuminate\Support\Facades\Cache::rememberForever('system_settings', function () {
+                return \App\Models\Setting::all()->pluck('value', 'key')->toArray();
+            });
+            if (isset($settings['two_factor_totp_enabled'])) {
+                return $settings['two_factor_totp_enabled'] === '1' || $settings['two_factor_totp_enabled'] === true;
+            }
+        } catch (\Exception $e) {
+            // DB not ready or migrated
+        }
+        return true;
+    }
+
+    private function isEmailAllowed(): bool
+    {
+        try {
+            $settings = \Illuminate\Support\Facades\Cache::rememberForever('system_settings', function () {
+                return \App\Models\Setting::all()->pluck('value', 'key')->toArray();
+            });
+            if (isset($settings['two_factor_email_enabled'])) {
+                return $settings['two_factor_email_enabled'] === '1' || $settings['two_factor_email_enabled'] === true;
+            }
+        } catch (\Exception $e) {
+            // DB not ready or migrated
+        }
+        return true;
+    }
+
     /**
      * Confirm & enable 2FA.
      */
     public function enable(Request $request)
     {
+        if (!$this->isTotpAllowed()) {
+            abort(403, 'Google Authenticator (TOTP) is globally disabled by the administrator.');
+        }
+
         $request->validate([
             'code' => 'required|string',
         ]);
@@ -111,6 +145,10 @@ class TwoFactorController extends Controller
             'enabled' => 'required|boolean',
         ]);
 
+        if ($request->enabled && !$this->isEmailAllowed()) {
+            abort(403, 'Email Two-Factor Authentication is globally disabled by the administrator.');
+        }
+
         $user = auth()->user();
         if ($request->enabled) {
             // Live-verify SMTP configuration by sending a test validation email