
two-factor.disable not deleting the two_factor_confirmed_at #588

Closed
PatrickCaneloDigital opened this issue Jan 16, 2025 · 1 comment · Fixed by #589

PatrickCaneloDigital commented Jan 16, 2025

Fortify Version

1.25.1

Laravel Version

11.37

PHP Version

8.3

Database Driver & Version

No response

Description

I am successfully using Fortify to activate 2FA with Free OTP in a Laravel/Inertia/Fortify/Vue setup, but when I deactivate it the confirmed_at field is not nulled. Is that by design, or a problem with my use-case understanding?

Please excuse me in advance if it's an issue with my use case or an outdated version.
By successfully I mean I made a Vue component which, via a slider button, activates and deactivates 2FA.
If it gets activated, the QR code, recovery codes and confirmation field are shown, and if a code is entered, the corresponding POST is called and two_factor_confirmed_at is set.
If it gets deactivated, the secret and recovery codes get deleted but NOT the two_factor_confirmed_at field.

As the confirm is a separate POST call, I thought perhaps there is a separate call to unconfirm, but I only see one delete route:
Route::delete(RoutePath::for('two-factor.disable', '/user/two-factor-authentication'), [TwoFactorAuthenticationController::class, 'destroy'])
    ->middleware($twoFactorMiddleware)
    ->name('two-factor.disable');

So my issue is: why is the two_factor_confirmed_at field not nulled when 2FA is disabled?

Steps To Reproduce

Set up 2FA with a separate POST request to the /user/confirmed-two-factor-authentication endpoint,
and then
axios.delete('/user/two-factor-authentication')

Expected would be that all 3 fields
two_factor_secret
two_factor_recovery_codes
two_factor_confirmed_at
would get nulled,
but only the first two are nulled.

PatrickCaneloDigital (author) commented

I just followed the Fortify code and saw that it depended on an entry in config/fortify.php.

I followed an implementation tutorial which recommended setting 'confirm' => false in config/fortify.php (and also confirmPassword):

Features::twoFactorAuthentication([
'confirm' => false,
'confirmPassword' => false,
// 'window' => 0,
]),

But apparently if that is false, the confirmed_at field remains untouched when 2FA is deactivated, and thus is not deleted (but it is set when the POST request to the /user/confirmed-two-factor-authentication endpoint is made).
This is actually quite confusing, as it may be set to false, but if the confirmed endpoint is called, it gets a date which is later never deleted.
May I ask how the setting in fortify.php is meant to work? I mean, 2FA always needs to be confirmed, doesn't it? And it is also inconsistent behaviour if the field can be set even though the config sets confirm to false, but then never gets deleted.
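An added illustration of the two behaviours described in this thread (this is not Fortify's own code and not from the issue author): a config-dependent clear that leaves two_factor_confirmed_at stale when 'confirm' is false, beside a clear that resets all three columns, plus a check a maintainer could use to verify that disabling 2FA leaves no stale confirmation timestamp. DemoUser, the function names and the sample values are hypothetical.

```php
<?php
// Minimal stand-in for the user model's three 2FA columns (constructed for this example).
final class DemoUser
{
    public ?string $two_factor_secret = null;
    public ?string $two_factor_recovery_codes = null;
    public ?string $two_factor_confirmed_at = null;
}

// Reconstruction of the behaviour reported above: the secret and recovery codes are
// always cleared, but confirmed_at is only cleared when the 'confirm' option is enabled.
function disableTwoFactorConfigDependent(DemoUser $user, bool $confirmEnabled): void
{
    $user->two_factor_secret = null;
    $user->two_factor_recovery_codes = null;
    if ($confirmEnabled) {
        $user->two_factor_confirmed_at = null;
    }
}

// The behaviour the reporter expects: disabling 2FA resets every 2FA column,
// regardless of the 'confirm' setting, so no stale "confirmed" state survives.
function disableTwoFactorComplete(DemoUser $user): void
{
    $user->two_factor_secret = null;
    $user->two_factor_recovery_codes = null;
    $user->two_factor_confirmed_at = null;
}

// Check: after disabling, nothing about the previous 2FA enrolment may remain.
function twoFactorIsFullyReset(DemoUser $user): bool
{
    return $user->two_factor_secret === null
        && $user->two_factor_recovery_codes === null
        && $user->two_factor_confirmed_at === null;
}

// Constructed state of a user who enabled 2FA and then called the confirm endpoint.
$user = new DemoUser();
$user->two_factor_secret = 'CONSTRUCTED-BASE32-SECRET';
$user->two_factor_recovery_codes = '["constructed-code-1","constructed-code-2"]';
$user->two_factor_confirmed_at = '2025-01-16 10:00:00';

// With 'confirm' => false, confirmed_at is left in place: the check fails.
disableTwoFactorConfigDependent($user, false);
var_dump(twoFactorIsFullyReset($user));

// Clearing all three columns makes the check pass.
disableTwoFactorComplete($user);
var_dump(twoFactorIsFullyReset($user));
```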
