
Is TwoFactorAuthenticatedSessionController missing PrepareAuthenticatedSession? #171

@LeoniePhiline

  • Fortify Version: 1.7.2
  • Laravel Version: 8.19
  • PHP Version: 7.4

Description:

Authentication with vs. without 2fa

When authenticating without the Features::twoFactorAuthentication() feature, AuthenticatedSessionController pipes $request through PrepareAuthenticatedSession. If 2fa is used, though, this step is skipped and we continue in TwoFactorAuthenticatedSessionController.
The latter still performs a $session->migrate(true) through $guard->login(...) (like AttemptToAuthenticate for non-2fa logins), but does not regenerate the CSRF token ($session->regenerate()), as PrepareAuthenticatedSession would for non-2fa logins. Neither is the limiter cleared after a successful 2fa login. These points made me wonder whether TwoFactorAuthenticatedSessionController was missing a continuation of AuthenticatedSessionController's login pipeline.

Missing login rate limiter increment at failed 2fa challenge

When failing to enter the correct 2fa code, LoginRateLimiter::increment() is not called - only if the initial password challenge fails. Doesn't this make brute-forcing the second factor possible?

Using existing user provider methods

On a side note, I noticed that RedirectIfTwoFactorAuthenticatable::validateCredentials() performs its own credentials check, whereas AttemptToAuthenticate::handle() uses the provider's retrieveByCredentials() method. It might make sense to use \Illuminate\Contracts\Auth\UserProvider::retrieveByCredentials() and \Illuminate\Contracts\Auth\UserProvider::validateCredentials() in RedirectIfTwoFactorAuthenticatable as well, instead of the current custom ad-hoc implementations, even if Fortify is meant to depend on Eloquent as the user provider.
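As an added illustration (not Fortify's own code and not the reporter's), here is a challenge handler that carries the non-2fa pipeline's steps through to the second factor: the lockout check before the code is tried, a limiter increment on a wrong code, and session regeneration plus limiter clear on success. It assumes Fortify 1.7's LoginRateLimiter, TwoFactorLoginRequest and the LockoutResponse, FailedTwoFactorLoginResponse and TwoFactorLoginResponse contracts with the methods used below.

```php
<?php
// Added example, not Fortify's own code. Assumes the Fortify 1.7 classes named
// in the use statements exist with the methods called here.

namespace App\Http\Controllers;

use Illuminate\Contracts\Auth\StatefulGuard;
use Laravel\Fortify\Contracts\FailedTwoFactorLoginResponse;
use Laravel\Fortify\Contracts\LockoutResponse;
use Laravel\Fortify\Contracts\TwoFactorLoginResponse;
use Laravel\Fortify\Http\Requests\TwoFactorLoginRequest;
use Laravel\Fortify\LoginRateLimiter;

class HardenedTwoFactorAuthenticatedSessionController
{
    /** @var StatefulGuard */
    protected $guard;

    /** @var LoginRateLimiter */
    protected $limiter;

    public function __construct(StatefulGuard $guard, LoginRateLimiter $limiter)
    {
        $this->guard = $guard;
        $this->limiter = $limiter;
    }

    public function store(TwoFactorLoginRequest $request)
    {
        // Same lockout gate the password step applies, so the second factor
        // draws from the same attempt budget instead of having none.
        if ($this->limiter->tooManyAttempts($request)) {
            return app(LockoutResponse::class);
        }

        $user = $request->challengedUser();

        if ($code = $request->validRecoveryCode()) {
            $user->replaceRecoveryCode($code);
        } elseif (! $request->hasValidCode()) {
            // The gap raised above: a wrong code counts as a failed attempt.
            $this->limiter->increment($request);

            return app(FailedTwoFactorLoginResponse::class);
        }

        $this->guard->login($user, $request->remember());

        // What PrepareAuthenticatedSession does for non-2fa logins: rotate the
        // session id and CSRF token, then reset the attempt counter.
        $request->session()->regenerate();
        $this->limiter->clear($request);

        return app(TwoFactorLoginResponse::class);
    }
}
```

Note that LoginRateLimiter derives its key from the login form's username field plus the client IP; the challenge request carries no username (the challenged user id lives in the session), so the bucket used here is effectively per IP.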
