Skip to content

Is TwoFactorAuthenticatedSessionController missing PrepareAuthenticatedSession? #171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
LeoniePhiline opened this issue Dec 21, 2020 · 6 comments
Closed

Is TwoFactorAuthenticatedSessionController missing PrepareAuthenticatedSession? #171

LeoniePhiline opened this issue Dec 21, 2020 · 6 comments
Assignees
@taylorotwell
Labels
bug

Comments

@LeoniePhiline
Copy link

  • Fortify Version: 1.7.2
  • Laravel Version: 8.19
  • PHP Version: 7.4

Description:

Authentication with vs. without 2fa

When authenticating without the Features::twoFactorAuthentication() feature then AuthenticatedSessionController pipes $request through PrepareAuthenticatedSession. If 2fa is used, though, then this step is skipped and we continue in TwoFactorAuthenticatedSessionController.
The latter still performs a $session->migrate(true) through $guard->login(...) (like AttemptToAuthenticate for non-2fa logins), but does not regenerate the CSRF token ($session->regenerate()), like PrepareAuthenticatedSession would perform for non-2fa logins. Neither is the limiter cleared after successful 2fa login. These points made me wonder if TwoFactorAuthenticatedSessionController was missing a continuation of AuthenticatedSessionController's login pipeline.

Missing login rate limiter increment at failed 2fa challenge

When failing to enter the correct 2fa code, LoginRateLimiter::increment() is not called - only if the initial password challenge fails. Doesn't this make brute-forcing the second factor possible?

Using existing user provider methods

On a side note, I noticed that RedirectIfTwoFactorAuthenticatable::validateCredentials() performs its own credentials check, where AttemptToAuthenticate::handle() uses the provider's retrieveByCredentials() method. It might make sense to use \Illuminate\Contracts\Auth\UserProvider::retrieveByCredentials() and \Illuminate\Contracts\Auth\UserProvider::validateCredentials() in RedirectIfTwoFactorAuthenticatable as well, instead of the current custom ad-hoc implementations, even if Fortify is meant to depend on Eloquent as users provider.
@driesvints
Copy link
Member

Thanks for the clear issue. I'll let Taylor check in on these.

This was referenced Dec 29, 2020
Closed
Closed
@driesvints driesvints mentioned this issue Dec 29, 2020
Merged
@driesvints
Copy link
Member

driesvints commented Dec 29, 2020
edited
Loading

@LeoniePhiline I think I got all of them. Taylor is going to review the PRs I made. Thanks for reporting 👍

@driesvints
Copy link
Member

I'm going to close this now that we merged the main PR for this.

@andreasnij
Copy link

@driesvints The rate limiter still doesn't seem to be cleared after two factor login. This line is missing from the two factor login flow:
https://github.com/laravel/fortify/blob/master/src/Actions/PrepareAuthenticatedSession.php#L38

@driesvints
Copy link
Member

@jandreasn can you send in a PR?

@andreasnij
Copy link

andreasnij commented Dec 23, 2021
edited
Loading

@driesvints I was planning to but after looking into it a bit more I'm not sure what the best solution is. Clearing just the LoginRateLimiter is easy but there's another separate two factor limiter now too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@taylorotwell taylorotwell

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@taylorotwell @driesvints @andreasnij @LeoniePhiline