Closed bskl closed 4 years ago
DarkGhostHunter
commented
4 years ago It will fail if the user is not an instance of 2FA. It also confirms the code instead of just validating it.
Instead, you could make a rule to just check if the code is valid. If the user is not 2FA, it should return false.
bskl
commented
4 years ago Ok, I'll make the changes soon.
DarkGhostHunter
commented
4 years ago The idea is to make the rule enforceable anywhere. The rule should be called totp_code, since its the name of the implementation.
It should only succeed if the string is, well, a string, the user is an instance of TwoFactorAuthenticatable and the code is correct.
public function __construct(Authenticatable $user = null)
{
$this->user = $user
}
public function passes()
{
if ($this->user instanceof TwoFactorAuthenticatable) {
// ... check if the code is a string and is correct.
}
return false;
}Of course this would bypass safe devices. You could use this validation rule to set manually the device as "safe" in any part of your code:
public function setSafeDevice(Request $request, Authenticatable $user)
{
$request->validate('required|totp_code');
$user->addSafeDevice($request);
session()->flash('message', "This device has been added as safe and the app won't ask for codes");
}I made some updates for translations.
DarkGhostHunter
commented
4 years ago Closing pending inactivity.
bskl
commented
4 years ago Hi, Was a different change necessary? I implemented it as you wrote in your last comment.
DarkGhostHunter
commented
4 years ago Sorry about the latter, I didn't hit F5 enough times.
I arranged your code and made the implementation on 2.0. You rock.
With custom validation rule we can easily to redirect form page when the pin code is invalid.