antonioribeiro / google2fa-laravel

A One Time Password Authentication package, compatible with Google Authenticator for Laravel
MIT License
928 stars, 180 forks

Old-Timestamp saved in session instead of database? #107

Open frknakk opened 4 years ago

frknakk commented 4 years ago

https://github.com/antonioribeiro/google2fa-laravel/blob/master/src/Google2FA.php#L140

Shouldn't the old timestamp be stored in the database rather than in the session for security reasons?

willpower232 commented 1 year ago

For anyone else stumbling upon this in the future, it is supported by the underlying google2fa package but not implemented in this package.

You would currently need to write your own middleware referencing the middleware here but using verifyKeyNewer somewhere in the chain as documented here https://github.com/antonioribeiro/google2fa#validation-window

willpower232 commented 1 year ago

It turns out you can resolve this yourself by using the Laravel service container.

AppServiceProvider

// Swap the package's Authenticator for a subclass whenever it is resolved
// from the container (the package middleware resolves it this way).
$this->app->bind(\PragmaRX\Google2FALaravel\Support\Authenticator::class, function ($app) {
    return new \App\Services\TwoFactorAuthService(request());
});

TwoFactorAuthService

<?php

namespace App\Services;

use PragmaRX\Google2FALaravel\Support\Authenticator;

// Overrides the two session-backed hooks so the last accepted OTP timestamp
// is kept on the authenticated user's record instead of in the session.
// Assumes a nullable `google2fa_timestamp` column on the users table and
// that the middleware only runs for an authenticated user.
class TwoFactorAuthService extends Authenticator
{
    /**
     * Store the old OTP timestamp.
     *
     * @param $key
     *
     * @return mixed
     */
    protected function storeOldTimestamp($key)
    {
        // verifyKeyNewer() returns the matched timestamp, or false on failure.
        if ($key !== false) {
            $user = auth()->user();
            $user->google2fa_timestamp = $key;
            $user->save();
        }

        return $key;
    }

    /**
     * Get the previous OTP timestamp.
     *
     * @return null|mixed
     */
    protected function getOldTimestamp()
    {
        return auth()->user()->google2fa_timestamp;
    }
}
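To see why the thread wants the timestamp on the user record rather than in the session, here is an added, self-contained example (not code from google2fa-laravel or from either commenter). It implements a minimal RFC 6238 TOTP, a check in the style of google2fa's verifyKeyNewer(), and two hypothetical stores for the last accepted timestamp: one keyed by session id (what the package does today) and one keyed by user id (what the override above does). The TimestampStore interface, the attemptLogin() helper, the fixed demo secret and the session/user ids are all constructed for the demonstration.

```php
<?php
// Added example, not part of google2fa-laravel: shows OTP replay across
// sessions with a per-session "old timestamp" store versus a per-user store.
declare(strict_types=1);

const PERIOD = 30; // seconds per TOTP counter slot
const WINDOW = 1;  // accept current slot +/- 1, mirroring a small validation window

// RFC 6238 TOTP for one counter value, using a raw binary secret (no base32).
function totp(string $secret, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true); // 8-byte big-endian counter
    $offset = ord($hash[19]) & 0x0f;                                // dynamic truncation
    $bin = ((ord($hash[$offset]) & 0x7f) << 24)
        | (ord($hash[$offset + 1]) << 16)
        | (ord($hash[$offset + 2]) << 8)
        | ord($hash[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// In the style of google2fa's verifyKeyNewer(): returns the counter that matched,
// or false. Counters at or below $oldTimestamp are never accepted a second time.
function verifyKeyNewer(string $secret, string $key, ?int $oldTimestamp, int $now): int|false
{
    for ($ts = $now - WINDOW; $ts <= $now + WINDOW; $ts++) {
        if ($oldTimestamp !== null && $ts <= $oldTimestamp) {
            continue; // already consumed, reject even if the digits match
        }
        if (hash_equals(totp($secret, $ts), $key)) {
            return $ts;
        }
    }
    return false;
}

// Hypothetical store abstraction for the demo; both implementations are constructed.
interface TimestampStore
{
    public function get(string $sessionId, int $userId): ?int;
    public function put(string $sessionId, int $userId, int $ts): void;
}

// Keyed by session: each new session starts with no history of used codes.
final class SessionStore implements TimestampStore
{
    private array $bySession = [];
    public function get(string $sessionId, int $userId): ?int { return $this->bySession[$sessionId] ?? null; }
    public function put(string $sessionId, int $userId, int $ts): void { $this->bySession[$sessionId] = $ts; }
}

// Keyed by user: a code consumed in any session is consumed for the account.
final class UserStore implements TimestampStore
{
    private array $byUser = [];
    public function get(string $sessionId, int $userId): ?int { return $this->byUser[$userId] ?? null; }
    public function put(string $sessionId, int $userId, int $ts): void { $this->byUser[$userId] = $ts; }
}

// One OTP submission: verify against the stored timestamp, then record the new one.
function attemptLogin(TimestampStore $store, string $secret, string $sessionId, int $userId, string $code, int $now): bool
{
    $ts = verifyKeyNewer($secret, $code, $store->get($sessionId, $userId), $now);
    if ($ts === false) {
        return false;
    }
    $store->put($sessionId, $userId, $ts);
    return true;
}

// Constructed scenario: user 42 enters a valid code; the same code is then
// submitted again from a different session within the same time slot.
$secret = 'constructed-demo-secret-do-not-use'; // demo value only
$now = intdiv(time(), PERIOD);
$code = totp($secret, $now);

foreach (['session store' => new SessionStore(), 'user store' => new UserStore()] as $name => $store) {
    $first  = attemptLogin($store, $secret, 'victim-session', 42, $code, $now);
    $replay = attemptLogin($store, $secret, 'attacker-session', 42, $code, $now);
    printf(
        "%-13s first use: %s, replay from another session: %s\n",
        $name,
        $first ? 'accepted' : 'rejected',
        $replay ? 'ACCEPTED (replay)' : 'rejected'
    );
}
```

With the session-keyed store the second submission succeeds, because the attacker's session has no record of the code already being used; with the user-keyed store it is rejected, because the stored timestamp belongs to the account rather than to the session that happened to submit it. The same reasoning applies to the real package: verifyKeyNewer() can only refuse a reused code if getOldTimestamp() returns a value that is shared by every session of that user.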