joelbutcher / socialstream

OAuth for Laravel, simplified.
https://docs.socialstream.dev
MIT License
428 stars, 64 forks

Bug where custom fortify pipeline is impossible with Socialstream #378

Closed miguilimzero closed 2 hours ago

miguilimzero commented 2 hours ago

Stack

Jetstream – Vue with Inertia

Package Version

v6.1.7

Laravel Version

v11.23.5

Livewire Version

No response

React Version

No response

Vue Version

No response

PHP Version

PHP 8.3.11

Problem description

The bug is happening because the RedirectIfTwoFactorAuthenticatable::class step from the Fortify pipeline will try to validate user credentials that it doesn't have, since the user is being authenticated by Socialstream.

Because that validation doesn't succeed, it throws a validation exception, but there is a Google redirect in the flash session, so in the end the user is redirected to the "my Google account" page.

This bug doesn't happen without a custom pipeline, because Socialstream has its own Fortify pipeline which uses a different RedirectIfTwoFactorAuthenticatable::class than the Fortify original one.

Expected behavior

To not get stuck on the two-factor authentication step.

Steps to reproduce

Just copying and pasting the example from the documentation into the FortifyServiceProvider makes the bug appear.

https://laravel.com/docs/11.x/fortify.

use Laravel\Fortify\Actions\AttemptToAuthenticate;
use Laravel\Fortify\Actions\CanonicalizeUsername;
use Laravel\Fortify\Actions\EnsureLoginIsNotThrottled;
use Laravel\Fortify\Actions\PrepareAuthenticatedSession;
use Laravel\Fortify\Actions\RedirectIfTwoFactorAuthenticatable;
use Laravel\Fortify\Features;
use Laravel\Fortify\Fortify;
use Illuminate\Http\Request;

// Custom login pipeline, copied from the Fortify documentation.
// Every step here is Fortify's own action class.
Fortify::authenticateThrough(function (Request $request) {
    return array_filter([
        config('fortify.limiters.login') ? null : EnsureLoginIsNotThrottled::class,
        config('fortify.lowercase_usernames') ? CanonicalizeUsername::class : null,
        Features::enabled(Features::twoFactorAuthentication()) ? RedirectIfTwoFactorAuthenticatable::class : null,
        AttemptToAuthenticate::class,
        PrepareAuthenticatedSession::class,
    ]);
});

  1. Create an account using Google Login (the account creation from a provider is fine).
  2. Log out from the account.
  3. Try to log in again.

Reproduction repository

Not needed.

Relevant log output

No response
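To make the failure chain in the report concrete, here is a stand-alone model of a Fortify-style login pipeline. It is an example added to this thread, not Fortify's or Socialstream's code: the three step classes reuse the Fortify action names from the report but their bodies are this example's simplification, and `LoginRequest`, `runPipeline`, `ValidationFailed` and the `redirect_after_error` session key are placeholders invented for the illustration. It shows the `handle($request, $next)` contract every step shares, why a credential-validating step aborts the chain when the request carries no password (the OAuth case), and how a redirect target left in the session is then consumed by the error path.

```php
<?php
// Stand-alone model of a Fortify-style login pipeline (example code, not the
// project's own). Step names match the Fortify actions named in the report;
// everything else here is a placeholder for illustration.

declare(strict_types=1);

final class ValidationFailed extends RuntimeException {}

// Minimal stand-in for an HTTP request plus its session.
final class LoginRequest
{
    public function __construct(
        public array $input = [],    // form fields, or empty for an OAuth callback
        public array $session = [],  // e.g. a redirect target flashed by the OAuth flow
    ) {}

    public function filled(string $key): bool
    {
        return isset($this->input[$key]) && $this->input[$key] !== '';
    }
}

// Each step has the same shape as a Fortify action: handle($request, $next).
final class EnsureLoginIsNotThrottled
{
    public function handle(LoginRequest $request, Closure $next)
    {
        return $next($request); // rate limiting omitted in this model
    }
}

final class RedirectIfTwoFactorAuthenticatable
{
    public function handle(LoginRequest $request, Closure $next)
    {
        // Fortify's step resolves the user from username/password before it can
        // decide about a 2FA challenge. With no password in the request that
        // lookup cannot succeed, so the step aborts with a validation error.
        if (! $request->filled('password')) {
            throw new ValidationFailed('auth.failed');
        }
        return $next($request);
    }
}

final class AttemptToAuthenticate
{
    public function handle(LoginRequest $request, Closure $next)
    {
        // Never reached for the OAuth request: the previous step already threw.
        $request->session['authenticated_as'] = $request->input['email'];
        return $next($request);
    }
}

// Composes the steps into one callable, like Laravel's Pipeline does,
// and returns the path the browser is finally sent to.
function runPipeline(LoginRequest $request, array $steps): string
{
    $chain = array_reduce(
        array_reverse($steps),
        fn (Closure $next, object $step) => fn (LoginRequest $r) => $step->handle($r, $next),
        fn (LoginRequest $r) => '/dashboard',
    );

    try {
        return $chain($request);
    } catch (ValidationFailed $e) {
        // The exception handler redirects "back". A stale redirect target left in
        // the session by the OAuth flow is what the browser then follows.
        return $request->session['redirect_after_error'] ?? '/login';
    }
}

$steps = [
    new EnsureLoginIsNotThrottled(),
    new RedirectIfTwoFactorAuthenticatable(),
    new AttemptToAuthenticate(),
];

// Constructed sample requests: a normal form login, and an OAuth-style login
// with no password but a provider redirect already sitting in the session.
$passwordLogin = new LoginRequest(['email' => 'user@example.com', 'password' => 'secret']);
$oauthLogin = new LoginRequest([], ['redirect_after_error' => 'https://accounts.google.com/']);

echo runPipeline($passwordLogin, $steps), PHP_EOL;
echo runPipeline($oauthLogin, $steps), PHP_EOL;
```

Run with `php pipeline.php`: the form login walks through all three steps and lands on the placeholder dashboard path, while the OAuth-style request stops at the two-factor step and is sent to the provider URL taken from the session. Swapping in a step that knows how to authenticate a provider-resolved user (which the report says Socialstream's own pipeline does) is what avoids the throw; the Fortify originals have no such path.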

github-actions[bot] commented 2 hours ago

Hey @miguilimzero! We're sorry to hear that you've hit this issue. 💙

However, it looks like you forgot to fill in the reproduction repository URL. Can you edit your original post and then we'll look at your issue?

We need a public GitHub repository which contains a Laravel app with the minimal amount of Socialstream code to reproduce the problem. Please do not link to your actual project, what we need instead is a minimal reproduction in a fresh project without any unnecessary code. This means it doesn't matter if your real project is private / confidential, since we want a link to a separate, isolated reproduction. That would allow us to download it and review your bug much easier, so it can be fixed quicker. Please make sure to include a database seeder with everything we need to set the app up quickly.

miguilimzero commented 2 hours ago

Even without two-factor authentication it will not work, because the custom pipeline will try to use AttemptToAuthenticate::class while Socialstream has a custom one.