Closed timhaakenson closed 5 years ago
Hello @timhaakenson,
This behavior is quite normal, but you can disable it by changing the config `byPassUserWithoutKey` to false
https://github.com/lahaxearnaud/laravel-u2f/blob/master/config/u2f.php#L19
This is the code that skips the protection for users without u2f protection:
https://github.com/lahaxearnaud/laravel-u2f/blob/master/src/http/Middleware/U2f.php#L54
Arnaud
I have found that the u2f protection is skipped if the device is not registered.
If I create a new user with a password and then log them into Laravel without first registering the u2f device, the route /admin/profile can be accessed without the u2f device. However, once the device is registered, /admin/profile is properly protected and u2f authentication is required.
Shouldn't a request to a u2f protected route redirect to the registration page if the user/device is not registered?
Thank you.
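
A configuration lint for the setting discussed in this thread, added here as an example (it is not part of the thread or of laravel-u2f). The sample file contents and the `U2F_BYPASS` name used in the test are constructed; only the key name `byPassUserWithoutKey` comes from the thread, and the check is textual rather than a real PHP parser.

```python
import re

# Constructed sample of a config/u2f.php file; only the key name is from the thread.
SAMPLE_FAIL_OPEN = """<?php
return [
    // 'byPassUserWithoutKey' => false,
    'byPassUserWithoutKey' => true,
];
"""
SAMPLE_FAIL_CLOSED = SAMPLE_FAIL_OPEN.replace("=> true", "=> false")

# Strip PHP comments first so a commented-out setting is never counted.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_SETTING = re.compile(r"""['"]byPassUserWithoutKey['"]\s*=>\s*([^,\n\]]+)""")


def bypass_setting(php_source):
    """Classify the setting as 'true', 'false', 'missing' or 'dynamic'."""
    code = _COMMENTS.sub("", php_source)
    values = _SETTING.findall(code)
    if not values:
        return "missing"
    # PHP keeps the last value when an array key is repeated.
    value = values[-1].strip().lower()
    return value if value in ("true", "false") else "dynamic"


def audit(php_source):
    """Return (ok, message); only an explicit literal false passes."""
    state = bypass_setting(php_source)
    messages = {
        "false": "ok: the skip for users without a registered key is disabled",
        "true": "fail open: users without a registered key skip the U2F check",
        "missing": "key not set in this file: check which default applies",
        "dynamic": "value is computed at runtime: verify it per environment",
    }
    return state == "false", messages[state]


if __name__ == "__main__":
    for name, src in (("fail-open sample", SAMPLE_FAIL_OPEN),
                      ("fail-closed sample", SAMPLE_FAIL_CLOSED)):
        ok, message = audit(src)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {message}")
```
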