laravel / fortify

Backend controllers and scaffolding for Laravel authentication.
https://laravel.com/docs/fortify
MIT License

Spaces in 2FA codes #196

Closed oberrich closed 3 years ago

oberrich commented 3 years ago

Google Authenticator formats 2FA codes as 000 000, which leads some users to enter 2FA codes with a space as well, in which case their login will be rejected. In my opinion it's reasonable to expect 2FA codes to get stripped of whitespace.

I have implemented this in my app by changing https://github.com/laravel/fortify/blob/2ca0c06bf7385d26730cfc3783865a9c06a51f63/src/Http/Requests/TwoFactorLoginRequest.php#L55-L60 to

    public function hasValidCode()
    {
        if (! $this->code) {
            return false;
        }

        $code = str_replace(' ', '', $this->code);

        return app(TwoFactorAuthenticationProvider::class)->verify(
            decrypt($this->challengedUser()->two_factor_secret), $code
        );
    }

driesvints commented 3 years ago

I've tried both Twitter and GitHub, which enforce input validation to provide a properly formatted 2FA code (without spaces). This should therefore be enforced in userland, not in Fortify.
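
The normalization discussed in this thread, written as a userland helper that runs before the code is handed to Fortify. This is an added example, not code from the issue or from Fortify; `normalizeTotpCode` is a hypothetical name, and the 6-digit length is an assumption based on the `000 000` format mentioned above (requires PHP 8.0+ for the `mixed` type).

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical userland helper (not part of Fortify).
 * Removes the whitespace users copy from an authenticator app's "000 000"
 * grouping, then accepts only exactly $digits ASCII digits.
 * Returns null for anything else so the caller can reject the request early.
 */
function normalizeTotpCode(mixed $input, int $digits = 6): ?string
{
    // Request fields can arrive as arrays (code[]=...); only strings are valid.
    if (! is_string($input)) {
        return null;
    }

    // Bound the size of untrusted input before any regex work.
    if (strlen($input) > 64) {
        return null;
    }

    // Strip an explicit set of whitespace: space, tab, CR, LF, plus the
    // non-breaking spaces (U+00A0, U+202F) that copy/paste can introduce.
    $stripped = preg_replace('/[ \t\r\n\x{00A0}\x{202F}]+/u', '', $input);
    if ($stripped === null) {
        return null; // preg_replace failed, e.g. on invalid UTF-8
    }

    // [0-9] rather than \d so that only ASCII digits are accepted.
    $pattern = '/\A[0-9]{' . $digits . '}\z/';

    return preg_match($pattern, $stripped) === 1 ? $stripped : null;
}

// Constructed sample inputs, not taken from the issue.
$samples = ['123 456', " 123456\n", '123456', '12345', '123 45a', ['123456']];

foreach ($samples as $sample) {
    var_export(normalizeTotpCode($sample));
    echo PHP_EOL;
}
```

Only the separator whitespace is removed; anything that is not exactly the expected number of digits afterwards is rejected rather than cleaned up further, so the verifier never sees free-form input.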