Level 80
@cookiemonster Why not just use a package like Fortify or Jetstream that has this functionality already built for you?
Aug 25, 2023
3
Level 6
Google authenticator after login?
I want to add google authenticator TOTP in my laravel app. I am using this package pragmarx/google2fa-laravel
Link to package: https://github.com/antonioribeiro/google2fa-laravel
I was wondering do I need to store the secret key in users table google2fa_secret column after initial login (email and password) or only store in the database after user has successful verify the OTP?
I assume if I store the secret as a session and not in the users table then user can easily bypass the otp verification by changing the url ?
And what happens if user logout and login again, do they need to enter OTP again?
Login method:
.....
if ($userInfo["login_attempt"] < 5 || $allowLogin == true) {
if ($this->attemptLogin($request)) {
if ($request->hasSession()) {
$request->session()->put('auth.password_confirmed_at', time());
}
$userInfo->update(array("login_attempt" => 0, "unlock_login_attempt"=> null, "status" => 1));
if (!$userInfo->google2fa_secret) {
$google2fa = app('pragmarx.google2fa');
$google2fa_secret = $google2fa->generateSecretKey();
$qrCodeUrl = $google2fa->getQRCodeInline(
"app name",
$userInfo->email,
$google2fa_secret
);
$userInfo->update([
'google2fa_secret' => $google2fa_secret
]);
session()->put('qrCodeUrl', $qrCodeUrl); // Store $test in the session
return redirect()->route('admin.2fa');
}
return $this->sendLoginResponse($request);
}
Blade file :
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>2FA Verification</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
</head>
<body>
<div class="container mt-5">
<div class="row justify-content-center">
<div class="col-md-6">
<div class="card">
<div class="card-header">2FA Verification</div>
<div class="card-body">
<form method="POST" action="">
@csrf
<div class="form-group">
<label for="one_time_password">Enter 6-digit OTP from your Authenticator App</label>
<input id="one_time_password" type="text" class="form-control @error('one_time_password') is-invalid @enderror" name="one_time_password" required autofocus>
@error('one_time_password')
<span class="invalid-feedback" role="alert">
<strong>{{ $message }}</strong>
</span>
@enderror
</div>
<div class="form-group">
<button type="submit" class="btn btn-primary">
Verify OTP
</button>
</div>
</form>
</div>
</div>
<!-- Add the QR code below the form -->
<div class="mt-4 text-center">
<p>Scan this QR code with your authenticator app:</p>
{!! session('qrCodeUrl') !!}
</div>
</div>
</div>
</div>
</body>
</html>
What is the proper flow to implement it?
Level 6
@martinbean I see. I am currently using this package for the authentication: https://github.com/jeroennoten/Laravel-AdminLTE
in my existing system. If I were to install fortify to use the 2FA built in functionality, would it be a hassle? Any complication that I should be aware?
Level 80
@CookieMonster https://github.com/jeroennoten/Laravel-AdminLTE/wiki/Installation:
Important: The authentication scaffolding offers features like login, logout and registration. It is a recommendation to always read the Laravel Authentication Documentation for details about the authentication scaffolding. Note that Laravel offers some starter kits (like Laravel-Breeze) besides the legacy laravel/ui package. So, using the authentication views from this package is OPTIONALLY and UP TO YOU.
Please or to participate in this conversation.