nzmattman's avatar

Can we hook into Nova 5's authentication process?

Hi team.

I am writing an app that uses Laravel 12 and Nova 5.

The requirements are to use 2FA, which I thought, sweet, I can use Nova's 2FA, but nope, we need to email the 2FA code, not use an auth app (client doesn't want the app mode).

I have all the code set up and working for it, which is great, but I want to hook into the authentication process so I can send the code on login and update the DB with all the correct things.

At the moment I do have it doing it, but it is not quite right.

We have 2 screens:

  1. If we haven't sent you a 2FA code, then we show a message saying you need a code to move forward, click here to send one (required)
  2. If we have sent you a code, show the verify screen (verify)

What I am doing.

NovaServiceProvider

    protected function routes(): void
    {
        Nova::routes()
            ->withAuthenticationRoutes()
            ->withPasswordResetRoutes()
            ->withoutEmailVerificationRoutes()
            ->register();

        Nova::serving(function (ServingNova $nova) {
            $app = $nova->app;
            $app->scoped(LoginResponseContract::class, LoginResponse::class);
        });
    }

I've hooked into the serving method to override the login response. I have done it here so it fires after the Fortify version. In the login response I redirect the user to the 2FA verify screen.

I also have an event listener which handles the resetting of the code and sending the email notification. The problem here is that it is running in a job, so by the time the login redirects to the 2FA screen, the code isn't set yet and we get the required message.

What I want to be able to do is somehow hook into the authentication process so that once the logged-in user is confirmed, then reset and send the 2FA code (not in an event), then redirect to the verify screen.

Does anyone know how to handle that?

0 likes
3 replies
LaryAI's avatar

Certainly! To hook into Nova 5's authentication process and control the 2FA flow (especially for custom email-based 2FA), you’ll want to intercept the login process right after authentication, but before the user is redirected. Overriding the login response is the right approach, but you need to ensure your 2FA code is generated and sent synchronously, not via a queued job, so that the code is available immediately.

Here’s a step-by-step solution:

1. Create a Custom Login Response

Implement your own LoginResponse that will:

  • Generate and store the 2FA code for the user.
  • Send the code via email (synchronously).
  • Redirect to your custom 2FA verification screen.

Example:

2. Bind Your Custom Login Response in NovaServiceProvider

You’re already doing this, but make sure it’s in the right place:

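    use App\Http\Responses\LoginResponse;
    use Laravel\Fortify\Contracts\LoginResponse as LoginResponseContract;
    use Laravel\Nova\Events\ServingNova;
    use Laravel\Nova\Nova;

    public function boot()
    {
        parent::boot(); // keep the parent provider's own boot logic

        // Rebind Fortify's login response while Nova is serving the request
        Nova::serving(function (ServingNova $event) {
            app()->scoped(LoginResponseContract::class, LoginResponse::class);
        });
    }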

3. Ensure Email/Notification is Synchronous

If you’re using Laravel Notifications or Mail, do not implement the ShouldQueue interface on your notification/mail class. This ensures the email is sent immediately and the code is available when the user is redirected.

Example Notification:

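    use Illuminate\Notifications\Messages\MailMessage;
    use Illuminate\Notifications\Notification;

    // No ShouldQueue here, so the mail is sent during the login request
    class TwoFactorCodeNotification extends Notification
    {
        // Deliver over the mail channel only
        public function via($notifiable)
        {
            return ['mail'];
        }

        // Build the message carrying the code stored on the user
        public function toMail($notifiable)
        {
            return (new MailMessage)
                ->subject('Your 2FA Code')
                ->line('Your 2FA code is: ' . $notifiable->two_factor_code);
        }
    }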

4. Custom 2FA Verification Screen

Set up a route and a controller for your custom 2FA verification screen (e.g., /nova/2fa/verify). This is where you’ll prompt the user to enter the code.

5. Optional: Custom Middleware

If you want to ensure users can’t access Nova until they’ve passed 2FA, you can add a custom middleware to Nova’s routes that checks for a valid, verified 2FA session.


Summary:
By overriding the login response and sending the 2FA code synchronously, you guarantee the code is set and sent before the user is redirected to the verification screen. Avoid using queued jobs for this step.

Let me know if you need code for the 2FA verification logic or middleware as well!
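
An added example, not part of the original thread and not Nova or Fortify code: the issue/verify logic behind steps 1 to 4 above, in plain PHP so it runs without a framework. The class `EmailTwoFactor`, the array keys, the 10-minute lifetime, the attempt limit and the choice to store only an HMAC of the code are assumptions of this example.

```php
<?php declare(strict_types=1);
// Hypothetical helper: class name, array keys, TTL and attempt limit are assumptions.
final class EmailTwoFactor
{
    private const TTL = 600;        // code lifetime in seconds
    private const MAX_ATTEMPTS = 5; // guesses allowed per issued code
    public function __construct(private string $key, private \Closure $sendMail) {}

    // Run inline after the password check, before redirecting to the verify screen.
    public function issue(array &$user, int $now): void
    {
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $user['2fa_hash'] = hash_hmac('sha256', $code, $this->key); // keyed hash only
        $user['2fa_expires'] = $now + self::TTL;
        $user['2fa_attempts'] = 0;
        ($this->sendMail)($user['email'], $code); // synchronous: state is set before redirect
    }

    // The two screens from the question: "required" (no live code) or "verify".
    public function screenFor(array $user, int $now): string
    {
        return (isset($user['2fa_hash']) && $user['2fa_expires'] > $now) ? 'verify' : 'required';
    }

    public function verify(array &$user, string $input, int $now): bool
    {
        if ($this->screenFor($user, $now) !== 'verify') {
            return false; // nothing issued, or the code has expired
        }
        if (++$user['2fa_attempts'] > self::MAX_ATTEMPTS) {
            unset($user['2fa_hash']); // burn the code after too many guesses
            return false;
        }
        $ok = hash_equals($user['2fa_hash'], hash_hmac('sha256', $input, $this->key));
        if ($ok) {
            unset($user['2fa_hash']); // single use
        }
        return $ok;
    }
}

// Constructed demo: an array stands in for the user row, a closure for the mailer.
$outbox = [];
$mail = function (string $to, string $code) use (&$outbox): void { $outbox[] = $code; };
$tf = new EmailTwoFactor(random_bytes(32), $mail);
$user = ['email' => 'admin@example.test'];
$now = time();
$before = $tf->screenFor($user, $now);
$tf->issue($user, $now);
var_dump($before, $tf->screenFor($user, $now), $tf->verify($user, $outbox[0], $now), $tf->verify($user, $outbox[0], $now));
```

In a Laravel app the array would be the user model and the closure a non-queued notification, with `issue()` called at the point in the login flow where the authenticated user is available.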

nzmattman's avatar

I have tried that, but user is null at this point.

nzmattman's avatar

Does anyone other than LaryAI have a solution for this?
