darkghosthunter / laraguard Goto Github PK

The current table does not accommodate a User table using uuids as the primary key.

I suggest making the migration publishable so the consumer can make this adjustment. Also, being able to change the timestamp in the migration name would give greater control over when it is run.

I'll fork and submit the PR shortly.

I currently want to implement the 2FA into a project. Everything works fine except for the logging in part (https://github.com/DarkGhostHunter/Laraguard#logging-in). I added the example code in the login controller but get the following error: https://github.com/DarkGhostHunter/Laraguard#logging-in.

This is the full code of the controller:

<?php

namespace Slim\Controllers\Backend\Auth;

use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Slim\Controllers\Backend\BackendController;
use Slim\Models\User\Backend;
use DarkGhostHunter\Laraguard\Laraguard;
use Illuminate\Support\Facades\Auth;

class LoginController extends BackendController
{

    //
   
    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        if ($this->attemptLogin($request)) {

            $credentials = $request->only('email', 'password');

            if (Auth::attemptWhen($credentials, Laraguard::hasCode(), $request->filled('remember'))) {
                return $this->sendLoginResponse($request);
            }
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
}

Also when I check the folder in the vendor directory I can't find the class Laraguard. Am I missing something?

• Laravel Version: 6.14.0
• PHP Version: 7.3
• Database Driver & Version: MySQL 5.7.27

When running included migration I get the following error:

SQLSTATE[42000]: Syntax error or access violation: 
1059 Identifier name 'two_factor_authentications_authenticatable_type_authenticatable_id_index' is too long 
(SQL: alter table `two_factor_authentications` add index `two_factor_authentications_authenticatable_type_authenticatable_id_index`(`authenticatable_type`, `authenticatable_id`))

A shorter index name here should fix this I guess?

Is the package usable for rest api backend?

Hello,
I've just detected a bug when we use recovery code in login instead of TOTP, the reason is the rule validation here :

 protected function requestHasCode(): bool
    {
        return !validator($this->request->only($this->input), [
            $this->input => 'required|numeric',
        ])->fails();
    }

You need to remove 'numeric' to get true for recovery code.
Regards

The migration uses JSON field types which are not supported by MySQL 5.6.

Changing the fields to TEXT appears to work fine, but there is no way to publish the migration file to persist this change in our application.

Laravel 7.12

Exception
Serialization of 'Closure' is not allowed

error appear when Laraguard package is installed. It appears on successfull request login and only on no 2fa user accounts

Dear

Upgrading v2 to v4 results in the login process skipping checks for users that have enabled 2FA. To simplify things I installed a clean Laravel v8.62 / PHP v8.0.11 to test it from scratch and the check / validation is not being executed.

'How it works' says no extra code is needed.
https://github.com/DarkGhostHunter/Laraguard#how-this-works

It includes a custom view and a callback to handle the Two-Factor authentication itself during login attempts.
Works without middleware or new guards, but you can go full manual if you want.

Contract & trait are added to my User model
https://github.com/DarkGhostHunter/Laraguard#usage

Login part mentions overriding Login in LoginController. Is this needed for v4 please?
https://github.com/DarkGhostHunter/Laraguard#logging-in

This forces everyone to use 2FA during login

To login, the user must issue a TOTP code along their credentials. Simply use attemptWhen() with Laraguard, which will automatically do the checks for you. By default, it checks for the 2fa_code input name, but you can issue your own.

FYI: In Laravel 8 the default User model is located in App\Models and the readme still references to namespace App

Hi.

Is it possible to set custom dynamic otp label name?

Hi, i just added your package to my Laravel 7 installation on PHP 7.4. I added the Contract and Trait to my User model, ran the migration and published the config without any changes.

I was able to sucessfully generate and confirm my 2FA code and $user->hasTwoFactorEnabled() returns true.

But when i log out and try logging back in again, i'm logged in without any request for a 2fa code! I can log in using the password only.

What have i missed?

i have login page in livewire component when attempt username and password, it shown like follow
https://www.loom.com/share/2c6bf95d7b1f4934823e7f6649520e55
my question how i can redirect to auth view manually or fired event to call check auth code view

Storing the credentials in a hidden field feels like a security issue. Basically, it happens here:

https://github.com/DarkGhostHunter/Laraguard/blob/master/src/Listeners/EnforceTwoFactorAuth.php#L112

The way the package is setup (implementing listeners, non evasive) doesn't really allow for a different way I think. I like the non invasiveness, but aren't there options to avoid the hidden fields, or at least limit security issues?

For example:

• at least set a no-store cache control in the response header, so browser does not cache.
• is there a way to encrypt the credentials, than decrypt later, filling the request object with the decrypted credentials?
• is there a way to maybe first check credentials, than mark as success, use a token for the 2fa check? (Probably not with the listeners used...)
• use sessions? Although storing credentials in sessions is also a security risk, but maybe again use encrypted credentials?

Is this package compatible with the user model id being a uuid? I'm not sure if I can just change the migration without breaking anything inside the package.

My idea was to change / replace the line

$table->morphs('authenticatable', '2fa_auth_type_auth_id_index');

with this:

$table->string('authenticatable_type');
$table->uuid('authenticatable_id');

Would that work, of break any logic inside the package itself?

Laraguard version: 2.0.2
Laravel version: 6.18.31
PostgreSQL version: 12.3
PHP version: 7.4.7

Having set up laraguard as described in the README, an exception is thrown when calling the route associated with prepareTwoFactor().

A stacktrace is attached: 2020-07-31 11-22-00 stacktrace.txt

The relevant part is where Illuminate will throw an exception with the following message:

SQLSTATE[22021]: Character not in repertoire: 7 ERROR:  invalid byte sequence for encoding "UTF8": 0x9f (SQL: update "two_factor_authentications" set "shared_secret" = X[S�
���	���"|>�}��, "updated_at" = 2020-07-31 09:03:05 where "id" = 1)

The characters following "0x" and the actual byte sequence will vary from request to request because the shared secret will be generated anew.

On PostgreSQL, the column type for "shared_secret" is "bytea". It seems that laraguard does not handle encoding the value for the database correctly.

The PostgreSQL server's encoding as indicated by "show server_encoding;" is "UTF8". The charset for the DB driver in config/database.php is "utf8".

Hi.
When i do all like installation guide in readme. I got an error:

Facade\Ignition\Exceptions\ViewException Undefined variable: url (View: /var/www/html/beta9/resources/views/vendor/laraguard/notice.blade.php) http://domain.com/2fa-required Hide solutions $url is undefined Make the variable optional in the blade template. Replace {{ $url }} with {{ $url ?? '' }}

Any ideas?

Thanks

Hello,

Are you planning to extend the totp_code rule [ TotpCodeRule ] with an anti brute-force check please?

The Confirm controller has no checks. This could be a potential security risk.

Is there any way to supply an application logo when using the QR code? For some strange reason it says "SIPPEL" for my app and I don't even know what that is. o_O

This is with Authy after I scan the QR code:

Documentation says you can change the migration file by running this command.

php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider" --tag="migrations"

But then you cannot run 'php artisan migrate' anymore.

php artisan migrate

   Symfony\Component\ErrorHandler\Error\FatalError 

  Cannot declare class CreateTwoFactorAuthenticationsTable, because the name is already in use

  at \database\migrations\2020_07_16_162410_create_two_factor_authentications_table.php:42
    38|     public function down()
    39|     {
    40|         Schema::dropIfExists('two_factor_authentications');
    41|     }
  > 42| }
    43|


   Whoops\Exception\ErrorException 

  Cannot declare class CreateTwoFactorAuthenticationsTable, because the name is already in use

  at \database\migrations\2020_07_16_162410_create_two_factor_authentications_table.php:42
    38|     public function down()
    39|     {
    40|         Schema::dropIfExists('two_factor_authentications');
    41|     }
  > 42| }
    43|

  1   \vendor\filp\whoops\src\Whoops\Run.php:408
      Whoops\Run::handleError("Cannot declare class CreateTwoFactorAuthenticationsTable, because the name is already in use", "\database\migrations\2020_07_16_162410_create_two_factor_authentications_table.php")

  2   [internal]:0
      Whoops\Run::handleShutdown()

Delete the created file and then you can run migrate.

The RFC for TOTP recommends encrypting the shared secret when storing it. I feel that is an important option to have on this package.

I had previously implemented this for my own use of the package using accessors/mutators, but with Laravel 8 we can take advantage of the encrypted attribute cast type. I've made a proof of concept doing this.

There are some considerations:

1. In order to maintain backward-compatibility with existing uses of the package, I dynamically adjust the $casts property based on the laraguard.encrypted config value. The default value is false. This makes the change completely invisible to existing uses.
2. Additionally, to maintain compatibility with the current table schema, I continue to use an accessor/mutator for the recovery codes so they are able to be stored as json. If we modify the column to text we can use the cast type for them as well.
3. With the current table schema the maximum secret length that can be stored encrypted is 25. If we change the column back to text we can support longer encrypted secret lengths.

I'm interested in hearing your thoughts on this and how you would want to handle backward-compatibility

Hello,
Thanks for this great package,
I'm little confused on how to use this package on login page, as I know, once the user types the correct email/password, he should be redirected to a modal or page to enter the 2fa code.
But what I saw in the docs, it seems I need to set an input 2fa_code inside login form.
Am I correct ? How could I ask the user to enter the 2fa_code just after a success login ?

Regards.

I've setup 2FA for a login system I'm using, and it works great when logging in through email address, however it fails when we attempt username based login instead.

to allow the users to login through both email/user
we override LoginController ::credentials as follows

LoginController:credentials(Request)
{
        $field = filter_var($request->get($this->username()), FILTER_VALIDATE_EMAIL)
            ? $this->username()
            : 'username';
        return [
            $field => $request->get($this->username()),
            'password' => $request->password,
        ];
}

because of this, saveCredentials saves field username which results in fail login attempt after entering the 2fa code, The email field is required.

I'm not sure what's the best way around to fixing this, Im currently overriding the view and changing the field name username to email, as a workaround.

Hello,
I'm trying to implement laraguard but i'm encountered some issues.
I'm on "Enabling Two Factor Authentication" step
qr code is showing - google auth app generate a code when i scan but it's always false^^
Have ou got an idea why ?
i have installed ntp in my server but no success - Timezone with laravel app are same as server.........
I don't understand where is the problem.

Ok. Issue Solved. Work very well.

Hi,

Can we use Laraguard with Laravel Breeze? Seems that the documentation is for Laravel UI only.

Thanks and best regards

laravel version: 7.12

Facade\Ignition\Exceptions\ViewException
Invalid argument supplied for foreach() (View: /resources/views/vendor/laraguard/auth.blade.php)

@foreach($credentials as $name => $value)

            <input type="hidden" name="{{ $name }}" value="{{ $value }}">

  @endforeach

This error appears when 2fa is activated on a successfull login request at the 2fa step

$credentials is empty.

First and foremost, I would like to thank you for creating such a nice project. I want to implement this in an app but stumbled accross the following piece in the TOTP RFC:

Note that a prover may send the same OTP inside a given time-step
window multiple times to a verifier. The verifier MUST NOT accept
the second attempt of the OTP after the successful validation has
been issued for the first OTP, which ensures one-time only use of an
OTP.

Maybe it is feasible to cache the usage of a token and only allow the first submission to pass through?

firstly thank you for Laraguard it is a great work.
sometimes need admin users control other users guard like update recovery codes or disable tow factor recovery from specific user, is there any plan to do something like this?, i can help in this upgrade work, thank you

I've started implementing this into my application, running locally on devilbox.

I was able to create the tokens, but it seems when i login and get to entering the code it causes the application to hang, redis server to die and then eventually end up with a 502.

It appears even changing the cache to file, I can see the file gets written, but even so redis crashes and it's restarted I'm logged in.

Is there something I may be falling foul of causing a timeout after verifying the code?

I'm not seeing this behaviour in other aspects of the app, and seems to be specific to laraguard.

Hi,
You may add this scope to get only available codes, something like this :

 public function getAvailableCodes(): Collection
    {
        return $this->twoFactorAuth->recovery_codes->whereNull('used_at') ?? collect();
    }

Thanks

When I run:

php artisan vendor:publish --provider=DarkGhostHunter\Laraguard\LaraguardServiceProvider

I had to add double quotes:

php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider"

Thanks!

Hi! This looks like such a nice library.
I'm wondering if can be integrated with Laravel Passport or any OAuth2 server implementation.
I'm working with Vue Js as a front-end and Laravel as a Rest API service. It would be great to have this working on my projects.

Thanks!

Currently, the safe devices option is activated in the config. So it is activated globally.

Let's assume I am on a public computer. When I login successfully, the device is marked as safe device, while it is not.

Currently there is no option for a user loging in to manually mark a computer as safe:
https://github.com/DarkGhostHunter/Laraguard/blob/master/src/Listeners/EnforceTwoFactorAuth.php#L87

What if we add something like:

if (request()->input('is_safe', false)) {
   // Safe device
}

(Maybe there is a way to code it without being a breaking change)

Congrats on a great plugin!

I have started to get the error:

RangeException
Base32::doDecode() only expects characters in the correct base32 alphabet

after entering the 2FA code and clicking the confirm code button.

Has been working fine, so no idea why its suddenly stopped working

Hey,

First off: thanks for this great package.
Secondly: Do you plan on releasing a Laravel 8 compatible version any time soon?

Regards

Installed as per instructions, getting the following error:

Error
Class name must be a valid object or a string

    $secret = $User->createTwoFactorAuth();

App/User.php

// 3rd Party Components

use \Spatie\Tags\HasTags;
use Spatie\Permission\Traits\HasRoles;
use DarkGhostHunter\Laraguard\TwoFactorAuthentication;
use DarkGhostHunter\Laraguard\Contracts\TwoFactorAuthenticatable;

class User extends Authenticatable implements TwoFactorAuthenticatable
{
use Notifiable;
use HasRoles;
use HasTags;
use TwoFactorAuthentication;

...

App/Http/Controllers/UserController.php

public function prepareTwoFactor(Request $request)
{
if( TRUE == ( $User = Auth::user() ) )
{
$secret = $User->createTwoFactorAuth();

    return view('user.enable2fa', [
        'as_qr_code' => $secret->toQr(),     // As QR Code
        'as_uri'     => $secret->toUri(),    // As "otpauth://" URI.
        'as_string'  => $secret->toString(), // As a string
    ]);
}
...

When i run composer require i get the following error:
Your requirements could not be resolved to an installable set of packages.

Problem 1
- darkghosthunter/laraguard[v2.0.0, ..., v2.0.2] require illuminate/support ^6.15||^7.0 -> found illuminate/support[v6.15.0, ..., v6.20.26, v7.0.0, ..., v7.30.4] but these were not
loaded, likely because it conflicts with another require.
- Root composer.json requires darkghosthunter/laraguard ^2.0 -> satisfiable by darkghosthunter/laraguard[v2.0.0, v2.0.1, v2.0.2].

Installation failed, reverting ./composer.json and ./composer.lock to their original content.
root@peddy-backend:/app# php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider" --tag="migrations"

C:\Users\Alican\Documents\Technoperia\Peddy\peddy_backend>docker exec -it peddy_backend_fpm_1 bash
root@peddy-backend:/app# composer require darkghosthunter/laraguard
Using version ^2.0 for darkghosthunter/laraguard
./composer.json has been updated
Running composer update darkghosthunter/laraguard

php artisan clear-compiled
Compiled services and packages files removed!
Loading composer repositories with package information
Updating dependencies

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - darkghosthunter/laraguard[v2.0.0, ..., v2.0.2] require illuminate/support ^6.15||^7.0 -> found illuminate/support[v6.15.0, ..., v6.20.26, v7.0.0, ..., v7.30.4] but these were not
 loaded, likely because it conflicts with another require.
    - Root composer.json requires darkghosthunter/laraguard ^2.0 -> satisfiable by darkghosthunter/laraguard[v2.0.0, v2.0.1, v2.0.2].


Installation failed, reverting ./composer.json and ./composer.lock to their original content.

Here is my composer json file:

{ "name": "appnormal/happymondays", "description": "Happy Mondays", "license": "MIT", "type": "project", "require": { "php": "7.3.*", "ext-json": "*", "laravel/framework": "^8.0", "laravelcollective/html": "^6.0.0", "barryvdh/laravel-debugbar": "~3.1", "barryvdh/laravel-ide-helper": "~2.4", "imagine/imagine": "0.6.*", "panique/laravel-sass": "1.0", "doctrine/dbal": "~2.5", "fideloper/proxy": "^4.0", "maatwebsite/excel": "~3.1.18", "google/apiclient": "^2.2", "pusher/pusher-php-server": "^4.0", "fruitcake/laravel-cors": "^2.0", "phpoffice/phpexcel": "^1.8", "edujugon/push-notification": "^4.4", "laravel/ui": "^3.1", "laravel/telescope": "^4.4" }, "require-dev": { "fzaninotto/faker": "~1.4", "mockery/mockery": "^1.0", "phpunit/phpunit": "^9.0", "phpspec/phpspec": "6.*", "symfony/dom-crawler": "5.*", "symfony/css-selector": "5.*", "filp/whoops": "~2.0", "laravel/browser-kit-testing": "^6.1", "knuckleswtf/scribe": "^2.0.0-beta" }, "autoload": { "classmap": [ "database" ], "psr-4": { "App\\": "app/", "Database\\Factories\\": "database/factories/", "Database\\Seeders\\": "database/seeders/" } }, "autoload-dev": { "classmap": [ "tests/TestCase.php", "tests/BrowserKitTestCase.php" ] }, "scripts": { "post-install-cmd": [ "php artisan clear-compiled", "php artisan optimize", "php artisan telescope:install" ], "pre-update-cmd": [ "php artisan clear-compiled" ], "post-update-cmd": [ "php artisan optimize", "php artisan ide-helper:generate", "composer require laravel/ui", "php artisan telescope:install" ], "post-root-package-install": [ "php -r \"copy('.env.example', '.env');\"" ], "post-create-project-cmd": [ "php artisan key:generate" ] }, "config": { "preferred-install": "dist" } }

Hi, first of all thank you for the excellent work.
I was looking for a solution to verify an otp for certain operations (on demand), is it possible to trigger the otp verification flow manually or on custom events ?
Maybe like laravel middleware password.confirm
Thanks, regards

I cannot enable Two Factor Authentication because the code generated by my authentication application does not match the value generated by the generateCode() function.

When I scan the QR code to confirm enablement the validateCode() function always returns false because the code is not valid.

I had to debug the value returned by $this->makeCode($at, -$i) and use it to be able to enable it.

Otherwise, thank you very much for this great package. I was able to use all the features.

But validateCode always returns false because the code doesn't match my authentication application :-(

In the part about enabling two factor, it is mentioned that it needs to be two way. Where do I send this in from?

$request->input('2fa_code')

Is there a route or a view I have missed?

I assume this isn't going to happen considering how the package is built, using listeners. But are there any plans to make it possible to use with javascript/ajax? I am using inertia for a project where I would love to add two factor auth, but I need to have control over the response (Inertia::render())

I just went through the README.md and I have to say, this looks like a very nice piece of work! Thank you very much for open sourcing it. Please close this issue when you read this token of appreciation, have a nice day.

Hi DarkGhostHunter,

Thanks for the great work, I just had an enquiry/feature request.

It looks like there is no support out of the box for JSON responses for 2fa.require middleware.

I am over-riding the listener as described in your README.MD, but just wanted to know if:
a) Am I missing something and this functionality already exists?
b) Were there plans to implement this?