Refactored 2fa challenge from hash to decrypt usage

stephenjude · stephenjude · commit a28522b08bf4 · 2025-08-17T20:42:09.000+01:00
diff --git a/resources/lang/en/actions.php b/resources/lang/en/actions.php
@@ -1,6 +1,4 @@
 <?php
-
-// translations for Stephenjude/FilamentTwoFactorAuthentication
 return [
     'confirm_two_factor_authentication' => [
         'wrong_code' => 'The provided two factor authentication code was invalid.',
diff --git a/resources/lang/en/pages.php b/resources/lang/en/pages.php
@@ -3,13 +3,13 @@
 return [
     'subheading' => 'Or',
     'challenge' => [
-        'action_label' => 'use a recovery code',
+        'action_label' => 'Use a recovery code',
         'confirm' => 'Please confirm access to your account by entering the authentication code provided by your authenticator application.',
         'code' => 'Code',
         'error' => 'The provided two factor authentication code was invalid.',
     ],
     'recovery' => [
-        'action_label' => 'use an authentication code',
+        'action_label' => 'Use an authentication code',
         'form_hint' => 'Please confirm access to your account by entering one of your emergency recovery codes.',
         'error' => 'The provided two factor authentication code was invalid.',
         'title' => 'Recovery Code',
diff --git a/resources/views/components/logout.blade.php b/resources/views/components/logout.blade.php
@@ -1,7 +1,7 @@
 <div class="flex justify-center w-full">
     <form method="POST" action="{{ filament()->getCurrentOrDefaultPanel()->getLogoutUrl() }}">
         @csrf
-        <x-filament::link tag="button" type="submit" weight="semibold">
+        <x-filament::link style="align-center" tag="button" type="submit" weight="semibold">
             {{__('filament-two-factor-authentication::components.logout.button')}}
         </x-filament::link>
     </form>
diff --git a/src/Pages/Challenge.php b/src/Pages/Challenge.php
@@ -19,14 +19,14 @@ class Challenge extends BaseSimplePage
 
     public ?array $data = [];
 
-    public function getTitle(): string | Htmlable
+    public function getTitle(): string|Htmlable
     {
         return __('filament-two-factor-authentication::section.header');
     }
 
     public function mount(): void
     {
-        if (! Filament::auth()->check()) {
+        if (!Filament::auth()->check()) {
             redirect()->to(filament()->getCurrentOrDefaultPanel()?->getLoginUrl());
 
             return;
@@ -44,11 +44,7 @@ public function recoveryAction(): Action
         return Action::make('recovery')
             ->link()
             ->label(__('filament-two-factor-authentication::pages.challenge.action_label'))
-            ->url(
-                filament()->getCurrentOrDefaultPanel()->route(
-                    'two-factor.recovery'
-                )
-            );
+            ->url(filament()->getCurrentOrDefaultPanel()->route('two-factor.recovery'));
     }
 
     public function authenticate()
@@ -85,8 +81,7 @@ public function form(Schema $schema): Schema
                     ->required()
                     ->autocomplete()
                     ->rules([
-                        fn () => function (string $attribute, $value, $fail) {
-
+                        fn() => function (string $attribute, $value, $fail) {
                             $user = Filament::auth()->user();
                             if (is_null($user)) {
                                 $fail(__('filament-two-factor-authentication::pages.challenge.error'));
@@ -101,7 +96,7 @@ public function form(Schema $schema): Schema
                                 code: $value
                             );
 
-                            if (! $isValidCode) {
+                            if (!$isValidCode) {
                                 $fail(__('filament-two-factor-authentication::pages.challenge.error'));
 
                                 event(new TwoFactorAuthenticationFailed($user));
@@ -122,7 +117,7 @@ public function getFormActions(): array
     protected function getAuthenticateFormAction(): Action
     {
         return Action::make('authenticate')
-            ->label(__('filament-panels::pages/auth/login.form.actions.authenticate.label'))
+            ->label(__('filament-panels::auth/pages/login.form.actions.authenticate.label'))
             ->submit('authenticate');
     }
 
diff --git a/src/Pages/Recovery.php b/src/Pages/Recovery.php
@@ -66,11 +66,7 @@ public function form(Schema $schema): Schema
             ->schema([
                 TextInput::make('recovery_code')
                     ->hiddenLabel()
-                    ->hint(
-                        __(
-                            'filament-two-factor-authentication::pages.recovery.form_hint'
-                        )
-                    )
+                    ->hint(__('filament-two-factor-authentication::pages.recovery.form_hint'))
                     ->required()
                     ->autocomplete()
                     ->autofocus()
@@ -101,7 +97,7 @@ public function getFormActions(): array
     protected function getAuthenticateFormAction(): Action
     {
         return Action::make('authenticate')
-            ->label(__('filament-panels::pages/auth/login.form.actions.authenticate.label'))
+            ->label(__('filament-panels::auth/pages/login.form.actions.authenticate.label'))
             ->submit('authenticate');
     }
 
diff --git a/src/TwoFactorAuthenticatable.php b/src/TwoFactorAuthenticatable.php
@@ -9,7 +9,6 @@
 use BaconQrCode\Renderer\RendererStyle\RendererStyle;
 use BaconQrCode\Writer;
 use Illuminate\Support\Facades\Cache;
-use Illuminate\Support\Facades\Hash;
 use Spatie\LaravelPasskeys\Models\Concerns\InteractsWithPasskeys;
 use Stephenjude\FilamentTwoFactorAuthentication\Events\RecoveryCodeReplaced;
 
@@ -22,8 +21,8 @@ trait TwoFactorAuthenticatable
      */
     public function hasEnabledTwoFactorAuthentication(): bool
     {
-        return ! is_null($this->two_factor_secret) &&
-            ! is_null($this->two_factor_confirmed_at);
+        return !is_null($this->two_factor_secret) &&
+            !is_null($this->two_factor_confirmed_at);
     }
 
     public function hasEnabledPasskeyAuthentication(): bool
@@ -44,17 +43,16 @@ public function passkeyAuthenticated(): bool
 
     public function isTwoFactorChallengePassed(): bool
     {
-        $sessionKey = 'login_2fa_challenge_passed_' . $this->id;
+        if ($twoFactorSecretFromSession = session()->get("login:challenge:secret:$this->id")) {
+            return decrypt($this->two_factor_secret) === decrypt($twoFactorSecretFromSession);
+        }
 
-        return Hash::check($this->two_factor_secret, session()->get($sessionKey));
+        return false;
     }
 
     public function setTwoFactorChallengePassed(): void
     {
-        $sessionKey = 'login_2fa_challenge_passed_' . $this->id;
-        $sessionValue = Hash::make($this->two_factor_secret);
-
-        session()->put($sessionKey, $sessionValue);
+        session()->put("login:challenge:secret:$this->id", $this->two_factor_secret);
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@`
`9`	`9`	`use BaconQrCode\Renderer\RendererStyle\RendererStyle;`
`10`	`10`	`use BaconQrCode\Writer;`
`11`	`11`	`use Illuminate\Support\Facades\Cache;`
`12`		`-use Illuminate\Support\Facades\Hash;`
`13`	`12`	`use Spatie\LaravelPasskeys\Models\Concerns\InteractsWithPasskeys;`
`14`	`13`	`use Stephenjude\FilamentTwoFactorAuthentication\Events\RecoveryCodeReplaced;`
`15`	`14`
`@@ -22,8 +21,8 @@ trait TwoFactorAuthenticatable`
`22`	`21`	`*/`
`23`	`22`	`public function hasEnabledTwoFactorAuthentication(): bool`
`24`	`23`	`{`
`25`		`- return ! is_null($this->two_factor_secret) &&`
`26`		`- ! is_null($this->two_factor_confirmed_at);`
	`24`	`+ return !is_null($this->two_factor_secret) &&`
	`25`	`+ !is_null($this->two_factor_confirmed_at);`
`27`	`26`	`}`
`28`	`27`
`29`	`28`	`public function hasEnabledPasskeyAuthentication(): bool`
`@@ -44,17 +43,16 @@ public function passkeyAuthenticated(): bool`
`44`	`43`
`45`	`44`	`public function isTwoFactorChallengePassed(): bool`
`46`	`45`	`{`
`47`		`- $sessionKey = 'login_2fa_challenge_passed_' . $this->id;`
	`46`	`+ if ($twoFactorSecretFromSession = session()->get("login:challenge:secret:$this->id")) {`
	`47`	`+ return decrypt($this->two_factor_secret) === decrypt($twoFactorSecretFromSession);`
	`48`	`+ }`
`48`	`49`
`49`		`- return Hash::check($this->two_factor_secret, session()->get($sessionKey));`
	`50`	`+ return false;`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`public function setTwoFactorChallengePassed(): void`
`53`	`54`	`{`
`54`		`- $sessionKey = 'login_2fa_challenge_passed_' . $this->id;`
`55`		`- $sessionValue = Hash::make($this->two_factor_secret);`
`56`		`-`
`57`		`- session()->put($sessionKey, $sessionValue);`
	`55`	`+ session()->put("login:challenge:secret:$this->id", $this->two_factor_secret);`
`58`	`56`	`}`
`59`	`57`
`60`	`58`	`/**`