Enable mfa, store last login time

Author: phit

app/Filament/Resources/Users/Tables/UsersTable.php

@@ -25,6 +25,10 @@ public static function configure(Table $table): Table
                 TextColumn::make('role')
                     ->badge()
                     ->sortable(),
+                TextColumn::make('last_logged_in_at')
+                    ->label('Last login')
+                    ->dateTime()
+                    ->sortable(),
                 TextColumn::make('created_at')
                     ->dateTime()
                     ->sortable()

app/Models/User.php

@@ -6,13 +6,15 @@
 
 // use Illuminate\Contracts\Auth\MustVerifyEmail;
 use App\Enums\UserRole;
+use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthentication;
+use Filament\Auth\MultiFactor\App\Contracts\HasAppAuthenticationRecovery;
 use Filament\Models\Contracts\FilamentUser;
 use Filament\Panel;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 
-class User extends Authenticatable implements FilamentUser
+class User extends Authenticatable implements FilamentUser, HasAppAuthentication, HasAppAuthenticationRecovery
 {
     /** @use HasFactory<\Database\Factories\UserFactory> */
     use HasFactory;
@@ -39,6 +41,8 @@ class User extends Authenticatable implements FilamentUser
     protected $hidden = [
         'password',
         'remember_token',
+        'app_authentication_secret',
+        'app_authentication_recovery_codes',
     ];
 
     /**
@@ -50,11 +54,47 @@ protected function casts(): array
     {
         return [
             'email_verified_at' => 'datetime',
+            'last_logged_in_at' => 'datetime',
             'password' => 'hashed',
             'role' => UserRole::class,
+            'app_authentication_secret' => 'encrypted',
+            'app_authentication_recovery_codes' => 'encrypted:array',
         ];
     }
 
+    public function getAppAuthenticationSecret(): ?string
+    {
+        return $this->app_authentication_secret;
+    }
+
+    public function saveAppAuthenticationSecret(?string $secret): void
+    {
+        $this->app_authentication_secret = $secret;
+        $this->save();
+    }
+
+    public function getAppAuthenticationHolderName(): string
+    {
+        return $this->email;
+    }
+
+    /**
+     * @return ?array<string>
+     */
+    public function getAppAuthenticationRecoveryCodes(): ?array
+    {
+        return $this->app_authentication_recovery_codes;
+    }
+
+    /**
+     * @param  array<string> | null  $codes
+     */
+    public function saveAppAuthenticationRecoveryCodes(?array $codes): void
+    {
+        $this->app_authentication_recovery_codes = $codes;
+        $this->save();
+    }
+
     public function isMaintainer(): bool
     {
         return in_array($this->role, [UserRole::Maintainer, UserRole::Admin], true);

app/Providers/AppServiceProvider.php

@@ -16,6 +16,8 @@
 use App\Observers\SrvRecordObserver;
 use App\Observers\UserObserver;
 use App\Observers\WhitelistUserObserver;
+use Illuminate\Auth\Events\Login;
+use Illuminate\Support\Facades\Event;
 use Illuminate\Support\ServiceProvider;
 
 class AppServiceProvider extends ServiceProvider
@@ -39,5 +41,13 @@ public function boot(): void
         WhitelistUser::observe(WhitelistUserObserver::class);
         OverrideRule::observe(OverrideRuleObserver::class);
         SrvRecord::observe(SrvRecordObserver::class);
+
+        Event::listen(Login::class, function (Login $event): void {
+            $user = $event->user;
+            if (is_object($user)) {
+                $user->last_logged_in_at = now();
+                $user->save();
+            }
+        });
     }
 }

app/Providers/Filament/AdminPanelProvider.php

@@ -4,6 +4,7 @@
 
 namespace App\Providers\Filament;
 
+use Filament\Auth\MultiFactor\App\AppAuthentication;
 use Filament\Http\Middleware\Authenticate;
 use Filament\Http\Middleware\AuthenticateSession;
 use Filament\Http\Middleware\DisableBladeIconComponents;
@@ -39,6 +40,9 @@ public function panel(Panel $panel): Panel
             ->path('')
             ->login()
             ->profile()
+            ->multiFactorAuthentication([
+                AppAuthentication::make()->recoverable(),
+            ])
             ->viteTheme('resources/css/filament/admin/theme.css')
             ->passwordReset()
             ->emailVerification()

database/migrations/2025_12_28_000000_add_last_logged_in_at_to_users_table.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('users', function (Blueprint $table): void {
+            $table->timestamp('last_logged_in_at')->nullable()->after('remember_token');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('users', function (Blueprint $table): void {
+            $table->dropColumn('last_logged_in_at');
+        });
+    }
+};

database/migrations/2025_12_28_003206_add_mfa_to_users_table.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->text('app_authentication_secret')->nullable()->after('remember_token');
+            $table->text('app_authentication_recovery_codes')->nullable()->after('app_authentication_secret');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropColumn('app_authentication_secret');
+            $table->dropColumn('app_authentication_recovery_codes');
+        });
+    }
+};

tests/Feature/Auth/AuthenticationTest.php

@@ -5,8 +5,11 @@
 namespace Tests\Feature\Auth;
 
 use App\Models\User;
+use Filament\Auth\Pages\Login;
+use Filament\Facades\Filament;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Auth;
+use Livewire\Livewire;
 use Tests\TestCase;
 
 class AuthenticationTest extends TestCase
@@ -23,17 +26,36 @@ public function test_login_screen_can_be_rendered(): void
 
     public function test_users_can_authenticate_using_the_login_screen(): void
     {
-        $user = User::factory()->create();
-        $this->actingAs($user);
+        $this->assertGuest();
+
+        $userToAuthenticate = User::factory()->create();
 
-        $this->get('/')->assertOk();
+        Livewire::test(Login::class)
+            ->fillForm([
+                'email' => $userToAuthenticate->email,
+                'password' => 'password',
+            ])
+            ->call('authenticate')
+            ->assertRedirect(Filament::getUrl());
 
-        $this->assertAuthenticatedAs($user);
+        $this->assertAuthenticatedAs($userToAuthenticate);
+        $this->assertNotNull($userToAuthenticate->refresh()->last_logged_in_at);
     }
 
     public function test_users_can_not_authenticate_with_invalid_password(): void
     {
         $this->assertGuest();
+
+        $userToAuthenticate = User::factory()->create();
+
+        Livewire::test(Login::class)
+            ->fillForm([
+                'email' => $userToAuthenticate->email,
+                'password' => 'password123',
+            ])
+            ->call('authenticate')
+            ->assertHasFormErrors(['email']);
+        $this->assertGuest();
     }
 
     public function test_navigation_menu_can_be_rendered(): void