Adding some more cleanup and refactor

Author: tnylea

app/Http/Controllers/Auth/TwoFactorAuthenticatedSessionController.php

@@ -21,10 +21,7 @@ class TwoFactorAuthenticatedSessionController extends Controller
      */
     public function create(Request $request)
     {
-        if (! $request->session()->has('login.id')) {
-            return redirect()->route('login');
-        }
-
+        // Session check is now handled by the EnsureTwoFactorChallengeSession middleware
         return Inertia::render('auth/two-factor-challenge');
     }
 
@@ -41,49 +38,75 @@ public function store(Request $request)
             'recovery_code' => 'nullable|string',
         ]);
 
-        $userId = $request->session()->get('login.id');
-        $user = User::find($userId);
-
-        if (! $user) {
-            return redirect()->route('login');
-        }
+        // If we made it here, user is available via the EnsureTwoFactorChallengeSession middleware
+        $user = $request->two_factor_auth_user;
 
-        // Handle TOTP code
+        // Handle one-time password (OTP) code
         if ($request->filled('code')) {
-            $secret = decrypt($user->two_factor_secret);
-            $valid = app(\App\Actions\TwoFactorAuth\VerifyTwoFactorCode::class)($secret, $request->code);
-            if ($valid) {
-                app(CompleteTwoFactorAuthentication::class)($user);
-                return redirect()->intended(route('dashboard', absolute: false));
-            }
-            return back()->withErrors(['code' => __('The provided two factor authentication code was invalid.')]);
+            return $this->authenticateUsingCode($request, $user);
         }
 
         // Handle recovery code
         if ($request->filled('recovery_code')) {
-            $recoveryCodes = json_decode(decrypt($user->two_factor_recovery_codes), true);
-            $provided = $request->recovery_code;
-            $match = collect($recoveryCodes)->first(function ($code) use ($provided) {
-                return hash_equals($code, $provided);
-            });
-            if (! $match) {
-                return back()->withErrors(['recovery_code' => __('The provided two factor authentication recovery code was invalid.')]);
-            }
-            // Remove used recovery code using the ProcessRecoveryCode action
-            $updatedCodes = app(ProcessRecoveryCode::class)($recoveryCodes, $match);
-            if ($updatedCodes === false) {
-                return back()->withErrors(['recovery_code' => __('The provided two factor authentication recovery code was invalid.')]);
-            }
-            $user->two_factor_recovery_codes = encrypt(json_encode($updatedCodes));
-            $user->save();
-            // Complete the authentication process
+            return $this->authenticateUsingRecoveryCode($request, $user);
+        }
+
+        return back()->withErrors(['code' => __('Please provide a valid two factor code.')]);
+    }
+
+    /**
+     * Authenticate using a one-time password (OTP).
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \App\Models\User  $user
+     * @return \Illuminate\Http\Response
+     */
+    protected function authenticateUsingCode(Request $request, User $user)
+    {
+        $secret = decrypt($user->two_factor_secret);
+        $valid = app(\App\Actions\TwoFactorAuth\VerifyTwoFactorCode::class)($secret, $request->code);
+        
+        if ($valid) {
             app(CompleteTwoFactorAuthentication::class)($user);
-            
-            // Redirect to the intended page
             return redirect()->intended(route('dashboard', absolute: false));
         }
+        
+        return back()->withErrors(['code' => __('The provided two factor authentication code was invalid.')]);
+    }
 
-        return back()->withErrors(['code' => __('Please provide a valid two factor authentication code.')]);
+    /**
+     * Authenticate using a recovery code.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \App\Models\User  $user
+     * @return \Illuminate\Http\Response
+     */
+    protected function authenticateUsingRecoveryCode(Request $request, User $user)
+    {
+        $recoveryCodes = json_decode(decrypt($user->two_factor_recovery_codes), true);
+        $provided = $request->recovery_code;
+        $match = collect($recoveryCodes)->first(function ($code) use ($provided) {
+            return hash_equals($code, $provided);
+        });
+        
+        if (! $match) {
+            return back()->withErrors(['recovery_code' => __('The provided two factor authentication recovery code was invalid.')]);
+        }
+        
+        // Remove used recovery code using the ProcessRecoveryCode action
+        $updatedCodes = app(ProcessRecoveryCode::class)($recoveryCodes, $match);
+        if ($updatedCodes === false) {
+            return back()->withErrors(['recovery_code' => __('The provided two factor authentication recovery code was invalid.')]);
+        }
+        
+        $user->two_factor_recovery_codes = encrypt(json_encode($updatedCodes));
+        $user->save();
+        
+        // Complete the authentication process
+        app(CompleteTwoFactorAuthentication::class)($user);
+        
+        // Redirect to the intended page
+        return redirect()->intended(route('dashboard', absolute: false));
     }
 }
 

app/Http/Middleware/EnsureTwoFactorChallengeSession.php

@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Models\User;
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+
+class EnsureTwoFactorChallengeSession
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if (! $request->session()->has('login.id')) {
+            return redirect()->route('login');
+        }
+
+        $userId = $request->session()->get('login.id');
+        $user = User::find($userId);
+
+        if (! $user) {
+            return redirect()->route('login');
+        }
+
+        // Share the user with the request for controllers to use
+        $request->merge(['two_factor_auth_user' => $user]);
+
+        return $next($request);
+    }
+}

bootstrap/app.php

@@ -1,5 +1,6 @@
 <?php
 
+use App\Http\Middleware\EnsureTwoFactorChallengeSession;
 use App\Http\Middleware\HandleAppearance;
 use App\Http\Middleware\HandleInertiaRequests;
 use Illuminate\Foundation\Application;
@@ -14,6 +15,10 @@
         health: '/up',
     )
     ->withMiddleware(function (Middleware $middleware) {
+        $middleware->alias([
+            'ensure-two-factor-challenge-session' => EnsureTwoFactorChallengeSession::class,
+        ]);
+        
         $middleware->encryptCookies(except: ['appearance', 'sidebar_state']);
 
         $middleware->web(append: [

routes/auth.php

@@ -56,7 +56,10 @@
         ->name('logout');
 });
 
-Route::get('two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'create'])
-        ->name('two-factor.challenge');
+// Two-factor challenge routes with the ensure-two-factor-challenge-session middleware
+Route::middleware('ensure-two-factor-challenge-session')->group(function () {
+    Route::get('two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'create'])
+            ->name('two-factor.challenge');
 
-Route::post('two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'store']);
+    Route::post('two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'store']);
+});