feat: update two-factor authentication to delay login until confirmation

Author: pushpak1300

app/Http/Controllers/Auth/AuthenticatedSessionController.php

@@ -10,6 +10,7 @@
 use Illuminate\Support\Facades\Route;
 use Inertia\Inertia;
 use Inertia\Response;
+use Laravel\Fortify\Features;
 
 class AuthenticatedSessionController extends Controller
 {
@@ -29,7 +30,18 @@ public function create(Request $request): Response
      */
     public function store(LoginRequest $request): RedirectResponse
     {
-        $request->authenticate();
+        $user = $request->validateCredentials();
+
+        if (Features::enabled(Features::twoFactorAuthentication()) && filled($user->two_factor_confirmed_at)) {
+            $request->session()->put([
+                'login.id' => $user->getKey(),
+                'login.remember' => $request->boolean('remember'),
+            ]);
+
+            return redirect()->route('two-factor.login');
+        }
+
+        Auth::login($user, $request->boolean('remember'));
 
         $request->session()->regenerate();
 

app/Http/Requests/Auth/LoginRequest.php

@@ -6,11 +6,9 @@
 use Illuminate\Auth\Events\Lockout;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Str;
 use Illuminate\Validation\ValidationException;
-use Laravel\Fortify\Features;
 
 class LoginRequest extends FormRequest
 {
@@ -36,34 +34,18 @@ public function rules(): array
     }
 
     /**
-     * Attempt to authenticate the request's credentials.
+     * Validate the request's credentials and return the user without logging them in.
      *
      * @throws \Illuminate\Validation\ValidationException
      */
-    public function authenticate()
+    public function validateCredentials(): User
     {
         $this->ensureIsNotRateLimited();
 
-        // Check if two-factor authentication is enabled
-        if (Features::enabled(Features::twoFactorAuthentication())) {
-            $user = User::where('email', $this->email)->first();
+        /** @var User $user */
+        $user = Auth::getProvider()->retrieveByCredentials($this->only('email', 'password'));
 
-            // If this user exists, the password is correct, and 2FA is enabled; we want to redirect to the 2FA challenge
-            if ($user && $user->two_factor_confirmed_at && Hash::check($this->password, $user->password)) {
-                // Store the user ID and remember preference in the session
-                $this->session()->put([
-                    'login.id' => $user->getKey(),
-                    'login.remember' => $this->boolean('remember'),
-                ]);
-
-                RateLimiter::clear($this->throttleKey());
-
-                return redirect()->route('two-factor.login');
-            }
-        }
-
-        // Proceed with normal authentication if 2FA is not enabled or the user doesn't have 2FA
-        if (! Auth::attempt($this->only('email', 'password'), $this->boolean('remember'))) {
+        if (! $user || ! Auth::getProvider()->validateCredentials($user, $this->only('password'))) {
             RateLimiter::hit($this->throttleKey());
 
             throw ValidationException::withMessages([
@@ -72,6 +54,8 @@ public function authenticate()
         }
 
         RateLimiter::clear($this->throttleKey());
+
+        return $user;
     }
 
     /**

app/Providers/FortifyServiceProvider.php

@@ -25,7 +25,7 @@ public function boot(): void
             return Inertia::render('auth/ConfirmPassword');
         });
 
-         RateLimiter::for('login', function (Request $request) {
+        RateLimiter::for('login', function (Request $request) {
             $throttleKey = Str::transliterate(Str::lower((string) $request->string(Fortify::username())).'|'.$request->ip());
 
             return Limit::perMinute(5)->by($throttleKey);