Modify throttling flow; lockout login procedure in response to hitting two-factor authentication limit

michaeldzjap · michaeldzjap · commit 62c5a9ef452a · 2017-05-28T13:48:36.000+02:00
diff --git a/src/Http/Controllers/ThrottlesTwoFactorAuths.php b/src/Http/Controllers/ThrottlesTwoFactorAuths.php
@@ -4,10 +4,14 @@
 
 use Illuminate\Auth\Events\Lockout;
 use Illuminate\Cache\RateLimiter;
+use Illuminate\Foundation\Auth\ThrottlesLogins;
 use Illuminate\Http\Request;
+use Illuminate\Support\Str;
 
 trait ThrottlesTwoFactorAuths
 {
+    use ThrottlesLogins;
+
     /**
      * Determine if the user has too many failed two-factor authentiction attempts.
      *
@@ -16,9 +20,7 @@ trait ThrottlesTwoFactorAuths
      */
     protected function hasTooManyTwoFactorAuthAttempts(Request $request)
     {
-        return $this->limiter()->tooManyAttempts(
-            $this->throttleKey($request), 3, 1
-        );
+        return self::hasTooManyLoginAttempts($request);
     }
 
     /**
@@ -29,7 +31,7 @@ protected function hasTooManyTwoFactorAuthAttempts(Request $request)
      */
     protected function incrementTwoFactorAuthAttempts(Request $request)
     {
-        $this->limiter()->hit($this->throttleKey($request));
+        self::incrementLoginAttempts($request);
     }
 
     /**
@@ -44,15 +46,19 @@ protected function sendLockoutResponse(Request $request)
             $this->throttleKey($request)
         );
 
-        $message = __('two-factor-auth.throttle', ['seconds' => $seconds]);
+        $message = __('twofactor-auth::twofactor-auth.throttle', ['seconds' => $seconds]);
 
-        $errors = [$this->fieldname() => $message];
+        $errors = [$this->username() => $message];
 
         if ($request->expectsJson()) {
             return response()->json($errors, 423);
         }
 
-        return redirect()->back()->withErrors($errors);
+        return redirect()->to('/login')
+            ->withInput(
+                array_only($request->session()->get('two-factor:auth'), [$this->username(), 'remember'])
+            )
+            ->withErrors($errors);
     }
 
     /**
@@ -85,7 +91,7 @@ protected function fireLockoutEvent(Request $request)
      */
     protected function throttleKey(Request $request)
     {
-        return $request->session()->get('two-factor:auth:id').'|'.$request->ip();
+        return Str::lower($request->session()->get('two-factor:auth')[$this->username()]).'|'.$request->ip();
     }
 
     /**
diff --git a/src/Http/Controllers/TwoFactorAuthenticatesUsers.php b/src/Http/Controllers/TwoFactorAuthenticatesUsers.php
@@ -33,10 +33,10 @@ public function showTwoFactorForm()
      */
     public function verifyToken(VerifySMSToken $request)
     {
-        // If the class is using the ThrottlesLogins trait, we can automatically throttle
-        // the two-factor authentication attempts for this application. We'll key this by
-        // the user id in the session storage and the IP address of the client making
-        // these requests into this application.
+        // If the class is using the ThrottlesTwoFactorAuths trait, we can automatically
+        // throttle the two-factor authentication attempts for this application.
+        // We'll key this by the username in the session storage and the IP address
+        // of the client making these requests into this application.
         if ($this->hasTooManyTwoFactorAuthAttempts($request)) {
             $this->fireLockoutEvent($request);
 
@@ -77,7 +77,6 @@ protected function attemptTwoFactorAuth(Request $request)
         $user = User::findOrFail($request->session()->get('two-factor:auth:id'));
 
         if (resolve(TwoFactorProvider::class)->verify($user, $request->input('token'))) {
-            $request->session()->forget('two-factor:auth:id');
             auth()->login($user);   // If SMS code validation passes, login user
 
             return true;
@@ -98,6 +97,8 @@ protected function sendTwoFactorAuthResponse(Request $request)
 
         $this->clearTwoFactorAuthAttempts($request);
 
+        $request->session()->forget('two-factor:auth');
+
         return redirect()->intended($this->redirectPath());
     }
 
@@ -109,7 +110,7 @@ protected function sendTwoFactorAuthResponse(Request $request)
      */
     protected function sendFailedTwoFactorAuthResponse(Request $request)
     {
-        $errors = [$this->fieldname() => __('two-factor-auth.failed')];
+        $errors = ['token' => __('twofactor-auth::twofactor-auth.failed')];
 
         if ($request->expectsJson()) {
             return response()->json($errors, 422);
@@ -127,22 +128,22 @@ protected function sendFailedTwoFactorAuthResponse(Request $request)
      */
     protected function sendKillTwoFactorAuthResponse(Request $request)
     {
-        $errors = [$this->fieldname() => __('two-factor-auth.expired')];
+        $errors = [$this->username() => __('twofactor-auth::twofactor-auth.expired')];
 
         if ($request->expectsJson()) {
             return response()->json($errors, 401);
         }
 
-        return redirect()->back()->withErrors($errors);
+        return redirect()->to('/login')->withErrors($errors);
     }
 
     /**
-     * Get the input field identifier to be used by the controller.
+     * Get the login username to be used by the controller.
      *
      * @return string
      */
-    public function fieldname()
+    public function username()
     {
-        return 'token';
+        return 'email';
     }
 }
diff --git a/src/Http/Requests/VerifySMSToken.php b/src/Http/Requests/VerifySMSToken.php
@@ -13,7 +13,7 @@ class VerifySMSToken extends FormRequest
      */
     public function authorize()
     {
-        if ($this->session()->has('two-factor:auth:id')) {
+        if ($this->session()->has('two-factor:auth')) {
             return true;
         }
 
diff --git a/src/resources/lang/en/twofactor-auth.php b/src/resources/lang/en/twofactor-auth.php
@@ -18,7 +18,7 @@
     'send' => 'Send Token',
 
     'failed' => 'Invalid authentication token provided.',
-    'throttle' => 'Too many authentication attempts. You will be redirected to the login page. Please try again in :seconds seconds.',
-    'expired' => 'The authentication token has expired. You will be redirected to the login page.',
+    'throttle' => 'Too many two-factor authentication token attempts. Please try again in :seconds seconds.',
+    'expired' => 'The two-factor authentication token has expired.',
 
 ];
diff --git a/src/resources/lang/nl/twofactor-auth.php b/src/resources/lang/nl/twofactor-auth.php
@@ -18,7 +18,7 @@
     'send' => 'Verstuur Token',
 
     'failed' => 'Ongeldige authenticatie token aangeleverd.',
-    'throttle' => 'Te veel authenticatie pogingen. Je wordt automatisch teruggestuurd naar de login pagina. Probeer het alsjeblieft opnieuw over :seconds seconden.',
-    'expired' => 'De authenticatie token is verlopen. Je wordt automatisch teruggestuurd naar de login pagina.',
+    'throttle' => 'Te veel authenticatie token pogingen. Probeer het alsjeblieft opnieuw over :seconds seconden.',
+    'expired' => 'De authenticatie token is verlopen.',
 
 ];

Original file line number	Diff line number	Diff line change
`@@ -4,10 +4,14 @@`
`4`	`4`
`5`	`5`	`use Illuminate\Auth\Events\Lockout;`
`6`	`6`	`use Illuminate\Cache\RateLimiter;`
	`7`	`+use Illuminate\Foundation\Auth\ThrottlesLogins;`
`7`	`8`	`use Illuminate\Http\Request;`
	`9`	`+use Illuminate\Support\Str;`
`8`	`10`
`9`	`11`	`trait ThrottlesTwoFactorAuths`
`10`	`12`	`{`
	`13`	`+ use ThrottlesLogins;`
	`14`	`+`
`11`	`15`	`/**`
`12`	`16`	`* Determine if the user has too many failed two-factor authentiction attempts.`
`13`	`17`	`*`
`@@ -16,9 +20,7 @@ trait ThrottlesTwoFactorAuths`
`16`	`20`	`*/`
`17`	`21`	`protected function hasTooManyTwoFactorAuthAttempts(Request $request)`
`18`	`22`	`{`
`19`		`- return $this->limiter()->tooManyAttempts(`
`20`		`- $this->throttleKey($request), 3, 1`
`21`		`- );`
	`23`	`+ return self::hasTooManyLoginAttempts($request);`
`22`	`24`	`}`
`23`	`25`
`24`	`26`	`/**`
`@@ -29,7 +31,7 @@ protected function hasTooManyTwoFactorAuthAttempts(Request $request)`
`29`	`31`	`*/`
`30`	`32`	`protected function incrementTwoFactorAuthAttempts(Request $request)`
`31`	`33`	`{`
`32`		`- $this->limiter()->hit($this->throttleKey($request));`
	`34`	`+ self::incrementLoginAttempts($request);`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`/**`
`@@ -44,15 +46,19 @@ protected function sendLockoutResponse(Request $request)`
`44`	`46`	`$this->throttleKey($request)`
`45`	`47`	`);`
`46`	`48`
`47`		`- $message = __('two-factor-auth.throttle', ['seconds' => $seconds]);`
	`49`	`+ $message = __('twofactor-auth::twofactor-auth.throttle', ['seconds' => $seconds]);`
`48`	`50`
`49`		`- $errors = [$this->fieldname() => $message];`
	`51`	`+ $errors = [$this->username() => $message];`
`50`	`52`
`51`	`53`	`if ($request->expectsJson()) {`
`52`	`54`	`return response()->json($errors, 423);`
`53`	`55`	`}`
`54`	`56`
`55`		`- return redirect()->back()->withErrors($errors);`
	`57`	`+ return redirect()->to('/login')`
	`58`	`+ ->withInput(`
	`59`	`+ array_only($request->session()->get('two-factor:auth'), [$this->username(), 'remember'])`
	`60`	`+ )`
	`61`	`+ ->withErrors($errors);`
`56`	`62`	`}`
`57`	`63`
`58`	`64`	`/**`
`@@ -85,7 +91,7 @@ protected function fireLockoutEvent(Request $request)`
`85`	`91`	`*/`
`86`	`92`	`protected function throttleKey(Request $request)`
`87`	`93`	`{`
`88`		`- return $request->session()->get('two-factor:auth:id').'\|'.$request->ip();`
	`94`	`+ return Str::lower($request->session()->get('two-factor:auth')[$this->username()]).'\|'.$request->ip();`
`89`	`95`	`}`
`90`	`96`
`91`	`97`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ class VerifySMSToken extends FormRequest`
`13`	`13`	`*/`
`14`	`14`	`public function authorize()`
`15`	`15`	`{`
`16`		`- if ($this->session()->has('two-factor:auth:id')) {`
	`16`	`+ if ($this->session()->has('two-factor:auth')) {`
`17`	`17`	`return true;`
`18`	`18`	`}`
`19`	`19`