Added Panel id to session credentials allow logging in to different panels

cannycookie · cannycookie · commit 1a49d9dcbf6b · 2024-10-28T19:45:19.000Z
Added EnsureTwoFactor middleware
Forget Session credentials after login
Simplify  route definition
diff --git a/routes/web.php b/routes/web.php
@@ -1,21 +1,9 @@
 <?php
 
-use Visualbuilder\Filament2fa\Livewire\Confirm2Fa;
+
 use Illuminate\Support\Facades\Route;
-use Illuminate\Cookie\Middleware\EncryptCookies;
-use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
-use Illuminate\Session\Middleware\AuthenticateSession;
-use Illuminate\Session\Middleware\StartSession;
-use Illuminate\View\Middleware\ShareErrorsFromSession;
+use Visualbuilder\Filament2fa\Livewire\Confirm2Fa;
 
-Route::middleware([
-    EncryptCookies::class,
-    StartSession::class,
-    ShareErrorsFromSession::class,
-    VerifyCsrfToken::class,
-    AuthenticateSession::class,
-])->group(function () {
-    Route::name('2fa.')->group(function () {
-        Route::get( config('filament-2fa.login.confirm_totp_page_url') , Confirm2Fa::class)->name('validate');
-    });
+Route::middleware(['web','2fa.is_login_session'])->group(function () {
+    Route::get(config('filament-2fa.login.confirm_totp_page_url'), Confirm2Fa::class)->name('2fa.validate');
 });
diff --git a/src/Filament/Pages/Login.php b/src/Filament/Pages/Login.php
@@ -36,7 +36,8 @@ public function authenticate(): null|TwoFactorAuthResponse|LoginResponse
         if ($this->needsTwoFactorAuthentication($user)) {
             $this->storeCredentials($credentials, $remember);
             Filament::auth()->logout();
-
+            // Regenerate session to prevent fixation
+            //session()->regenerate();
             return app(TwoFactorAuthResponse::class);
         }
 
@@ -77,6 +78,21 @@ protected function attemptLogin(array $credentials, bool $remember): bool
         return Filament::auth()->attempt($credentials, $remember);
     }
 
+    /**
+     * Handle two-factor authentication if required.
+     */
+    protected function handleTwoFactorAuthentication(Authenticatable $user, array $credentials, bool $remember): ?TwoFactorAuthResponse
+    {
+        if ($this->needsTwoFactorAuthentication($user)) {
+            $this->storeCredentials($credentials, $remember);
+            Filament::auth()->logout();
+
+            return app(TwoFactorAuthResponse::class);
+        }
+
+        return null;
+    }
+
     /**
      * Determine if two-factor authentication is required.
      */
@@ -109,6 +125,7 @@ protected function storeCredentials(array $credentials, bool $remember): void
         $sessionData = [
             'credentials' => $encryptedCredentials,
             'remember' => $remember,
+            'panel_id' => Filament::getCurrentPanel()->getId(),
         ];
 
         $credentialKey = config('filament-2fa.login.credential_key');
diff --git a/src/Filament2faServiceProvider.php b/src/Filament2faServiceProvider.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Str;
 use Spatie\LaravelPackageTools\Package;
 use Spatie\LaravelPackageTools\PackageServiceProvider;
+use Visualbuilder\Filament2fa\Http\Middleware\EnsureTwoFactorSession;
 
 
 class Filament2faServiceProvider extends PackageServiceProvider
@@ -68,4 +69,14 @@ protected function publishConfigs()
             base_path('config/filament-2fa.php') => base_path('config/filament-2fa.php'),
         ]);
     }
+
+    public function boot()
+    {
+        parent::boot();
+
+        /**
+         * Add middleware to ensure 2fa confirmation is only loaded when we have valid session credentials
+         */
+        app('router')->aliasMiddleware('2fa.is_login_session',EnsureTwoFactorSession::class);
+    }
 }
diff --git a/src/Http/Middleware/EnsureTwoFactorSession.php b/src/Http/Middleware/EnsureTwoFactorSession.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Visualbuilder\Filament2fa\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Config;
+
+class EnsureTwoFactorSession
+{
+    /**
+     * Handle an incoming request.
+     *
+     * Allow access only if 2FA session data exists.
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $sessionKey = Config::get('filament-2fa.login.credential_key', '_2fa_login');
+        $hasCredentials = $request->session()->has("{$sessionKey}.credentials");
+        $hasPanelId = $request->session()->has("{$sessionKey}.panel_id");
+
+        if (!$hasCredentials || !$hasPanelId) {
+            return redirect()->route('filament.login');
+        }
+
+        return $next($request);
+    }
+}
diff --git a/src/Livewire/Confirm2Fa.php b/src/Livewire/Confirm2Fa.php
@@ -43,8 +43,8 @@ public static function canView()
 
     public function mount()
     {
-        [$credentials, $remember] = $this->getFlashedData();
-        if (!$credentials) {
+        [$credentials,$panelId, $remember] = $this->getFlashedData();
+        if (!$credentials || !$panelId) {
             return redirect(Filament::getLoginUrl());
         }
         // Initialize the form with default values
@@ -64,12 +64,13 @@ protected function getFlashedData(): array
         $sessionKey = config('filament-2fa.login.credential_key');
         $credentials = session("$sessionKey.credentials", []);
         $remember = session("$sessionKey.remember", false);
+        $panelId = session("$sessionKey.panel_id");
 
         foreach ($credentials as $index => $value) {
             $credentials[$index] = Crypt::decryptString($value);
         }
 
-        return [$credentials, $remember];
+        return [$credentials, $panelId,$remember ];
     }
 
     public function submit(): void
@@ -86,13 +87,20 @@ public function submit(): void
                     'code'            => $formData['totp_code'],
                     'safeDeviceInput' => isset($formData['safe_device_enable']) ? $formData['safe_device_enable'] : false
                 ])->validate2Fa($user)) {
+                $sessionKey = config('filament-2fa.login.credential_key', '_2fa_login');
+
                 Notification::make()
                     ->title('Success')
                     ->body(__('filament-2fa::two-factor.success'))
                     ->icon('heroicon-o-check-circle')
                     ->color('success')
                     ->send();
-                $this->redirect(Filament::getUrl());
+                
+                session()->forget("{$sessionKey}.credentials");
+                session()->forget("{$sessionKey}.remember");
+                session()->forget("{$sessionKey}.panel_id");
+
+                $this->redirectIntended(Filament::getUrl());
             } else {
                 Filament::auth()->logout();
                 session()->regenerate();
@@ -103,7 +111,10 @@ public function submit(): void
 
     public function authenticate(): null|bool|Model
     {
-        [$credentials, $remember] = $this->getFlashedData();
+        [$credentials, $panelId, $remember] = $this->getFlashedData();
+
+        $panel = Filament::getPanel($panelId);
+        Filament::setCurrentPanel($panel);
 
         if (!Filament::auth()->attempt($credentials, $remember)) {
             return false;
