Merge branch 'develop'

Author: michaeldzjap

README.md

@@ -1,4 +1,9 @@
-# Two-Factor-Authentication
+[![Latest Stable Version](https://poser.pugx.org/michaeldzjap/twofactor-auth/version)](https://packagist.org/packages/michaeldzjap/twofactor-auth)
+[![Total Downloads](https://poser.pugx.org/michaeldzjap/twofactor-auth/downloads)](https://packagist.org/packages/michaeldzjap/twofactor-auth)
+[![Latest Unstable Version](https://poser.pugx.org/michaeldzjap/twofactor-auth/v/unstable)](//packagist.org/packages/michaeldzjap/twofactor-auth)
+[![License](https://poser.pugx.org/michaeldzjap/twofactor-auth/license)](https://packagist.org/packages/michaeldzjap/twofactor-auth)
+
+# laravel-two-factor-authentication
 A two-factor authentication package for Laravel >= 5.5
 
 ## Description
@@ -92,8 +97,8 @@ and
 /**
  * Log out the user and start the two factor authentication state.
  *
- * @param  Request $request
- * @param  User $user
+ * @param  \Illuminate\Http\Request $request
+ * @param  \App\User $user
  * @return \Illuminate\Http\Response
  */
 private function startTwoFactorAuthProcess(Request $request, $user)
@@ -115,7 +120,7 @@ and lastly
  * Provider specific two-factor authentication logic. In the case of MessageBird
  * we just want to send an authentication token via SMS.
  *
- * @param  User $user
+ * @param  \App\User $user
  * @return mixed
  */
 private function registerUserAndSendToken(User $user)
@@ -168,16 +173,15 @@ class TwoFactorAuthController extends Controller
 ```php
 ...
 <form class="form-horizontal" role="form" method="POST" action="{{ route('login') }}">
-    {{ csrf_field() }}
+    @csrf
 
     {{-- Add this block to show an error message in case of an expired token or user lockout --}}
     @if ($errors->has('token'))
-        <div class="form-group has-error">
-            <div class="col-xs-12">
-                <span class="help-block">
-                    <strong>{{ $errors->first('token') }}</strong>
-                </span>
-            </div>
+        <div class="alert alert-danger alert-dismissible fade show" role="alert">
+            <strong>{{ $errors->first('token') }}</strong>
+            <button type="button" class="close" data-dismiss="alert" aria-label="Close">
+                <span aria-hidden="true">&times;</span>
+            </button>
         </div>
     @endif
 ...
@@ -207,3 +211,6 @@ TWO_FACTOR_AUTH_DRIVER=dummy
 
 ## Errors and Exceptions
 Unfortunately the *MessageBird* php api throws rather generic exceptions when the verification of a token fails. The only way to distinguish an expired token from an invalid token is by comparing their error messages, which obviously is not a very robust mechanism. The reason this is rather unfortunate is because in the case of an invalid token we want to give the user at least a few (3) changes to re-enter the token before throttling kicks in, whereas in the case of an expired token we just want to redirect to the login screen right away.
+
+## Testing
+An example project including unit and browser tests can be found [here](https://github.com/michaeldzjap/laravel-two-factor-authentication-example).

src/Events/TwoFactorAuthenticated.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace MichaelDzjap\TwoFactorAuth\Events;
+
+use App\User;
+use Illuminate\Queue\SerializesModels;
+
+class TwoFactorAuthenticated
+{
+    use SerializesModels;
+
+    /**
+     * The user instance.
+     *
+     * @var \App\User
+     */
+    public $user;
+
+    /**
+     * Create a new event instance.
+     *
+     * @param  \App\User  $user
+     * @return void
+     */
+    public function __construct(User $user)
+    {
+        $this->user = $user;
+    }
+}

src/Http/Controllers/TwoFactorAuthenticatesUsers.php

@@ -7,6 +7,7 @@
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;
 use MichaelDzjap\TwoFactorAuth\Contracts\TwoFactorProvider;
+use MichaelDzjap\TwoFactorAuth\Events\TwoFactorAuthenticated;
 use MichaelDzjap\TwoFactorAuth\Exceptions\TokenAlreadyProcessedException;
 use MichaelDzjap\TwoFactorAuth\Exceptions\TokenExpiredException;
 use MichaelDzjap\TwoFactorAuth\Exceptions\TokenInvalidException;
@@ -100,7 +101,24 @@ protected function sendTwoFactorAuthResponse(Request $request)
 
         $request->session()->forget('two-factor:auth');
 
-        return redirect()->intended($this->redirectPath());
+        $user = $request->user();
+
+        event(new TwoFactorAuthenticated($user));
+
+        return $this->authenticated($request, $user)
+            ?: redirect()->intended($this->redirectPath());
+    }
+
+    /**
+     * The user has been two-factor authenticated.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  mixed  $user
+     * @return mixed
+     */
+    protected function authenticated(Request $request, $user)
+    {
+        //
     }
 
     /**
@@ -109,6 +127,7 @@ protected function sendTwoFactorAuthResponse(Request $request)
      * we can only do it here because we don't need to redirect to the login route.
      *
      * @param  \Illuminate\Http\Request  $request
+     *
      * @throws \Illuminate\Validation\ValidationException
      */
     protected function sendFailedTwoFactorAuthResponse(Request $request)

src/Providers/BaseProvider.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace MichaelDzjap\TwoFactorAuth\Providers;
+
+use App\User;
+
+abstract class BaseProvider
+{
+    /**
+     * Check if two-factor authentication is enabled for a user.
+     *
+     * @param  \App\User  $user
+     * @return bool
+     */
+    public function enabled(User $user)
+    {
+        return !is_null($user->twoFactorAuth);
+    }
+}

src/Providers/MessageBirdVerify.php

@@ -13,7 +13,7 @@
 use MichaelDzjap\TwoFactorAuth\Exceptions\TokenExpiredException;
 use MichaelDzjap\TwoFactorAuth\Exceptions\TokenInvalidException;
 
-class MessageBirdVerify implements TwoFactorProvider, SMSToken
+class MessageBirdVerify extends BaseProvider implements TwoFactorProvider, SMSToken
 {
     /**
      * MessageBird client instance.
@@ -25,29 +25,18 @@ class MessageBirdVerify implements TwoFactorProvider, SMSToken
     /**
      * MessageBirdVerify constructor.
      *
-     * @param  Client $client
+     * @param  \MessageBird\Client  $client
      * @return void
      */
     public function __construct(Client $client)
     {
         $this->client = $client;
     }
 
-    /**
-     * Check if two-factor authentication is enabled for a user.
-     *
-     * @param  User $user
-     * @return bool
-     */
-    public function enabled(User $user)
-    {
-        return $user->twoFactorAuth;
-    }
-
     /**
      * Register a user with this provider.
      *
-     * @param  User $user
+     * @param  \App\User  $user
      * @return void
      */
     public function register(User $user)
@@ -58,7 +47,7 @@ public function register(User $user)
     /**
      * Unregister a user with this provider.
      *
-     * @param  User $user
+     * @param  \App\User  $user
      * @return bool
      */
     public function unregister(User $user)
@@ -72,8 +61,8 @@ public function unregister(User $user)
     /**
      * Determine if the token is valid.
      *
-     * @param  User $user
-     * @param  string $token
+     * @param  \App\User  $user
+     * @param  string  $token
      * @return bool
      */
     public function verify(User $user, string $token)
@@ -115,11 +104,11 @@ public function verify(User $user, string $token)
     /**
      * Send a user a two-factor authentication token via SMS.
      *
-     * @param  User $user
+     * @param  \App\User  $user
      * @return void
-     * @throws Exception $exception
+     * @throws Exception  $exception
      */
-    public function sendSMSToken(User $user)
+    public function sendSMSToken(User $user) : void
     {
         if (!$user->mobile) {
             throw new Exception("No mobile phone number found for user {$user->id}.");

src/Providers/NullProvider.php

@@ -6,16 +6,8 @@
 use MichaelDzjap\TwoFactorAuth\Contracts\SMSToken;
 use MichaelDzjap\TwoFactorAuth\Contracts\TwoFactorProvider;
 
-class NullProvider implements TwoFactorProvider, SMSToken
+class NullProvider extends BaseProvider implements TwoFactorProvider, SMSToken
 {
-    /**
-     * {@inheritdoc}
-     */
-    public function enabled(User $user)
-    {
-        return $user->twoFactorAuth;
-    }
-
     /**
      * {@inheritdoc}
      */

src/TwoFactorAuth.php

@@ -2,7 +2,7 @@
 
 namespace MichaelDzjap\TwoFactorAuth;
 
-use App\User;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Model;
 
 class TwoFactorAuth extends Model
@@ -34,9 +34,11 @@ class TwoFactorAuth extends Model
 
     /**
      * Get the user that owns the two-factor auth.
+     *
+     * @param \Illuminate\Database\Eloquent\Relations\BelongsTo
      */
-    public function user()
+    public function user() : BelongsTo
     {
-        return $this->belongsTo(User::class);
+        return $this->belongsTo(\App\User::class);
     }
 }

src/TwoFactorAuthenticable.php

@@ -2,14 +2,17 @@
 
 namespace MichaelDzjap\TwoFactorAuth;
 
+use Illuminate\Database\Eloquent\Relations\HasOne;
 use MichaelDzjap\TwoFactorAuth\TwoFactorAuth;
 
 trait TwoFactorAuthenticable
 {
     /**
      * Get the two-factor auth record associated with the user.
+     *
+     * @return \Illuminate\Database\Eloquent\Relations\HasOne
      */
-    public function twoFactorAuth()
+    public function twoFactorAuth() : HasOne
     {
         return $this->hasOne(TwoFactorAuth::class);
     }
@@ -20,7 +23,7 @@ public function twoFactorAuth()
      * @param  string $id
      * @return void
      */
-    public function setTwoFactorAuthId(string $id)
+    public function setTwoFactorAuthId(string $id) : void
     {
         $this->twoFactorAuth->update(['id' => $id]);
     }

src/resources/views/form.blade.php

@@ -2,30 +2,31 @@
 
 @section('content')
 <div class="container">
-    <div class="row">
-        <div class="col-md-8 col-md-offset-2">
-            <div class="panel panel-default">
-                <div class="panel-heading">@lang('twofactor-auth::twofactor-auth.title')</div>
-                <div class="panel-body">
+    <div class="row justify-content-center">
+        <div class="col-md-8">
+            <div class="card">
+                <div class="card-header">@lang('twofactor-auth::twofactor-auth.title')</div>
+
+                <div class="card-body">
                     <form class="form-horizontal" role="form" method="POST" action="{{ route('auth.token') }}">
-                        {{ csrf_field() }}
+                        @csrf
 
-                        <div class="form-group{{ $errors->has('token') ? ' has-error' : '' }}">
-                            <label for="token" class="col-md-4 control-label">@lang('twofactor-auth::twofactor-auth.label')</label>
+                        <div class="form-group row">
+                            <label for="token" class="col-md-4 col-form-label text-md-right">@lang('twofactor-auth::twofactor-auth.label')</label>
 
                             <div class="col-md-6">
-                                <input id="token" type="text" class="form-control" name="token" value="{{ old('token') }}" required autofocus>
+                                <input id="token" type="text" class="form-control{{ $errors->has('token') ? ' is-invalid' : '' }}" name="token" value="{{ old('token') }}" required autofocus>
 
                                 @if ($errors->has('token'))
-                                    <span class="help-block">
+                                    <span class="invalid-feedback" role="alert">
                                         <strong>{{ $errors->first('token') }}</strong>
                                     </span>
                                 @endif
                             </div>
                         </div>
 
-                        <div class="form-group">
-                            <div class="col-md-8 col-md-offset-4">
+                        <div class="form-group row mb-0">
+                            <div class="col-md-8 offset-md-4">
                                 <button type="submit" class="btn btn-primary">
                                     @lang('twofactor-auth::twofactor-auth.send')
                                 </button>