Make 2FA persistent by using the database #86
Conversation
|
On second thought, this will allow other devices to bypass 2FA (because they will pass the database check if the On this note, you can reject the PR. I will just leave this up here in order to focus on the problem which is really something that should be dealt with. Cheers! |
|
FYI in case you are interested and I am busy later: |
|
I'm currently having this same problem. The user is been asked to re-enter the 2fa code even though the Laravel remeber me option is activated. |
Problem
There is a limitation in the current state of the library in which the 2FA stays alive whilst the current session is alive. That means that
remember_mefunctionalities and cookie-based approaches do not have the choice to provide long-term 2FA authentication and the OTP will be asked as soon as the session is expired.Fix
By using a database column, we can give the choice of a persistent 2FA without being dependent on the session's lifespan. The column is a timestamp and it will be populated with the current time as soon as the OTP is provided and there is a
remember_mecookie set in the user's browser.The new
twoFactorAuthStillValidwill check if the user enabled therememberfunctionality and will pass the check by comparing the timestamp taken on the login with the current_time plus thelifetimeof the config.Bugs and considerations
Keep in mind that the check in line #229 in
Google2FA.phpjust checks for the defaultremember_mecookie of Laravel and there is no validation that the cookie is indeed valid.This PR doesn't play well with
lifetime=0(as you can see in thetwoFactorAuthStillValidmethod) and it would need a hacky way to make it for eternity by passing a large amount of time (like 100 years or something). I will leave this up to you.Final Notes
These changes will allow to the lifetime of the 2FA to be greater than the session's lifetime.
This way, users can stay "2FA authenticated" for a greater amount of time and not be limited by the session's lifespan.