fix: critical MFA bypass — old auth tokens survive MFA challenge
SECURITY: A user with MFA enabled could bypass the MFA challenge by using a pre-existing auth cookie from a previous session. Vulnerability chain: 1. Auth::attempt() in LoginController created a Laravel session (unnecessary side effect — only credential validation was needed) 2. When MFA was required, the response did NOT revoke existing Sanctum tokens or expire the auth cookie 3. If the MFA session expired, the user could navigate directly to any page and the old auth cookie would authenticate them Fixes: - Replace Auth::attempt() with Hash::check() — no session created - Revoke ALL existing Sanctum tokens when MFA is required, so old sessions cannot bypass the challenge - Expire the auth cookie in the MFA-required response via forgetAuthCookie(), ensuring the browser discards stale tokens - Auth is now ONLY issued after successful MFA verification in MfaVerifyController New security tests (11 added): - MFA login returns no auth token or user data - MFA login expires the auth cookie - MFA login revokes all existing tokens - Old token returns 401 after MFA login - MFA session token cannot be used as Bearer token - MFA session consumed after successful verify (no replay) - MFA session survives failed verify (user can retry) - Auth cookie only issued on successful MFA verify - MFA session expires after TTL (10 minutes) - Email codes consumed after use (no replay) - Trusted device expires after 30 days Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -12,7 +12,7 @@ use App\Http\Resources\Api\V1\MeResource;
|
||||
use App\Models\User;
|
||||
use App\Services\MfaService;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
|
||||
final class LoginController extends Controller
|
||||
@@ -25,7 +25,12 @@ final class LoginController extends Controller
|
||||
|
||||
public function __invoke(LoginRequest $request): JsonResponse
|
||||
{
|
||||
if (! Auth::attempt($request->only('email', 'password'))) {
|
||||
// Validate credentials WITHOUT creating a session.
|
||||
// Auth::attempt() must NOT be used here — it establishes a Laravel
|
||||
// session, which could grant access before MFA verification.
|
||||
$user = User::where('email', $request->validated('email'))->first();
|
||||
|
||||
if (! $user || ! Hash::check($request->validated('password'), $user->password)) {
|
||||
Log::warning('Failed login attempt', [
|
||||
'email' => $request->validated('email'),
|
||||
'ip' => $request->ip(),
|
||||
@@ -35,8 +40,6 @@ final class LoginController extends Controller
|
||||
return $this->unauthorized('Invalid credentials');
|
||||
}
|
||||
|
||||
$user = Auth::user();
|
||||
|
||||
// MFA enabled and confirmed — check trusted device or require MFA
|
||||
if ($user->mfa_enabled && $user->mfa_confirmed_at) {
|
||||
$fingerprint = $request->header('X-Device-Fingerprint');
|
||||
@@ -44,8 +47,11 @@ final class LoginController extends Controller
|
||||
return $this->issueToken($user, $request);
|
||||
}
|
||||
|
||||
// MFA required — return session token instead of auth token
|
||||
Auth::guard('web')->logout();
|
||||
// Revoke ALL existing tokens so old sessions cannot bypass MFA.
|
||||
// The only way to get a new token is through MfaVerifyController
|
||||
// after a successful code verification.
|
||||
$user->tokens()->delete();
|
||||
|
||||
$mfaSession = $this->mfaService->createMfaSession($user, $request->ip());
|
||||
|
||||
// Auto-send email code if email is the preferred method
|
||||
@@ -57,11 +63,15 @@ final class LoginController extends Controller
|
||||
}
|
||||
}
|
||||
|
||||
// Return MFA challenge — NO auth token, NO auth cookie.
|
||||
// Expire the auth cookie to invalidate any stale browser session.
|
||||
$cookieName = $this->resolveCookieName($request);
|
||||
|
||||
return response()->json([
|
||||
'success' => true,
|
||||
'mfa_required' => true,
|
||||
...$mfaSession,
|
||||
]);
|
||||
])->withCookie($this->forgetAuthCookie($cookieName));
|
||||
}
|
||||
|
||||
// MFA required by policy but not yet set up — issue token with flag
|
||||
|
||||
Reference in New Issue
Block a user