bert.hausmans
f1a8591d17
SECURITY: A user with MFA enabled could bypass the MFA challenge by using a pre-existing auth cookie from a previous session. Vulnerability chain: 1. Auth::attempt() in LoginController created a Laravel session (unnecessary side effect — only credential validation was needed) 2. When MFA was required, the response did NOT revoke existing Sanctum tokens or expire the auth cookie 3. If the MFA session expired, the user could navigate directly to any page and the old auth cookie would authenticate them Fixes: - Replace Auth::attempt() with Hash::check() — no session created - Revoke ALL existing Sanctum tokens when MFA is required, so old sessions cannot bypass the challenge - Expire the auth cookie in the MFA-required response via forgetAuthCookie(), ensuring the browser discards stale tokens - Auth is now ONLY issued after successful MFA verification in MfaVerifyController New security tests (11 added): - MFA login returns no auth token or user data - MFA login expires the auth cookie - MFA login revokes all existing tokens - Old token returns 401 after MFA login - MFA session token cannot be used as Bearer token - MFA session consumed after successful verify (no replay) - MFA session survives failed verify (user can retry) - Auth cookie only issued on successful MFA verify - MFA session expires after TTL (10 minutes) - Email codes consumed after use (no replay) - Trusted device expires after 30 days Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
About Laravel
Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:
- Simple, fast routing engine.
- Powerful dependency injection container.
- Multiple back-ends for session and cache storage.
- Expressive, intuitive database ORM.
- Database agnostic schema migrations.
- Robust background job processing.
- Real-time event broadcasting.
Laravel is accessible, powerful, and provides tools required for large, robust applications.
Learning Laravel
Laravel has the most extensive and thorough documentation and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework. You can also check out Laravel Learn, where you will be guided through building a modern Laravel application.
If you don't feel like reading, Laracasts can help. Laracasts contains thousands of video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library.
Laravel Sponsors
We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the Laravel Partners program.
Premium Partners
Contributing
Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the Laravel documentation.
Code of Conduct
In order to ensure that the Laravel community is welcoming to all, please review and abide by the Code of Conduct.
Security Vulnerabilities
If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via taylor@laravel.com. All security vulnerabilities will be promptly addressed.
License
The Laravel framework is open-sourced software licensed under the MIT license.