bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
948687f27ed7f2e0d335644c0c23bb9aa9509a67
crewli/api/app/Http/Controllers/Api/V1/Auth/MfaVerifyController.php
bert.hausmans 948687f27e feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices 
Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:45:55 +02:00

91 lines
2.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1\Auth;
use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\Auth\MfaEmailSendRequest;
use App\Http\Requests\Api\V1\Auth\MfaVerifyRequest;
use App\Http\Resources\Api\V1\MeResource;
use App\Enums\MfaMethod;
use App\Models\User;
use App\Services\MfaService;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Cache;
final class MfaVerifyController extends Controller
{
use SetAuthCookie;
public function __construct(
private MfaService $mfaService,
) {}
public function verify(MfaVerifyRequest $request): JsonResponse
{
$validated = $request->validated();
$method = MfaMethod::from($validated['method']);
try {
$user = $this->mfaService->verifyMfaCode(
sessionToken: $validated['mfa_session_token'],
code: $validated['code'],
method: $method,
ipAddress: $request->ip(),
);
} catch (\DomainException $e) {
return $this->error($e->getMessage(), 422);
}
// Trust device if requested
if (! empty($validated['trust_device']) && ! empty($validated['device_fingerprint'])) {
$this->mfaService->trustDevice(
user: $user,
fingerprint: $validated['device_fingerprint'],
ipAddress: $request->ip(),
deviceName: $validated['device_name'] ?? null,
);
}
// Issue auth token (same as login flow)
$user->load([
'organisations',
'roles',
'permissions',
'persons' => fn ($q) => $q->with(['event:id,name,slug,start_date,end_date,organisation_id', 'event.organisation:id,name']),
]);
$token = $user->createToken('auth-token')->plainTextToken;
$cookieName = $this->resolveCookieName($request);
return $this->success([
'user' => new MeResource($user),
], 'MFA verification successful')
->withCookie($this->makeAuthCookie($cookieName, $token));
}
public function sendEmailCode(MfaEmailSendRequest $request): JsonResponse
{
$sessionToken = $request->validated('mfa_session_token');
$cacheKey = 'mfa_session:' . $sessionToken;
$session = Cache::get($cacheKey);
if (! $session) {
return $this->error('MFA-sessie verlopen. Log opnieuw in.', 422);
}
$user = User::findOrFail($session['user_id']);
try {
$this->mfaService->sendEmailCode($user);
} catch (\DomainException $e) {
return $this->error($e->getMessage(), 429);
}
return $this->success(null, 'Verification code sent');
}
}
Reference in New Issue View Git Blame Copy Permalink