Added Google Two Factor Authentication. Closes #326.

src/Http/Controllers/AuthController.php

@@ -8,7 +8,9 @@ use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\Request;
+use Illuminate\Support\Facades\Session;
 use Illuminate\Support\Facades\View;
+use PragmaRX\Google2FA\Vendor\Laravel\Facade as Google2FA;
 
 /**
  * Logs users into their account.
@@ -32,7 +34,22 @@ class AuthController extends Controller
      */
     public function postLogin()
     {
-        if (Auth::attempt(Binput::only(['email', 'password']))) {
+        $loginData = Binput::only(['email', 'password']);
+        // Validate login credentials.
+        if (Auth::validate($loginData)) {
+            // Log the user in for one request.
+            Auth::once($loginData);
+            // Do we have Two Factor Auth enabled?
+            if (Auth::user()->hasEnabled2FA) {
+                // Temporarily store the user.
+                Session::put('2fa_id', Auth::user()->id);
+
+                return Redirect::route('two-factor');
+            }
+
+            // We probably wan't to add support for "Remember me" here.
+            Auth::attempt(Binput::only(['email', 'password']));
+
             return Redirect::intended('dashboard');
         }
 
@@ -43,6 +60,47 @@ class AuthController extends Controller
             ->with('error', 'Invalid email or password');
     }
 
+    /**
+     * Shows the two-factor-auth view.
+     *
+     * @return \Illuminate\View\View
+     */
+    public function showTwoFactorAuth()
+    {
+        return View::make('auth.two-factor-auth');
+    }
+
+    /**
+     * Validates the Two Factor token.
+     *
+     * This feels very hacky, but we have to juggle authentication and codes.
+     *
+     * @return \Illuminate\Http\RedirectResponse
+     */
+    public function postTwoFactor()
+    {
+        // Check that we have a session.
+        if ($userId = Session::pull('2fa_id')) {
+            $code = Binput::get('code');
+
+            // Maybe a temp login here.
+            Auth::loginUsingId($userId);
+
+            $valid = Google2FA::verifyKey(Auth::user()->google_2fa_secret, $code);
+
+            if ($valid) {
+                return Redirect::intended('dashboard');
+            } else {
+                // Failed login, log back out.
+                Auth::logout();
+
+                return Redirect::route('login')->with('error', 'Invalid token');
+            }
+        }
+
+        return Redirect::route('login')->with('error', 'Invalid token');
+    }
+
     /**
      * Logs the user out, deleting their session etc.
      *

src/Http/Controllers/DashUserController.php

@@ -8,6 +8,7 @@ use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\View;
+use PragmaRX\Google2FA\Vendor\Laravel\Facade as Google2FA;
 
 class DashUserController extends Controller
 {
@@ -32,6 +33,12 @@ class DashUserController extends Controller
     {
         $items = Binput::all();
 
+        $enable2FA = (bool) array_pull($items, 'google2fa');
+
+        // Let's enable/disable auth
+        $authSecret = $enable2FA && ! Auth::user()->hasEnabled2FA ? Google2FA::generateSecretKey() : '';
+        $items['google_2fa_secret'] = $authSecret;
+
         $updated = Auth::user()->update($items);
 
         return Redirect::back()->with('updated', $updated);

src/Http/Controllers/SetupController.php

@@ -126,12 +126,11 @@ class SetupController extends Controller
             // Pull the user details out.
             $userDetails = array_pull($postData, 'user');
 
-            // TODO: Do we want to just use Model::unguard() here?
             $user = User::create([
-                'username' => $userDetails['username'],
-                'email'    => $userDetails['email'],
-                'password' => $userDetails['password'],
-                'level'    => 1,
+                'username'          => $userDetails['username'],
+                'email'             => $userDetails['email'],
+                'password'          => $userDetails['password'],
+                'level'             => 1,
             ]);
 
             Auth::login($user);