Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Logging in with a Socialite provider bypasses user's 2FA settings #358

Closed
Tesseeaye opened this issue Jun 18, 2024 · 2 comments · Fixed by #361
Closed

Logging in with a Socialite provider bypasses user's 2FA settings #358

Tesseeaye opened this issue Jun 18, 2024 · 2 comments · Fixed by #361
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@Tesseeaye
Copy link

Tesseeaye commented Jun 18, 2024
edited
Loading

Stack

Jetstream – Livewire

Package Version

6.0

Laravel Version

11.9

Livewire Version

3.0

react Version

No response

Vue Version

No response

PHP Version

8.3

Problem description

I'm working on a project that uses both Socialite and Jetstream to handle authentication. When a user has 2FA enabled and confirmed and they try to login with their username/password they get put through Fortify's auth process and will be presented with a 2FA challenge. If they login with any Socialite provider and they have 2FA enabled, the user will bypass the 2FA setting and be immediately logged in.

Expected behavior

Users should be confronted with the 2FA screen if it's enabled for them whether they sign in with their username/password or via Socialite.

Steps to reproduce

  1. Create a new Laravel project with Jetstream.
  2. Install Socialstream and run install command.
  3. Generate oAuth API key and add it to your .env.
  4. Add the provider to your services.php and enable it in Socialstreams configuration.
  5. Run migrations.
  6. Login/Register with oAuth provider and create your password.
  7. Enable 2FA and confirm it on your profile.
  8. Logout and log back in with your email and password, you'll get 2FA challenge screen, finish logging in.
  9. Log back out and log back in with your provider, you'll bypass the 2FA challenge screen and be at your dashboard.

I followed these instructions with the repository I linked. Let me know if there's more information I can provide to help!

Reproduction repository

https://github.com/Tesseeaye/socialstream-2fa-bug

Relevant log output

No response
@Tesseeaye Tesseeaye added the bug Something isn't working label Jun 18, 2024
@joelbutcher joelbutcher added the help wanted Extra attention is needed label Jun 20, 2024
@joelbutcher joelbutcher mentioned this issue Jul 18, 2024
Merged
@mystyq
Copy link

mystyq commented Jul 22, 2024

@joelbutcher just a heads up #361 doesn't respect when a user changes their email (email mismatch between users and connected_accounts)

@joelbutcher
Copy link
Owner

@mystyq Thanks for this, though I think the issue was from a different PR (possibly #351)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[6.x] Various updates and fixes (incl. 2FA) joelbutcher/socialstream
3 participants
@joelbutcher @mystyq @Tesseeaye