Logging in with a Socialite provider bypasses user's 2FA settings
Tesseeaye opened this issue
Stack
Jetstream – Livewire
Package Version
6.0
Laravel Version
11.9
Livewire Version
3.0
React Version
No response
Vue Version
No response
PHP Version
8.3
Problem description
I'm working on a project that uses both Socialite and Jetstream to handle authentication. When a user has 2FA enabled and confirmed and they try to log in with their username/password, they get put through Fortify's auth process and will be presented with a 2FA challenge. If they log in with any Socialite provider and they have 2FA enabled, the user will bypass the 2FA setting and be immediately logged in.
Expected behavior
Users should be confronted with the 2FA screen if it's enabled for them whether they sign in with their username/password or via Socialite.
Steps to reproduce
- Create a new Laravel project with Jetstream.
- Install Socialstream and run install command.
- Generate an OAuth API key and add it to your .env.
- Add the provider to your services.php and enable it in Socialstream's configuration.
- Run migrations.
- Login/Register with the OAuth provider and create your password.
- Enable 2FA and confirm it on your profile.
- Log out and log back in with your email and password; you'll get the 2FA challenge screen, finish logging in.
- Log back out and log back in with your provider, you'll bypass the 2FA challenge screen and be at your dashboard.
I followed these instructions with the repository I linked. Let me know if there's more information I can provide to help!
Reproduction repository
https://github.com/Tesseeaye/socialstream-2fa-bug
Relevant log output
No response
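One way to close the gap described in this report, as an added example that is not Socialstream's own code or its eventual fix: the Socialite callback checks Fortify's two-factor state and hands the user to the existing challenge instead of calling `Auth::login` directly. The controller name, the e-mail lookup and the `/dashboard` redirect are assumptions; the `two-factor.login` route, `hasEnabledTwoFactorAuthentication()` and the `login.id` session key are the ones Fortify's own password login flow uses.

```php
<?php
// Added example (not Socialstream's code): an OAuth callback that honours
// Fortify's two-factor setting instead of logging the user straight in.
// Assumptions: the User model uses Fortify's TwoFactorAuthenticatable trait,
// and the controller name and dashboard path are hypothetical.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;

class OAuthCallbackController extends Controller
{
    public function __invoke(Request $request, string $provider)
    {
        $oauthUser = Socialite::driver($provider)->user();

        // Lookup by e-mail is an assumption for brevity; a real implementation
        // should match on the provider's stable account id (a connected_accounts
        // record) so that an e-mail change on either side neither breaks nor
        // bypasses the match.
        $user = User::where('email', $oauthUser->getEmail())->firstOrFail();

        // The behaviour reported above: logging in here unconditionally
        // skips the 2FA challenge entirely.
        //   Auth::login($user);
        //   return redirect()->intended('/dashboard');

        // Hardened: defer the login to Fortify's challenge when 2FA is confirmed.
        if ($user->hasEnabledTwoFactorAuthentication()) {
            // Same session keys Fortify's password flow sets before redirecting
            // to the challenge; Fortify's TwoFactorLoginRequest reads them back
            // and only logs the user in after a valid code or recovery code.
            $request->session()->put([
                'login.id' => $user->getKey(),
                'login.remember' => false,
            ]);

            return redirect()->route('two-factor.login');
        }

        Auth::login($user);

        return redirect()->intended('/dashboard');
    }
}
```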
@joelbutcher just a heads up #361 doesn't respect when a user changes their email (email mismatch between users and connected_accounts)