laravel / fortify

Backend controllers and scaffolding for Laravel authentication.

Home Page: https://laravel.com/docs/fortify

TwoFactorAuthenticatable::twoFactorQrCodeUrl() email address for svg/url implant missing on first enable

BlueJ-D opened this issue · comments

  • Fortify Version: ???? <- how do I find?
  • Laravel Version: 8.81
  • PHP Version: 8.1.2
  • Database Driver & Version: MySQL

Description:

Never submitted an issue on GitHub before; this might even be the wrong place, but it's the best I can find. It seems this could be linked with Jetstream. I also had a look at previous issues to see if this was mentioned before.

Using Jetstream, Fortify, Livewire standard install via CLI as instructed on the website.
After install, navigating to user/profile/ and clicking enable in the 2FA section, the page reloads with the SVG QR.

The QR code does not have the user's email address embedded into the SVG QR.
In Google Authenticator I get "AppName ()".

vendor/laravel/fortify/src/TwoFactorAuthenticatable.php:

/**
 * Get the two factor authentication QR code URL.
 *
 * @return string
 */
public function twoFactorQrCodeUrl()
{
    return app(TwoFactorAuthenticationProvider::class)->qrCodeUrl(
        config('app.name'),
        $this->{Fortify::username()},  // <- NOT set on enabled.
        decrypt($this->two_factor_secret)
    );
}

I tested with debug_bar and on page echo in resources/views/profile/two-factor-authentication-form.blade.php:

                    {{ debug($this) }}
                    {!! auth()->user()->twoFactorQrCodeSvg() !!}
                    {!! auth()->user()->twoFactorQrCodeUrl() !!}
                    }
                </div>
                <div class="mt-4 max-w-xl text-sm text-gray-600">
                <form method="POST" action="{{ route('two-factor.confirm') }}">
...

It seems that if $this->showingQrCode is true, user()->twoFactorQrCodeUrl() will not embed the user's email into the QR.
Reloading the page and force-showing the QR then fixes the URL and SVG;
in Google Authenticator I get "AppName (email@email.com)".

I've added the below as a very hacky hack for the moment.

...
@if ($this->enabled)
            @if($this->showingQrCode)
            <script>
                location.reload();
            </script>
            @endif
...

Of course, this is not a major issue, but it is a little annoying. When testing the site with multiple accounts, bringing up the authenticator app I get a list of:
AppName ()
AppName ()
AppName ()
AppName ()
AppName ()

This is also the same with Microsoft Authenticator.

Steps To Reproduce:

  • install Jetstream with Livewire as stated on the website
  • for extra visual debugging, modify resources/views/profile/two-factor-authentication-form.blade.php by adding: {!! auth()->user()->twoFactorQrCodeUrl() !!} somewhere outside the QR-showing @if(showing) statement;
  • navigate to user/profile
  • click enable 2fa
  • view totp link or scan QR
  • reload page
  • compare totp url

I can't seem to reproduce this. The username is properly set for me.
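
As an added example (not part of this thread and not Fortify's own code), the check below parses a TOTP provisioning URI and flags the empty account name described in the report, so the condition can be caught in a test instead of in the authenticator app. It assumes the usual `otpauth://totp/Issuer:account?secret=...&issuer=...` Key URI layout; the function name `otpauthLabelProblems` is hypothetical and the sample URIs and secret are constructed.

```php
<?php
// Added example: validate the label of an otpauth:// provisioning URI.

/**
 * Return a list of problems found in a TOTP provisioning URI.
 * An empty list means the label, secret and issuer look usable.
 */
function otpauthLabelProblems(string $uri): array
{
    $parts = parse_url($uri);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'otpauth') {
        return ['not an otpauth:// URI'];
    }

    $problems = [];

    // The label is the URI path: "Issuer:account" (the issuer prefix is optional).
    $label   = rawurldecode(ltrim($parts['path'] ?? '', '/'));
    $pos     = strpos($label, ':');
    $prefix  = $pos === false ? null : substr($label, 0, $pos);
    $account = trim($pos === false ? $label : substr($label, $pos + 1));

    if ($account === '') {
        // This is the "AppName ()" case from the report.
        $problems[] = 'account name is empty';
    }

    parse_str($parts['query'] ?? '', $query);
    if (($query['secret'] ?? '') === '') {
        $problems[] = 'secret parameter is missing';
    }
    $issuer = $query['issuer'] ?? null;
    if ($prefix !== null && $issuer !== null && $prefix !== $issuer) {
        $problems[] = 'label prefix and issuer parameter differ';
    }

    return $problems;
}

// Constructed sample URIs (placeholder secret, not taken from the issue).
$samples = [
    'first enable' => 'otpauth://totp/AppName:?secret=JBSWY3DPEHPK3PXP&issuer=AppName',
    'after reload' => 'otpauth://totp/AppName:email%40email.com?secret=JBSWY3DPEHPK3PXP&issuer=AppName',
];

foreach ($samples as $name => $uri) {
    $problems = otpauthLabelProblems($uri);
    echo $name, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```

In a Laravel feature test, the string returned by `twoFactorQrCodeUrl()` right after enabling 2FA could be passed to this function in place of the constructed samples.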