add comprehensive 2 factor authentication e2e tests

app/Http/Controllers/Web/OtherBrowserSessionsController.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Web;
+
+use Illuminate\Contracts\Auth\StatefulGuard;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Validation\ValidationException;
+use Laravel\Fortify\Actions\ConfirmPassword;
+
+class OtherBrowserSessionsController extends Controller
+{
+    /**
+     * Log the user out of their other browser sessions across all devices.
+     */
+    public function destroy(Request $request, StatefulGuard $guard): RedirectResponse
+    {
+        $password = (string) $request->string('password');
+
+        $confirmed = app(ConfirmPassword::class)($guard, $request->user(), $password);
+
+        if (! $confirmed) {
+            throw ValidationException::withMessages([
+                'password' => __('The password is incorrect.'),
+            ]);
+        }
+
+        $guard->logoutOtherDevices($password);
+
+        $this->deleteOtherSessionRecords($request);
+
+        return back(303);
+    }
+
+    /**
+     * Delete the other browser session records from storage.
+     */
+    protected function deleteOtherSessionRecords(Request $request): void
+    {
+        if (config('session.driver') !== 'database') {
+            return;
+        }
+
+        DB::connection(config('session.connection'))
+            ->table(config('session.table', 'sessions'))
+            ->where('user_id', $request->user()->getAuthIdentifier())
+            ->where('id', '!=', $request->session()->getId())
+            ->delete();
+    }
+}

e2e/two-factor.spec.ts

@@ -0,0 +1,192 @@
+import { test, expect } from '../playwright/fixtures';
+import { PLAYWRIGHT_BASE_URL, TEST_USER_PASSWORD } from '../playwright/config';
+import { generateTotpCode, generateInvalidTotpCode } from './utils/totp';
+import type { Page } from '@playwright/test';
+
+async function goToProfilePage(page: Page) {
+    await page.goto(PLAYWRIGHT_BASE_URL + '/user/profile');
+}
+
+/**
+ * ConfirmsPassword only opens the dialog when the password has not been
+ * confirmed recently, so fill it only when it actually shows up.
+ */
+async function confirmPasswordIfPrompted(page: Page) {
+    const dialog = page.getByRole('dialog');
+    const appeared = await dialog
+        .waitFor({ state: 'visible', timeout: 2500 })
+        .then(() => true)
+        .catch(() => false);
+    if (appeared) {
+        await dialog.getByPlaceholder('Password').fill(TEST_USER_PASSWORD);
+        await dialog.getByRole('button', { name: 'Confirm' }).click();
+        await expect(dialog).not.toBeVisible();
+    }
+}
+
+/**
+ * Enables 2FA from the profile page and returns the TOTP secret (setup key)
+ * and the recovery codes fetched right after enabling.
+ */
+async function enableTwoFactor(page: Page): Promise<{ secret: string; recoveryCodes: string[] }> {
+    await goToProfilePage(page);
+    await page
+        .getByText('You have not enabled two factor authentication.')
+        .locator('..')
+        .getByRole('button', { name: 'Enable' })
+        .click();
+
+    const dialog = page.getByRole('dialog');
+    await expect(dialog).toBeVisible();
+
+    const recoveryCodesResponse = page.waitForResponse(
+        (response) =>
+            response.url().includes('/user/two-factor-recovery-codes') &&
+            response.request().method() === 'GET'
+    );
+    await dialog.getByPlaceholder('Password').fill(TEST_USER_PASSWORD);
+    await dialog.getByRole('button', { name: 'Confirm' }).click();
+
+    await expect(page.getByRole('heading', { name: 'Finish enabling two factor' })).toBeVisible();
+    const recoveryCodes: string[] = await (await recoveryCodesResponse).json();
+
+    const setupKeyText = await page.getByText('Setup Key:').textContent();
+    const secret = setupKeyText!.replace('Setup Key:', '').trim();
+    expect(secret.length).toBeGreaterThan(0);
+
+    return { secret, recoveryCodes };
+}
+
+/**
+ * Confirms a freshly enabled 2FA setup with a valid TOTP code.
+ */
+async function confirmTwoFactor(page: Page, secret: string) {
+    await page.getByLabel('Code').fill(generateTotpCode(secret));
+    await page.getByRole('button', { name: 'Confirm', exact: true }).click();
+    await confirmPasswordIfPrompted(page);
+    await expect(page.getByText('You have enabled two factor authentication.')).toBeVisible();
+}
+
+async function logout(page: Page) {
+    await page.getByTestId('current_user_button').click();
+    await page.getByText('Log Out', { exact: true }).click();
+    await page.waitForURL(PLAYWRIGHT_BASE_URL + '/login');
+}
+
+/**
+ * Reads the email of the current user from the profile form, waiting until
+ * the user query has populated it.
+ */
+async function getProfileEmail(page: Page): Promise<string> {
+    await goToProfilePage(page);
+    const emailInput = page.getByLabel('Email', { exact: true });
+    await expect(emailInput).toHaveValue(/@/);
+    return await emailInput.inputValue();
+}
+
+async function loginUntilTwoFactorChallenge(page: Page, email: string) {
+    await page.goto(PLAYWRIGHT_BASE_URL + '/login');
+    await page.getByLabel('Email').fill(email);
+    await page.getByLabel('Password').fill(TEST_USER_PASSWORD);
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await page.waitForURL(PLAYWRIGHT_BASE_URL + '/two-factor-challenge');
+}
+
+test('test that 2FA can be confirmed with a TOTP code and shows recovery codes', async ({
+    page,
+}) => {
+    const { secret, recoveryCodes } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+
+    await expect(page.getByText('Store these recovery codes')).toBeVisible();
+    expect(recoveryCodes.length).toBeGreaterThan(0);
+    for (const code of recoveryCodes) {
+        await expect(page.getByText(code)).toBeVisible();
+    }
+
+    // The confirmed state survives a reload
+    await page.reload();
+    await expect(page.getByText('You have enabled two factor authentication.')).toBeVisible();
+});
+
+test('test that 2FA confirmation fails with an invalid TOTP code', async ({ page }) => {
+    const { secret } = await enableTwoFactor(page);
+
+    await page.getByLabel('Code').fill(generateInvalidTotpCode(secret));
+    await page.getByRole('button', { name: 'Confirm', exact: true }).click();
+    await confirmPasswordIfPrompted(page);
+
+    await expect(page.getByRole('alert')).toContainText(
+        'The provided two factor authentication code was invalid.'
+    );
+    await expect(page.getByRole('heading', { name: 'Finish enabling two factor' })).toBeVisible();
+});
+
+test('test that recovery codes can be regenerated', async ({ page }) => {
+    const { secret, recoveryCodes } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+
+    const newCodesResponse = page.waitForResponse(
+        (response) =>
+            response.url().includes('/user/two-factor-recovery-codes') &&
+            response.request().method() === 'GET'
+    );
+    await page.getByRole('button', { name: 'Regenerate Recovery Codes' }).click();
+    await confirmPasswordIfPrompted(page);
+    const newCodes: string[] = await (await newCodesResponse).json();
+
+    expect(newCodes).not.toEqual(recoveryCodes);
+    await expect(page.getByText(newCodes[0])).toBeVisible();
+    await expect(page.getByText(recoveryCodes[0])).not.toBeVisible();
+});
+
+test('test that 2FA can be disabled', async ({ page }) => {
+    const { secret } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+
+    await page.getByRole('button', { name: 'Disable' }).click();
+    await confirmPasswordIfPrompted(page);
+    await expect(page.getByText('You have not enabled two factor authentication.')).toBeVisible();
+
+    // The disabled state survives a reload
+    await page.reload();
+    await expect(page.getByText('You have not enabled two factor authentication.')).toBeVisible();
+});
+
+test('test that login challenges for a TOTP code and rejects an invalid code', async ({ page }) => {
+    const email = await getProfileEmail(page);
+
+    const { secret } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+    await logout(page);
+
+    await loginUntilTwoFactorChallenge(page, email);
+
+    await page.getByLabel('Code').fill(generateInvalidTotpCode(secret));
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await expect(page.getByRole('alert')).toContainText(
+        'The provided two factor authentication code was invalid.'
+    );
+
+    // Fortify rejects replayed codes, and the current window's code was
+    // already consumed when confirming the setup — use the next window's
+    // code, which the +/- 1 step verification window also accepts.
+    await page.getByLabel('Code').fill(generateTotpCode(secret, Date.now() + 30_000));
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await expect(page.getByTestId('dashboard_view')).toBeVisible();
+});
+
+test('test that login works with a recovery code', async ({ page }) => {
+    const email = await getProfileEmail(page);
+
+    const { secret, recoveryCodes } = await enableTwoFactor(page);
+    await confirmTwoFactor(page, secret);
+    await logout(page);
+
+    await loginUntilTwoFactorChallenge(page, email);
+
+    await page.getByRole('button', { name: 'Use a recovery code' }).click();
+    await page.getByLabel('Recovery Code').fill(recoveryCodes[0]);
+    await page.getByRole('button', { name: 'Log in' }).click();
+    await expect(page.getByTestId('dashboard_view')).toBeVisible();
+});

e2e/utils/totp.ts

@@ -0,0 +1,58 @@
+import { createHmac } from 'node:crypto';
+
+const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+function base32Decode(input: string): Buffer {
+    const normalized = input
+        .toUpperCase()
+        .replace(/=+$/, '')
+        .replace(/[^A-Z2-7]/g, '');
+    let bits = 0;
+    let value = 0;
+    const bytes: number[] = [];
+    for (const char of normalized) {
+        value = (value << 5) | BASE32_ALPHABET.indexOf(char);
+        bits += 5;
+        if (bits >= 8) {
+            bytes.push((value >>> (bits - 8)) & 0xff);
+            bits -= 8;
+        }
+    }
+    return Buffer.from(bytes);
+}
+
+/**
+ * Generates a 6-digit TOTP code (RFC 6238, SHA-1, 30 second period) for the
+ * given base32 secret — the "Setup Key" shown while enabling 2FA.
+ */
+export function generateTotpCode(base32Secret: string, atMs: number = Date.now()): string {
+    const counter = Math.floor(atMs / 1000 / 30);
+    const counterBuffer = Buffer.alloc(8);
+    counterBuffer.writeBigUInt64BE(BigInt(counter));
+    const digest = createHmac('sha1', base32Decode(base32Secret)).update(counterBuffer).digest();
+    const offset = digest[digest.length - 1] & 0x0f;
+    const code =
+        ((digest[offset] & 0x7f) << 24) |
+        ((digest[offset + 1] & 0xff) << 16) |
+        ((digest[offset + 2] & 0xff) << 8) |
+        (digest[offset + 3] & 0xff);
+    return (code % 1_000_000).toString().padStart(6, '0');
+}
+
+/**
+ * Generates a syntactically valid TOTP code that is guaranteed to be rejected,
+ * by using a timestamp far outside the accepted verification window.
+ */
+export function generateInvalidTotpCode(base32Secret: string): string {
+    const validNow = [
+        generateTotpCode(base32Secret, Date.now() - 30_000),
+        generateTotpCode(base32Secret),
+        generateTotpCode(base32Secret, Date.now() + 30_000),
+    ];
+    for (let minutes = 10; ; minutes++) {
+        const candidate = generateTotpCode(base32Secret, Date.now() + minutes * 60_000);
+        if (!validNow.includes(candidate)) {
+            return candidate;
+        }
+    }
+}

routes/web.php

@@ -6,6 +6,7 @@ use App\Http\Controllers\Web\DashboardController;
 use App\Http\Controllers\Web\HomeController;
 use App\Http\Controllers\Web\OrganizationController;
 use App\Http\Controllers\Web\OrganizationInvitationController;
+use App\Http\Controllers\Web\OtherBrowserSessionsController;
 use App\Http\Controllers\Web\UserController;
 use App\Http\Controllers\Web\UserProfileController;
 use App\Service\PermissionStore;
@@ -102,6 +103,8 @@ Route::middleware([
         return to_route('organizations.show', [$organizationId]);
     })->name('teams.show');
     Route::get('/user/profile', [UserProfileController::class, 'show'])->name('profile.show');
+    Route::delete('/user/other-browser-sessions', [OtherBrowserSessionsController::class, 'destroy'])
+        ->name('other-browser-sessions.destroy');
 });
 
 Route::get('/team-invitations/{invitation}', [OrganizationInvitationController::class, 'accept'])

tests/Feature/BrowserSessionsTest.php

@@ -1,25 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Tests\Feature;
-
-use App\Models\User;
-use Illuminate\Foundation\Testing\RefreshDatabase;
-use Tests\TestCase;
-
-class BrowserSessionsTest extends TestCase
-{
-    use RefreshDatabase;
-
-    public function test_other_browser_sessions_can_be_logged_out(): void
-    {
-        $this->actingAs($user = User::factory()->create());
-
-        $response = $this->delete('/user/other-browser-sessions', [
-            'password' => 'password',
-        ]);
-
-        $response->assertSessionHasNoErrors();
-    }
-}

tests/Unit/Endpoint/Web/OtherBrowserSessionsEndpointTest.php

@@ -0,0 +1,103 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Unit\Endpoint\Web;
+
+use App\Http\Controllers\Web\OtherBrowserSessionsController;
+use App\Models\User;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Hash;
+use PHPUnit\Framework\Attributes\CoversClass;
+
+#[CoversClass(OtherBrowserSessionsController::class)]
+class OtherBrowserSessionsEndpointTest extends EndpointTestAbstract
+{
+    public function test_destroy_logs_out_other_browser_sessions_with_the_correct_password(): void
+    {
+        // Arrange
+        $user = User::factory()->create();
+        $originalPasswordHash = $user->password;
+        $this->actingAs($user);
+
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'password',
+        ]);
+
+        // Assert
+        $response->assertRedirect();
+        $response->assertSessionHasNoErrors();
+        // logoutOtherDevices re-hashes the password (same plaintext, new hash) to invalidate other sessions.
+        $this->assertNotSame($originalPasswordHash, $user->fresh()->password);
+        $this->assertTrue(Hash::check('password', $user->fresh()->password));
+    }
+
+    public function test_destroy_fails_with_an_incorrect_password(): void
+    {
+        // Arrange
+        $user = User::factory()->create();
+        $originalPasswordHash = $user->password;
+        $this->actingAs($user);
+
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'wrong-password',
+        ]);
+
+        // Assert
+        $response->assertSessionHasErrors('password');
+        // No side effects when the password is incorrect: the password must not be re-hashed.
+        $this->assertSame($originalPasswordHash, $user->fresh()->password);
+    }
+
+    public function test_destroy_requires_authentication(): void
+    {
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'password',
+        ]);
+
+        // Assert
+        $response->assertRedirect(route('login'));
+    }
+
+    public function test_destroy_deletes_the_other_database_session_records_of_the_current_user(): void
+    {
+        // Arrange
+        config(['session.driver' => 'database']);
+        $user = User::factory()->create();
+        $otherUser = User::factory()->create();
+        $this->actingAs($user);
+
+        DB::table('sessions')->insert([
+            [
+                'id' => 'other-session-of-current-user',
+                'user_id' => $user->getKey(),
+                'ip_address' => '192.0.2.10',
+                'user_agent' => '',
+                'payload' => '',
+                'last_activity' => now()->subMinutes(5)->timestamp,
+            ],
+            [
+                'id' => 'session-of-another-user',
+                'user_id' => $otherUser->getKey(),
+                'ip_address' => '192.0.2.30',
+                'user_agent' => '',
+                'payload' => '',
+                'last_activity' => now()->timestamp,
+            ],
+        ]);
+
+        // Act
+        $response = $this->delete('/user/other-browser-sessions', [
+            'password' => 'password',
+        ]);
+
+        // Assert
+        $response->assertSessionHasNoErrors();
+        // The current user's other sessions are removed, while another user's session is untouched.
+        $this->assertDatabaseMissing('sessions', ['id' => 'other-session-of-current-user']);
+        $this->assertDatabaseHas('sessions', ['id' => 'session-of-another-user']);
+    }
+}