From 8e6306cb412d92b895d2e12246e2d9d8c39ee604 Mon Sep 17 00:00:00 2001
From: Dries Vints <dries@vints.io>
Date: Fri, 4 Mar 2022 16:13:11 +0100
Subject: [PATCH 1/7] Confirm 2FA in Livewire

---
 .../Livewire/TwoFactorAuthenticationForm.php  | 56 +++++++++++++++++++
 .../two-factor-authentication-form.blade.php  | 28 +++++++++-
 2 files changed, 82 insertions(+), 2 deletions(-)

diff --git a/src/Http/Livewire/TwoFactorAuthenticationForm.php b/src/Http/Livewire/TwoFactorAuthenticationForm.php
index ba804f84f..5cd03fd7d 100644
--- a/src/Http/Livewire/TwoFactorAuthenticationForm.php
+++ b/src/Http/Livewire/TwoFactorAuthenticationForm.php
@@ -3,6 +3,7 @@
 namespace Laravel\Jetstream\Http\Livewire;
 
 use Illuminate\Support\Facades\Auth;
+use Laravel\Fortify\Actions\ConfirmTwoFactorAuthentication;
 use Laravel\Fortify\Actions\DisableTwoFactorAuthentication;
 use Laravel\Fortify\Actions\EnableTwoFactorAuthentication;
 use Laravel\Fortify\Actions\GenerateNewRecoveryCodes;
@@ -21,6 +22,13 @@ class TwoFactorAuthenticationForm extends Component
      */
     public $showingQrCode = false;
 
+    /**
+     * Indicates if two factor authentication confirmation input and button are being displayed.
+     *
+     * @var bool
+     */
+    public $showingConfirmation = false;
+
     /**
      * Indicates if two factor authentication recovery codes are being displayed.
      *
@@ -28,6 +36,26 @@ class TwoFactorAuthenticationForm extends Component
      */
     public $showingRecoveryCodes = false;
 
+    /**
+     * The OTP code for confirming 2FA.
+     *
+     * @var string|null
+     */
+    public $code;
+
+    /**
+     * Mount the component.
+     *
+     * @return void
+     */
+    public function mount()
+    {
+        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
+            is_null(Auth::user()->two_factor_confirmed_at)) {
+            app(DisableTwoFactorAuthentication::class)(Auth::user());
+        }
+    }
+
     /**
      * Enable two factor authentication for the user.
      *
@@ -43,6 +71,30 @@ public function enableTwoFactorAuthentication(EnableTwoFactorAuthentication $ena
         $enable(Auth::user());
 
         $this->showingQrCode = true;
+
+        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm')) {
+            $this->showingConfirmation = true;
+        } else {
+            $this->showingRecoveryCodes = true;
+        }
+    }
+
+    /**
+     * Confirm two factor authentication for the user.
+     *
+     * @param  \Laravel\Fortify\Actions\ConfirmTwoFactorAuthentication  $confirm
+     * @return void
+     */
+    public function confirmTwoFactorAuthentication(ConfirmTwoFactorAuthentication $confirm)
+    {
+        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirmPassword')) {
+            $this->ensurePasswordIsConfirmed();
+        }
+
+        $confirm(Auth::user(), $this->code);
+
+        $this->showingQrCode = false;
+        $this->showingConfirmation = false;
         $this->showingRecoveryCodes = true;
     }
 
@@ -90,6 +142,10 @@ public function disableTwoFactorAuthentication(DisableTwoFactorAuthentication $d
         }
 
         $disable(Auth::user());
+
+        $this->showingQrCode = false;
+        $this->showingConfirmation = false;
+        $this->showingRecoveryCodes = false;
     }
 
     /**
diff --git a/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php b/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
index 88d8f3865..0960cbc44 100644
--- a/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
+++ b/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
@@ -10,7 +10,11 @@
     <x-slot name="content">
         <h3 class="text-lg font-medium text-gray-900">
             @if ($this->enabled)
-                {{ __('You have enabled two factor authentication.') }}
+                @if ($showingConfirmation)
+                    {{ __('You are enabling two factor authentication.') }}
+                @else
+                    {{ __('You have enabled two factor authentication.') }}
+                @endif
             @else
                 {{ __('You have not enabled two factor authentication.') }}
             @endif
@@ -26,13 +30,27 @@
             @if ($showingQrCode)
                 <div class="mt-4 max-w-xl text-sm text-gray-600">
                     <p class="font-semibold">
-                        {{ __('Two factor authentication is now enabled. Scan the following QR code using your phone\'s authenticator application.') }}
+                        @if ($showingConfirmation)
+                            {{ __('Scan the following QR code using your phone\'s authenticator application and confirm it with the generated OTP code.') }}
+                        @else
+                            {{ __('Two factor authentication is now enabled. Scan the following QR code using your phone\'s authenticator application.') }}
+                        @endif
                     </p>
                 </div>
 
                 <div class="mt-4">
                     {!! $this->user->twoFactorQrCodeSvg() !!}
                 </div>
+
+                @if ($showingConfirmation)
+                    <div class="mt-4">
+                        <x-jet-label for="code" value="{{ __('Code') }}" />
+                        <x-jet-input id="code" class="block mt-1 w-full" type="text" inputmode="numeric" name="code" autofocus autocomplete="one-time-code"
+                            wire:model.defer="code"
+                            wire:keydown.enter="confirmTwoFactorAuthentication" />
+                        <x-jet-input-error for="code" class="mt-2" />
+                    </div>
+                @endif
             @endif
 
             @if ($showingRecoveryCodes)
@@ -64,6 +82,12 @@
                             {{ __('Regenerate Recovery Codes') }}
                         </x-jet-secondary-button>
                     </x-jet-confirms-password>
+                @elseif ($showingConfirmation)
+                    <x-jet-confirms-password wire:then="confirmTwoFactorAuthentication">
+                        <x-jet-button type="button" wire:loading.attr="disabled">
+                            {{ __('Confirm') }}
+                        </x-jet-button>
+                    </x-jet-confirms-password>
                 @else
                     <x-jet-confirms-password wire:then="showRecoveryCodes">
                         <x-jet-secondary-button class="mr-3">

From 7e83ffaa0b1007654d8c1890c59544e650d33ba7 Mon Sep 17 00:00:00 2001
From: Dries Vints <dries@vints.io>
Date: Fri, 4 Mar 2022 16:15:39 +0100
Subject: [PATCH 2/7] Bump fortify

---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index b9df2d8cd..527398ebf 100644
--- a/composer.json
+++ b/composer.json
@@ -18,7 +18,7 @@
         "ext-json": "*",
         "illuminate/support": "^8.37|^9.0",
         "jenssegers/agent": "^2.6",
-        "laravel/fortify": "^1.9"
+        "laravel/fortify": "^1.11.1"
     },
     "require-dev": {
         "inertiajs/inertia-laravel": "^0.5.2",

From ad938ff1b197e8f79d9d2cb96544852e752251d1 Mon Sep 17 00:00:00 2001
From: Taylor Otwell <taylor@laravel.com>
Date: Tue, 15 Mar 2022 10:20:47 -0500
Subject: [PATCH 3/7] formatting

---
 .../Livewire/TwoFactorAuthenticationForm.php  |  4 +--
 .../two-factor-authentication-form.blade.php  | 29 +++++++++++++------
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/Http/Livewire/TwoFactorAuthenticationForm.php b/src/Http/Livewire/TwoFactorAuthenticationForm.php
index 5cd03fd7d..0f0f27ffd 100644
--- a/src/Http/Livewire/TwoFactorAuthenticationForm.php
+++ b/src/Http/Livewire/TwoFactorAuthenticationForm.php
@@ -23,7 +23,7 @@ class TwoFactorAuthenticationForm extends Component
     public $showingQrCode = false;
 
     /**
-     * Indicates if two factor authentication confirmation input and button are being displayed.
+     * Indicates if the two factor authentication confirmation input and button are being displayed.
      *
      * @var bool
      */
@@ -37,7 +37,7 @@ class TwoFactorAuthenticationForm extends Component
     public $showingRecoveryCodes = false;
 
     /**
-     * The OTP code for confirming 2FA.
+     * The OTP code for confirming two factor authentication.
      *
      * @var string|null
      */
diff --git a/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php b/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
index 0960cbc44..eda90d486 100644
--- a/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
+++ b/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
@@ -11,7 +11,7 @@
         <h3 class="text-lg font-medium text-gray-900">
             @if ($this->enabled)
                 @if ($showingConfirmation)
-                    {{ __('You are enabling two factor authentication.') }}
+                    {{ __('Finish enabling two factor authentication.') }}
                 @else
                     {{ __('You have enabled two factor authentication.') }}
                 @endif
@@ -31,7 +31,7 @@
                 <div class="mt-4 max-w-xl text-sm text-gray-600">
                     <p class="font-semibold">
                         @if ($showingConfirmation)
-                            {{ __('Scan the following QR code using your phone\'s authenticator application and confirm it with the generated OTP code.') }}
+                            {{ __('To finish enabling two factor authentication, scan the following QR code using your phone\'s authenticator application and provide the generated OTP code.') }}
                         @else
                             {{ __('Two factor authentication is now enabled. Scan the following QR code using your phone\'s authenticator application.') }}
                         @endif
@@ -45,9 +45,11 @@
                 @if ($showingConfirmation)
                     <div class="mt-4">
                         <x-jet-label for="code" value="{{ __('Code') }}" />
-                        <x-jet-input id="code" class="block mt-1 w-full" type="text" inputmode="numeric" name="code" autofocus autocomplete="one-time-code"
+
+                        <x-jet-input id="code" class="block mt-1 w-1/2" type="text" inputmode="numeric" name="code" autofocus autocomplete="one-time-code"
                             wire:model.defer="code"
                             wire:keydown.enter="confirmTwoFactorAuthentication" />
+
                         <x-jet-input-error for="code" class="mt-2" />
                     </div>
                 @endif
@@ -84,7 +86,7 @@
                     </x-jet-confirms-password>
                 @elseif ($showingConfirmation)
                     <x-jet-confirms-password wire:then="confirmTwoFactorAuthentication">
-                        <x-jet-button type="button" wire:loading.attr="disabled">
+                        <x-jet-button type="button" class="mr-3" wire:loading.attr="disabled">
                             {{ __('Confirm') }}
                         </x-jet-button>
                     </x-jet-confirms-password>
@@ -96,11 +98,20 @@
                     </x-jet-confirms-password>
                 @endif
 
-                <x-jet-confirms-password wire:then="disableTwoFactorAuthentication">
-                    <x-jet-danger-button wire:loading.attr="disabled">
-                        {{ __('Disable') }}
-                    </x-jet-danger-button>
-                </x-jet-confirms-password>
+                @if ($showingConfirmation)
+                    <x-jet-confirms-password wire:then="disableTwoFactorAuthentication">
+                        <x-jet-secondary-button wire:loading.attr="disabled">
+                            {{ __('Cancel') }}
+                        </x-jet-secondary-button>
+                    </x-jet-confirms-password>
+                @else
+                    <x-jet-confirms-password wire:then="disableTwoFactorAuthentication">
+                        <x-jet-danger-button wire:loading.attr="disabled">
+                            {{ __('Disable') }}
+                        </x-jet-danger-button>
+                    </x-jet-confirms-password>
+                @endif
+
             @endif
         </div>
     </x-slot>

From 232f025635a2ad2839d86412175805bc3c657262 Mon Sep 17 00:00:00 2001
From: Taylor Otwell <taylor@laravel.com>
Date: Tue, 15 Mar 2022 11:36:18 -0500
Subject: [PATCH 4/7] inertia support

---
 .../Inertia/UserProfileController.php         | 33 ++++++++
 .../Partials/TwoFactorAuthenticationForm.vue  | 84 +++++++++++++++++--
 .../resources/js/Pages/Profile/Show.vue       |  9 +-
 .../two-factor-authentication-form.blade.php  |  2 +-
 4 files changed, 117 insertions(+), 11 deletions(-)

diff --git a/src/Http/Controllers/Inertia/UserProfileController.php b/src/Http/Controllers/Inertia/UserProfileController.php
index 4c1ab69f6..325c0d071 100644
--- a/src/Http/Controllers/Inertia/UserProfileController.php
+++ b/src/Http/Controllers/Inertia/UserProfileController.php
@@ -5,8 +5,11 @@
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;
 use Jenssegers\Agent\Agent;
+use Laravel\Fortify\Actions\DisableTwoFactorAuthentication;
+use Laravel\Fortify\Features;
 use Laravel\Jetstream\Jetstream;
 
 class UserProfileController extends Controller
@@ -19,7 +22,37 @@ class UserProfileController extends Controller
      */
     public function show(Request $request)
     {
+        $currentTime = time();
+
+        // Notate totally disabled state in session...
+        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
+            is_null(Auth::user()->two_factor_secret) &&
+            is_null(Auth::user()->two_factor_confirmed_at)) {
+            $request->session()->put('two_factor_empty_at', $currentTime);
+        }
+
+        // If was previously totally disabled this session but is now confirming, notate time...
+        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
+            ! is_null(Auth::user()->two_factor_secret) &&
+            is_null(Auth::user()->two_factor_confirmed_at) &&
+            $request->session()->has('two_factor_empty_at') &&
+            is_null($request->session()->get('two_factor_confirming_at'))) {
+            $request->session()->put('two_factor_confirming_at', $currentTime);
+        }
+
+        // If the profile is reloaded and is not confirmed but was previously in confirming state, disable...
+        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
+            is_null(Auth::user()->two_factor_confirmed_at) &&
+            // Don't disable if confirmation was first noted during this same request...
+            $request->session()->get('two_factor_confirming_at', 0) != $currentTime) {
+            app(DisableTwoFactorAuthentication::class)(Auth::user());
+
+            $request->session()->put('two_factor_empty_at', $currentTime);
+            $request->session()->remove('two_factor_confirming_at');
+        }
+
         return Jetstream::inertia()->render($request, 'Profile/Show', [
+            'confirmsTwoFactorAuthentication' => Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm'),
             'sessions' => $this->sessions($request)->all(),
         ]);
     }
diff --git a/stubs/inertia/resources/js/Pages/Profile/Partials/TwoFactorAuthenticationForm.vue b/stubs/inertia/resources/js/Pages/Profile/Partials/TwoFactorAuthenticationForm.vue
index 8e3625751..057041b59 100644
--- a/stubs/inertia/resources/js/Pages/Profile/Partials/TwoFactorAuthenticationForm.vue
+++ b/stubs/inertia/resources/js/Pages/Profile/Partials/TwoFactorAuthenticationForm.vue
@@ -9,10 +9,14 @@
         </template>
 
         <template #content>
-            <h3 class="text-lg font-medium text-gray-900" v-if="twoFactorEnabled">
+            <h3 class="text-lg font-medium text-gray-900" v-if="twoFactorEnabled && ! confirming">
                 You have enabled two factor authentication.
             </h3>
 
+            <h3 class="text-lg font-medium text-gray-900" v-else-if="confirming">
+                Finish enabling two factor authentication.
+            </h3>
+
             <h3 class="text-lg font-medium text-gray-900" v-else>
                 You have not enabled two factor authentication.
             </h3>
@@ -26,16 +30,34 @@
             <div v-if="twoFactorEnabled">
                 <div v-if="qrCode">
                     <div class="mt-4 max-w-xl text-sm text-gray-600">
-                        <p class="font-semibold">
+                        <p class="font-semibold" v-if="confirming">
+                            To finish enabling two factor authentication, scan the following QR code using your phone's authenticator application and provide the generated OTP code.
+                        </p>
+
+                        <p v-else>
                             Two factor authentication is now enabled. Scan the following QR code using your phone's authenticator application.
                         </p>
                     </div>
 
                     <div class="mt-4" v-html="qrCode">
                     </div>
+
+                    <div class="mt-4" v-if="confirming">
+                        <jet-label for="code" value="Code" />
+
+                        <jet-input id="code" type="text" name="code"
+                                class="block mt-1 w-1/2"
+                                inputmode="numeric"
+                                autofocus
+                                autocomplete="one-time-code"
+                                v-model="confirmationForm.code"
+                                @keyup.enter="confirmTwoFactorAuthentication" />
+
+                        <jet-input-error :message="confirmationForm.errors.code" class="mt-2" />
+                    </div>
                 </div>
 
-                <div v-if="recoveryCodes.length > 0">
+                <div v-if="recoveryCodes.length > 0 && ! confirming">
                     <div class="mt-4 max-w-xl text-sm text-gray-600">
                         <p class="font-semibold">
                             Store these recovery codes in a secure password manager. They can be used to recover access to your account if your two factor authentication device is lost.
@@ -60,23 +82,39 @@
                 </div>
 
                 <div v-else>
+                    <jet-confirms-password @confirmed="confirmTwoFactorAuthentication">
+                        <jet-button type="button" class="mr-3" :class="{ 'opacity-25': enabling }" :disabled="enabling" v-if="confirming">
+                            Confirm
+                        </jet-button>
+                    </jet-confirms-password>
+
                     <jet-confirms-password @confirmed="regenerateRecoveryCodes">
                         <jet-secondary-button class="mr-3"
-                                        v-if="recoveryCodes.length > 0">
+                                        v-if="recoveryCodes.length > 0 && ! confirming">
                             Regenerate Recovery Codes
                         </jet-secondary-button>
                     </jet-confirms-password>
 
                     <jet-confirms-password @confirmed="showRecoveryCodes">
-                        <jet-secondary-button class="mr-3" v-if="recoveryCodes.length === 0">
+                        <jet-secondary-button class="mr-3" v-if="recoveryCodes.length === 0 && ! confirming">
                             Show Recovery Codes
                         </jet-secondary-button>
                     </jet-confirms-password>
 
+                    <jet-confirms-password @confirmed="disableTwoFactorAuthentication">
+                        <jet-secondary-button
+                                        :class="{ 'opacity-25': disabling }"
+                                        :disabled="disabling"
+                                        v-if="confirming">
+                            Cancel
+                        </jet-secondary-button>
+                    </jet-confirms-password>
+
                     <jet-confirms-password @confirmed="disableTwoFactorAuthentication">
                         <jet-danger-button
                                         :class="{ 'opacity-25': disabling }"
-                                        :disabled="disabling">
+                                        :disabled="disabling"
+                                        v-if="! confirming">
                             Disable
                         </jet-danger-button>
                     </jet-confirms-password>
@@ -92,6 +130,9 @@
     import JetButton from '@/Jetstream/Button.vue'
     import JetConfirmsPassword from '@/Jetstream/ConfirmsPassword.vue'
     import JetDangerButton from '@/Jetstream/DangerButton.vue'
+    import JetInput from '@/Jetstream/Input.vue'
+    import JetInputError from '@/Jetstream/InputError.vue'
+    import JetLabel from '@/Jetstream/Label.vue'
     import JetSecondaryButton from '@/Jetstream/SecondaryButton.vue'
 
     export default defineComponent({
@@ -100,16 +141,26 @@
             JetButton,
             JetConfirmsPassword,
             JetDangerButton,
+            JetInput,
+            JetInputError,
+            JetLabel,
             JetSecondaryButton,
         },
 
+        props: ['requiresConfirmation'],
+
         data() {
             return {
                 enabling: false,
+                confirming: false,
                 disabling: false,
 
                 qrCode: null,
                 recoveryCodes: [],
+
+                confirmationForm: this.$inertia.form({
+                    code: '',
+                }),
             }
         },
 
@@ -123,7 +174,10 @@
                         this.showQrCode(),
                         this.showRecoveryCodes(),
                     ]),
-                    onFinish: () => (this.enabling = false),
+                    onFinish: () => {
+                        this.enabling = false
+                        this.confirming = this.requiresConfirmation
+                    }
                 })
             },
 
@@ -141,6 +195,17 @@
                         })
             },
 
+            confirmTwoFactorAuthentication() {
+                this.confirmationForm.post('/user/confirmed-two-factor-authentication', {
+                    preserveScroll: true,
+                    preserveState: true,
+                    onSuccess: () => {
+                        this.confirming = false
+                        this.qrCode = null
+                    }
+                })
+            },
+
             regenerateRecoveryCodes() {
                 axios.post('/user/two-factor-recovery-codes')
                         .then(response => {
@@ -153,7 +218,10 @@
 
                 this.$inertia.delete('/user/two-factor-authentication', {
                     preserveScroll: true,
-                    onSuccess: () => (this.disabling = false),
+                    onSuccess: () => {
+                        this.disabling = false
+                        this.confirming = false
+                    }
                 })
             },
         },
diff --git a/stubs/inertia/resources/js/Pages/Profile/Show.vue b/stubs/inertia/resources/js/Pages/Profile/Show.vue
index b4765522e..bca55ed8e 100644
--- a/stubs/inertia/resources/js/Pages/Profile/Show.vue
+++ b/stubs/inertia/resources/js/Pages/Profile/Show.vue
@@ -21,7 +21,9 @@
                 </div>
 
                 <div v-if="$page.props.jetstream.canManageTwoFactorAuthentication">
-                    <two-factor-authentication-form class="mt-10 sm:mt-0" />
+                    <two-factor-authentication-form
+                                class="mt-10 sm:mt-0"
+                                :requires-confirmation="confirmsTwoFactorAuthentication" />
 
                     <jet-section-border />
                 </div>
@@ -49,7 +51,10 @@
     import UpdateProfileInformationForm from '@/Pages/Profile/Partials/UpdateProfileInformationForm.vue'
 
     export default defineComponent({
-        props: ['sessions'],
+        props: [
+            'confirmsTwoFactorAuthentication',
+            'sessions'
+        ],
 
         components: {
             AppLayout,
diff --git a/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php b/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
index eda90d486..34882db2c 100644
--- a/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
+++ b/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
@@ -46,7 +46,7 @@
                     <div class="mt-4">
                         <x-jet-label for="code" value="{{ __('Code') }}" />
 
-                        <x-jet-input id="code" class="block mt-1 w-1/2" type="text" inputmode="numeric" name="code" autofocus autocomplete="one-time-code"
+                        <x-jet-input id="code" type="text" name="code" class="block mt-1 w-1/2" inputmode="numeric" autofocus autocomplete="one-time-code"
                             wire:model.defer="code"
                             wire:keydown.enter="confirmTwoFactorAuthentication" />
 

From cc3e8d00796c336c37b07c57fa86abf5dcde66e0 Mon Sep 17 00:00:00 2001
From: Taylor Otwell <taylor@laravel.com>
Date: Tue, 15 Mar 2022 11:55:50 -0500
Subject: [PATCH 5/7] user profile tests

---
 tests/UserProfileControllerTest.php | 122 ++++++++++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 tests/UserProfileControllerTest.php

diff --git a/tests/UserProfileControllerTest.php b/tests/UserProfileControllerTest.php
new file mode 100644
index 000000000..82cf77ede
--- /dev/null
+++ b/tests/UserProfileControllerTest.php
@@ -0,0 +1,122 @@
+<?php
+
+namespace Laravel\Jetstream\Tests;
+
+use Illuminate\Support\Facades\Schema;
+use Laravel\Fortify\Actions\DisableTwoFactorAuthentication;
+use Laravel\Fortify\Features;
+use Laravel\Jetstream\Jetstream;
+use Laravel\Jetstream\Tests\Fixtures\User;
+use Mockery as m;
+
+class UserProfileControllerTest extends OrchestraTestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        Jetstream::useUserModel(User::class);
+    }
+
+    public function test_empty_two_factor_state_is_noted()
+    {
+        $this->migrate();
+
+        $disable = $this->mock(DisableTwoFactorAuthentication::class);
+        $disable->shouldReceive('__invoke')->once();
+
+        Jetstream::$inertiaManager = $inertia = m::mock();
+        $inertia->shouldReceive('render')->once();
+
+        $user = User::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => 'taylor@laravel.com',
+            'password' => 'secret',
+        ]);
+
+        $response = $this->actingAs($user)->get('/user/profile');
+
+        $response->assertSessionHas('two_factor_empty_at');
+
+        $response->assertStatus(200);
+    }
+
+    public function test_two_factor_is_not_disabled_if_was_previously_empty_and_currently_confirming()
+    {
+        $this->migrate();
+
+        $disable = $this->mock(DisableTwoFactorAuthentication::class);
+        $disable->shouldReceive('__invoke')->never();
+
+        Jetstream::$inertiaManager = $inertia = m::mock();
+        $inertia->shouldReceive('render')->once();
+
+        $user = User::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => 'taylor@laravel.com',
+            'password' => 'secret',
+            'two_factor_secret' => 'test-secret',
+        ]);
+
+        $response = $this->actingAs($user)
+                        ->withSession(['two_factor_empty_at' => time()])
+                        ->get('/user/profile');
+
+        $response->assertStatus(200);
+    }
+
+    public function test_two_factor_is_disabled_if_was_previously_confirming_and_page_is_reloaded()
+    {
+        $this->migrate();
+
+        $disable = $this->mock(DisableTwoFactorAuthentication::class);
+        $disable->shouldReceive('__invoke')->once();
+
+        Jetstream::$inertiaManager = $inertia = m::mock();
+        $inertia->shouldReceive('render')->once();
+
+        $user = User::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => 'taylor@laravel.com',
+            'password' => 'secret',
+            'two_factor_secret' => 'test-secret',
+        ]);
+
+        $response = $this->actingAs($user)
+                        ->withSession([
+                            'two_factor_empty_at' => time(),
+                            'two_factor_confirming_at' => time() - 10,
+                        ])
+                        ->get('/user/profile');
+
+        $response->assertStatus(200);
+    }
+
+    protected function migrate()
+    {
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        Schema::table('users', function ($table) {
+            $table->string('two_factor_secret')->nullable();
+            $table->timestamp('two_factor_confirmed_at')->nullable();
+        });
+    }
+
+    protected function getEnvironmentSetUp($app)
+    {
+        parent::getEnvironmentSetUp($app);
+
+        $app['config']->set('jetstream.stack', 'inertia');
+        $app['config']->set('fortify.features', [
+            Features::registration(),
+            Features::resetPasswords(),
+            // Features::emailVerification(),
+            Features::updateProfileInformation(),
+            Features::updatePasswords(),
+            Features::twoFactorAuthentication([
+                'confirm' => true,
+                'confirmPassword' => true,
+            ]),
+        ]);
+    }
+}

From 7203f016a2fbdc42bfe1bd4e7e167400d7d29a47 Mon Sep 17 00:00:00 2001
From: Taylor Otwell <taylor@laravel.com>
Date: Tue, 15 Mar 2022 16:41:32 -0500
Subject: [PATCH 6/7] refactoring

---
 .../ConfirmsTwoFactorAuthentication.php       | 83 +++++++++++++++++++
 .../Inertia/UserProfileController.php         | 31 +------
 2 files changed, 86 insertions(+), 28 deletions(-)
 create mode 100644 src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php

diff --git a/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php b/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php
new file mode 100644
index 000000000..7d8498ee2
--- /dev/null
+++ b/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php
@@ -0,0 +1,83 @@
+<?php
+
+namespace Laravel\Jetstream\Http\Controllers\Inertia\Concerns;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Laravel\Fortify\Actions\DisableTwoFactorAuthentication;
+use Laravel\Fortify\Features;
+
+trait ConfirmsTwoFactorAuthentication
+{
+    /**
+     * Validate the two factor authentication state for the request.
+     *
+     * @param  \Illuminate\Http\Request
+     * @return void
+     */
+    protected function validateTwoFactorAuthenticationState(Request $request)
+    {
+        if (! Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm')) {
+            return;
+        }
+
+        $currentTime = time();
+
+        // Notate totally disabled state in session...
+        if ($this->twoFactorAuthenticationDisabled($request)) {
+            $request->session()->put('two_factor_empty_at', $currentTime);
+        }
+
+        // If was previously totally disabled this session but is now confirming, notate time...
+        if ($this->hasJustBegunConfirmingTwoFactorAuthentication($request)) {
+            $request->session()->put('two_factor_confirming_at', $currentTime);
+        }
+
+        // If the profile is reloaded and is not confirmed but was previously in confirming state, disable...
+        if ($this->neverFinishedConfirmingTwoFactorAuthentication($request, $currentTime)) {
+            app(DisableTwoFactorAuthentication::class)(Auth::user());
+
+            $request->session()->put('two_factor_empty_at', $currentTime);
+            $request->session()->remove('two_factor_confirming_at');
+        }
+    }
+
+    /**
+     * Determine if two factor authenticatoin is totally disabled.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function twoFactorAuthenticationDisabled(Request $request)
+    {
+        return is_null($request->user()->two_factor_secret) &&
+               is_null($request->user()->two_factor_confirmed_at);
+    }
+
+    /**
+     * Determine if two factor authentication is just now being confirmed within the last request cycle.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function hasJustBegunConfirmingTwoFactorAuthentication(Request $request)
+    {
+        return ! is_null($request->user()->two_factor_secret) &&
+               is_null($request->user()->two_factor_confirmed_at) &&
+               $request->session()->has('two_factor_empty_at') &&
+               is_null($request->session()->get('two_factor_confirming_at'));
+    }
+
+    /**
+     * Determine if two factor authentication was never totally confirmed once confirmation started.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  int  $currentTime
+     * @return bool
+     */
+    protected function neverFinishedConfirmingTwoFactorAuthentication(Request $request, $currentTime)
+    {
+        return is_null($request->user()->two_factor_confirmed_at) &&
+               $request->session()->get('two_factor_confirming_at', 0) != $currentTime;
+    }
+}
diff --git a/src/Http/Controllers/Inertia/UserProfileController.php b/src/Http/Controllers/Inertia/UserProfileController.php
index 325c0d071..981ee0683 100644
--- a/src/Http/Controllers/Inertia/UserProfileController.php
+++ b/src/Http/Controllers/Inertia/UserProfileController.php
@@ -14,6 +14,8 @@
 
 class UserProfileController extends Controller
 {
+    use Concerns\ConfirmsTwoFactorAuthentication;
+
     /**
      * Show the general profile settings screen.
      *
@@ -22,34 +24,7 @@ class UserProfileController extends Controller
      */
     public function show(Request $request)
     {
-        $currentTime = time();
-
-        // Notate totally disabled state in session...
-        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
-            is_null(Auth::user()->two_factor_secret) &&
-            is_null(Auth::user()->two_factor_confirmed_at)) {
-            $request->session()->put('two_factor_empty_at', $currentTime);
-        }
-
-        // If was previously totally disabled this session but is now confirming, notate time...
-        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
-            ! is_null(Auth::user()->two_factor_secret) &&
-            is_null(Auth::user()->two_factor_confirmed_at) &&
-            $request->session()->has('two_factor_empty_at') &&
-            is_null($request->session()->get('two_factor_confirming_at'))) {
-            $request->session()->put('two_factor_confirming_at', $currentTime);
-        }
-
-        // If the profile is reloaded and is not confirmed but was previously in confirming state, disable...
-        if (Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm') &&
-            is_null(Auth::user()->two_factor_confirmed_at) &&
-            // Don't disable if confirmation was first noted during this same request...
-            $request->session()->get('two_factor_confirming_at', 0) != $currentTime) {
-            app(DisableTwoFactorAuthentication::class)(Auth::user());
-
-            $request->session()->put('two_factor_empty_at', $currentTime);
-            $request->session()->remove('two_factor_confirming_at');
-        }
+        $this->validateTwoFactorAuthenticationState($request);
 
         return Jetstream::inertia()->render($request, 'Profile/Show', [
             'confirmsTwoFactorAuthentication' => Features::optionEnabled(Features::twoFactorAuthentication(), 'confirm'),

From 6f1d13320893d86bfe41e641d88c7c3725bd3cf0 Mon Sep 17 00:00:00 2001
From: Taylor Otwell <taylor@laravel.com>
Date: Tue, 15 Mar 2022 16:42:07 -0500
Subject: [PATCH 7/7] fix spacing

---
 .../Concerns/ConfirmsTwoFactorAuthentication.php       | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php b/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php
index 7d8498ee2..4edb45fe0 100644
--- a/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php
+++ b/src/Http/Controllers/Inertia/Concerns/ConfirmsTwoFactorAuthentication.php
@@ -51,7 +51,7 @@ protected function validateTwoFactorAuthenticationState(Request $request)
     protected function twoFactorAuthenticationDisabled(Request $request)
     {
         return is_null($request->user()->two_factor_secret) &&
-               is_null($request->user()->two_factor_confirmed_at);
+            is_null($request->user()->two_factor_confirmed_at);
     }
 
     /**
@@ -63,9 +63,9 @@ protected function twoFactorAuthenticationDisabled(Request $request)
     protected function hasJustBegunConfirmingTwoFactorAuthentication(Request $request)
     {
         return ! is_null($request->user()->two_factor_secret) &&
-               is_null($request->user()->two_factor_confirmed_at) &&
-               $request->session()->has('two_factor_empty_at') &&
-               is_null($request->session()->get('two_factor_confirming_at'));
+            is_null($request->user()->two_factor_confirmed_at) &&
+            $request->session()->has('two_factor_empty_at') &&
+            is_null($request->session()->get('two_factor_confirming_at'));
     }
 
     /**
@@ -78,6 +78,6 @@ protected function hasJustBegunConfirmingTwoFactorAuthentication(Request $reques
     protected function neverFinishedConfirmingTwoFactorAuthentication(Request $request, $currentTime)
     {
         return is_null($request->user()->two_factor_confirmed_at) &&
-               $request->session()->get('two_factor_confirming_at', 0) != $currentTime;
+            $request->session()->get('two_factor_confirming_at', 0) != $currentTime;
     }
 }