Let the WebAuthn form log in any user

2025-08-09 05:54:34 +02:00 · 2023-02-21 09:29:05 +01:00
parent 90f322f3b1
commit 5c83e17752
5 changed files with 39 additions and 19 deletions
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@ -71,8 +71,10 @@ class LoginController extends Controller
     */
    public function logout(Request $request)
    {
+        $user = $request->user();
        Auth::logout();
-        Log::info('User logged out');
+
+        Log::info(sprintf('User id #%s logged out', $user->id));

        return response()->json(['message' => 'signed out'], Response::HTTP_OK);
    }
@ -151,6 +153,6 @@ class LoginController extends Controller
        $user->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
        $user->save();

-        Log::info('User authenticated');
+        Log::info(sprintf('User id #%s authenticated using login & pwd', $user->id));
    }
 }
--- a/app/Http/Controllers/Auth/WebAuthnLoginController.php
+++ b/app/Http/Controllers/Auth/WebAuthnLoginController.php
@ -43,16 +43,13 @@ class WebAuthnLoginController extends Controller
                break;
        }

-        // Since 2FAuth is single user designed we fetch the user instance.
-        // This lets Larapass validate the request without the need to ask
-        // the visitor for an email address.
-        $user = User::first();
-
-        return $user
-            ? $request->toVerify($user)
-            : response()->json([
-                'message' => 'no registered user',
-            ], 400);
+        return $request->toVerify($request->validate([
+            'email' => [
+                'required',
+                'email',
+                new \App\Rules\CaseInsensitiveEmailExists
+            ]
+        ]));
    }

    /**
@ -69,7 +66,7 @@ class WebAuthnLoginController extends Controller
            $response = $request->response;

            // Some authenticators do not send a userHandle so we hack the response to be compliant
-            // with Larapass/webauthn-lib implementation that waits for a userHandle
+            // with Laragear\WebAuthn implementation that waits for a userHandle
            if (! Arr::exists($response, 'userHandle') || blank($response['userHandle'])) {
                $response['userHandle'] = User::getFromCredentialId($request->id)?->userHandle();
                $request->merge(['response' => $response]);
@ -98,6 +95,6 @@ class WebAuthnLoginController extends Controller
        $user->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
        $user->save();

-        Log::info('User authenticated via webauthn');
+        Log::info(sprintf('User id #%s authenticated using webauthn', $user->id));
    }
 }