Force login failed
Created 6 years ago by siemike

Hi, I'm going to implement 2FA for my website, basically I will send SMS code to user after login. I've change the LoginFormHandler to redirect to SMS authentication, its works great but when the OTP code succeed I use $authenticator->login($user, true); , redirect to admin panel and it failed. I've tried use both UserAuthenticator and auth()->login($user) but neither of them are succeeded. Anybody in this forum has a same problem?

piterden  —  6 years ago

What you mean you have change LoginFormHandler?

siemike  —  6 years ago

Yes, I've changed LoginFormHandler to redirecting to controller that handle SMS authentication. The problem is I can't do force login. I've tested using $authenticator->login($user, true) and auth()->login($user) but failed

ryanthompson  —  6 years ago

How is it failing? Exception or the session is not being written?

siemike  —  6 years ago

There is no error exception just the session is not written.

ryanthompson  —  6 years ago

Have you tried native Laravel methods? It might have to do with the timing / lifecycle of the response. I know at one point I had to force a refresh because the session was just sitting there but not being attached to the response or something like that.. But.. a form handler should be fine cause it DOES return the response.. so the session would get pushed in after forcing auth..

Can you share your code for the builder? I assume you've verified that it's being overridden properly 😛

siemike  —  6 years ago

Hi, Here's the code for authenticate OTP.

        try {
            $validate = $client->AuthenticationSMSRequest('VB-' . $user->phone, $otpCode, $otpSession['m_challengeCode'], '300');

            if($validate->m_statusCode == '0000') {
                $authenticator->login($user, true);

                return redirect('/admin');
            } else {
                $otpAttempt = request()->session()->get('login_otp_attempt', 0);

                if($otpAttempt > $maxOtpAttempt) {
                    $messages->warning('This account is locked. Please contact the Administrator');

                    // request()->session()->forget('login_otp_attempt');

                    $user->enabled = 0;

                    return redirect('/admin/login');
                } else {
                    $messages->warning('Your code is expired or invalid, please try again ('.$otpAttempt.').');

                    request()->session()->put('login_otp_attempt', $otpAttempt);

                    $userToken = encrypt($user->email);
                    return redirect("/users/login/otp?token={$userToken}");
        } catch(\Exception $e) {
            echo "Error: " . $e->getMessage() . "<br/><br/>"; 
        } finally {
            if (!is_null($transport)) {
                try {
                } catch(\Exception $e1) {
                    echo "Error: " . $e1->getMessage() . "<br/><br/>";