Description
- Jetstream Version: 2.7.1
- Jetstream Stack: both
- Uses Teams: N/A but no
- Laravel Version: N/A but 9.6.0
- PHP Version: N/A but 8.1.0
- Database Driver & Version: N/A
Description:
In the Inertia stack the Confirm button for 2FA is wrapped in
<JetConfirmsPassword @confirmed="confirmTwoFactorAuthentication">...</JetConfirmsPassword>
However, the input on the form that the button relates to triggers the same function via the Enter key:
@keyup.enter="confirmTwoFactorAuthentication"
meaning the password confirmation can be bypassed by simply pressing Enter in the input.
Similarly, in the Livewire stack it's wrapped in
<x-jet-confirms-password wire:then="confirmTwoFactorAuthentication">
However, the input on the form that the button relates to triggers the same function via the Enter key:
wire:keydown.enter="confirmTwoFactorAuthentication"
I believe this wrapping JetConfirmsPassword/x-jet-confirms-password probably shouldn't be there, as the user would have recently confirmed their password when they clicked the Enable button; so unless they clicked Enable and then left their device long enough for the confirm-password timeout to occur (3 hours by default, iirc), they'll never get prompted anyway.
Steps To Reproduce:
Enable 2FA and 2FA Confirming
Relevant Files
https://github.com/laravel/jetstream/blob/2.x/stubs/livewire/resources/views/profile/two-factor-authentication-form.blade.php
https://github.com/laravel/jetstream/blob/2.x/stubs/inertia/resources/js/Pages/Profile/Partials/TwoFactorAuthenticationForm.vue
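To make the mismatch concrete, here is an added plain-JavaScript model (not Jetstream's code) of the wiring described in the report: a stand-in for the confirms-password gate with an assumed 3-hour timeout, a form whose button always goes through the gate, and an Enter-key binding that either skips the gate (the reported behaviour) or routes through it (one consistent fix; removing the wrapper, as the report suggests, is the other). All names and the session/clock helpers are constructed for the example.

```javascript
// Added example, not Jetstream's code: a plain-JS model of the gap in the report.
// A "confirms password" gate (stand-in for JetConfirmsPassword / x-jet-confirms-password)
// runs the protected action only when the password was confirmed recently; the vulnerable
// form also binds the Enter key directly to the action, so the gate is skipped.

const CONFIRM_TIMEOUT_MS = 3 * 60 * 60 * 1000; // assumed default, the 3 hours mentioned above

// Constructed session with a fake clock so the timeout can be exercised deterministically.
function makeSession(startMs = 0) {
  return { nowMs: startMs, passwordConfirmedAt: null };
}

function confirmPassword(session) {
  session.passwordConfirmedAt = session.nowMs;
}

// Stand-in for the ConfirmsPassword wrapper: run the action or ask for the password.
function confirmsPassword(session, action) {
  const at = session.passwordConfirmedAt;
  if (at !== null && session.nowMs - at < CONFIRM_TIMEOUT_MS) {
    return action();
  }
  return { prompted: true, confirmed: false };
}

// Builds the 2FA confirmation form; `enterThroughGate` selects vulnerable or fixed wiring.
function buildTwoFactorForm(session, { enterThroughGate }) {
  const state = { twoFactorConfirmed: false };
  // The protected action (stand-in for confirmTwoFactorAuthentication).
  const confirmTwoFactorAuthentication = () => {
    state.twoFactorConfirmed = true;
    return { prompted: false, confirmed: true };
  };
  const gated = () => confirmsPassword(session, confirmTwoFactorAuthentication);
  return {
    state,
    clickConfirm: gated, // the button: always wrapped by the gate
    // @keyup.enter / wire:keydown.enter: the report binds this straight to the action
    pressEnter: enterThroughGate ? gated : confirmTwoFactorAuthentication,
  };
}

// Same unconfirmed session, two wirings: only the direct binding reaches the action.
function demo() {
  const vulnerable = buildTwoFactorForm(makeSession(), { enterThroughGate: false });
  const fixed = buildTwoFactorForm(makeSession(), { enterThroughGate: true });
  return {
    clickWithoutPassword: vulnerable.clickConfirm(), // { prompted: true, confirmed: false }
    enterBypass: vulnerable.pressEnter(),            // { prompted: false, confirmed: true }
    enterFixed: fixed.pressEnter(),                  // { prompted: true, confirmed: false }
  };
}
```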