Skip to content

Add Two Factor Authentication for React Starter Kit #156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 37 commits into from
Sep 18, 2025
Merged

Add Two Factor Authentication for React Starter Kit #156

merged 37 commits into from
Sep 18, 2025
+1,623 −112

Conversation

pushpak1300
Copy link
Member

@pushpak1300 pushpak1300 commented Aug 26, 2025
edited
Loading

This MR adds Two-Factor Authentication (2FA) functionality to the React Starter Kit using Laravel Fortify's built-in support for 2FA

🔒 Backend Changes

We are now leveraging Fortify for handling two-factor authentication. Since Fortify provides additional security features out of the box, this MR also replaces our custom implementation of the password confirmation page with Fortify’s native confirm password functionality.

Previously: Custom password confirmation
Now: Native Fortify confirm-password implementation

🖥️ Frontend/UI Updates

The UI has been updated to handle all the two-factor settings based on Fortify's configuration. The following Fortify features are enabled:

Features::twoFactorAuthentication([
    'confirm' => true,
    'confirmPassword' => true,
    // 'window' => 0
]),

Demo

https://www.loom.com/share/6bf836eccae84778a511916a9d02bb59?sid=efb1fac2-7482-40ec-82e6-31f0b3fa77a8

Co-authored-by: Tony Lea [email protected]
Thanks to #101

@ludo237
Copy link

ludo237 commented Aug 26, 2025

I think this is better be its own starter kit

@pushpak1300
Merge branch 'main' into feat/add_two_factor_auth
6840944 
# Conflicts:
#	routes/auth.php
#	tests/Feature/Auth/AuthenticationTest.php
#	tests/Feature/Auth/PasswordConfirmationTest.php
@pushpak1300
feat: enhance two-factor authentication implementation and improve co…
bf996b7 
…de consistency
@hebbet hebbet mentioned this pull request Aug 30, 2025
Closed
@pushpak1300 pushpak1300 marked this pull request as ready for review September 1, 2025 09:28
@pushpak1300 pushpak1300 marked this pull request as draft September 1, 2025 11:42
@pushpak1300 pushpak1300 marked this pull request as ready for review September 1, 2025 14:19
@pushpak1300 pushpak1300 marked this pull request as draft September 3, 2025 04:05
@pushpak1300
Copy link
Member Author

Waiting until we fix this bug in the Inertia <Form> component inertiajs/inertia#2558, as it will clean up a few unnecessary parts.

@OliverSpeak
Copy link

Why is this using Fortify? I don't see how it makes sense to use part of that package when the rest of the authentication is already handled by open code.

@Diddyy
Copy link

Diddyy commented Sep 3, 2025

Waiting until we fix this bug in the Inertia <Form> component inertiajs/inertia#2558, as it will clean up a few unnecessary parts.

Its been merged!

@pushpak1300
Copy link
Member Author

Its been merged!

Hey It's needs to be tagged with new release in order to use it. I'm tracking it and will push changes once tagged.

@ludo237
Copy link

ludo237 commented Sep 3, 2025

Why is this using Fortify? I don't see how it makes sense to use part of that package when the rest of the authentication is already handled by open code.

Don't bother they won't listen. Just wait for a maintainer to close this

@pushpak1300 pushpak1300 marked this pull request as ready for review September 3, 2025 15:32
@tnylea
Copy link
Contributor

tnylea commented Sep 4, 2025

Thanks for the shout out @pushpak1300 😁

Excited to see this released 👍

joetannenbaum
joetannenbaum requested changes Sep 10, 2025
View reviewed changes
@pushpak1300 pushpak1300 force-pushed the feat/add_two_factor_auth branch from e5f8b6f to 29c28f5 Compare September 11, 2025 17:32
@pushpak1300 pushpak1300 force-pushed the feat/add_two_factor_auth branch from 29c28f5 to e18dbbe Compare September 11, 2025 17:46
@pushpak1300 pushpak1300 force-pushed the feat/add_two_factor_auth branch from e94aa8c to 416b731 Compare September 11, 2025 19:09
@pushpak1300 pushpak1300 mentioned this pull request Sep 12, 2025
Merged
@thewebartisan7
Copy link

I have concerns about using Laravel Fortify solely for adding Two-Factor Authentication (2FA) in this pull request. The Laravel React Starter Kit is intended to be a lightweight foundation, and introducing Fortify, which is a more comprehensive and framework-agnostic authentication solution, feels like overkill for this specific feature.
Here are my reasons for suggesting an alternative approach:

  • Lightweight Design: The starter kit is meant to be minimal and flexible. Adding Fortify for just 2FA introduces unnecessary dependencies and complexity, which could bloat the project and deviate from its lightweight ethos.

  • Avoiding a Jetstream-like Solution: Fortify is a robust tool, but it’s better suited for projects requiring a full suite of authentication features. Using it here risks turning the starter kit into something akin to Laravel Jetstream, which contradicts the goal of keeping it simple.

  • Alternative Packages: There are lighter, more focused packages available for implementing 2FA, such as google2fa-laravel or Laragear/TwoFactor. This packages provides a straightforward way to add 2FA without the overhead of Fortify.

  • Documentation Clarity: If Fortify is used, the Laravel documentation (e.g., Fortify documentation) should be updated to clarify when and why Fortify is the right choice for projects like this. This would help developers understand the decision and avoid confusion.

I suggest exploring a lighter solution like google2fa-laravel, Laragear/TwoFactor or a custom 2FA implementation to keep the starter kit lean while still providing robust security. If Fortify is retained, a clear justification for its inclusion over simpler alternatives would be helpful.

Looking forward to hearing your thoughts!

@pushpak1300
Copy link
Member Author

Thanks for raising these points! I totally get the concern about keeping the starter kit lightweight. The reason we went with Fortify here is that it’s already battle-tested and gives us a reliable foundation for 2FA without reinventing the wheel.

We’re still evaluating Fortify’s usage across the other parts of the starter kits, but that’s outside the scope of this MR, so those changes aren’t included here. For 2FA specifically, we’ll stick with Fortify since it provides configurable options that teams can easily opt-in or opt-out of depending on their needs.

hugo-lovighi
hugo-lovighi reviewed Sep 17, 2025
View reviewed changes
joetannenbaum
joetannenbaum approved these changes Sep 18, 2025
View reviewed changes
Copy link
Contributor

@joetannenbaum joetannenbaum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks @pushpak1300 👍

@pushpak1300
Merge branch 'main' into feat/add_two_factor_auth
b4d4b6d 
# Conflicts:
#	resources/js/app.tsx
#	resources/js/components/delete-user.tsx
#	resources/js/layouts/settings/layout.tsx
#	resources/js/pages/auth/confirm-password.tsx
#	resources/js/pages/settings/password.tsx
#	resources/js/pages/settings/profile.tsx
@taylorotwell taylorotwell merged commit ed51c24 into main Sep 18, 2025
3 of 5 checks passed
@taylorotwell taylorotwell deleted the feat/add_two_factor_auth branch September 18, 2025 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joetannenbaum joetannenbaum joetannenbaum approved these changes

@taylorotwell taylorotwell Awaiting requested review from taylorotwell

+2 more reviewers

@ludo237 ludo237 ludo237 left review comments

@hugo-lovighi hugo-lovighi hugo-lovighi left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@pushpak1300 @ludo237 @OliverSpeak @Diddyy @tnylea @joetannenbaum @thewebartisan7 @hugo-lovighi @taylorotwell