feat: enforce MFA for sensitive permissions and add security enhancements (#416)

Commit: 2ada4ab2d8bbd3db310849485d13de588d2977b5
Date: 2025-10-22 10:14:36 +0000
Author: PascalHavelange

Commit Message

feat: enforce MFA for sensitive permissions and add security enhancements (#416)

# feat: enforce MFA for sensitive permissions and add security enhancements

## Overview
Implement comprehensive MFA security requirements for users with administrative permissions to significantly improve account security.

## Changes

### Backend Security Enhancements
- **Added MFA requirement validation for sensitive permissions**
  - Created `Permission::sensitivePermissions()` method to identify permissions requiring MFA:
    - manage users
    - manage roles
    - assign roles
    - manage settings
  - Added `User::hasSensitivePermissions()` helper method
  - Implemented validation in `StoreUserManagementRequest` to prevent creating users with sensitive permissions
  - Implemented validation in `UpdateUserManagementRequest` to prevent assigning sensitive roles to users without MFA

- **Prevented MFA disable for privileged users**
  - Created custom `TwoFactorAuthenticationForm` component overriding Jetstream's default
  - Added validation in TOTP disable method to check for sensitive permissions
  - Updated `EmailTwoFactorForm` to prevent email 2FA disable for users with sensitive permissions
  - Users with sensitive permissions cannot disable MFA (both TOTP and Email)

### UI Enhancements
- **Added MFA status column to users list**
  - Shows "Enabled" with green badge and security icon for users with MFA
  - Shows "Disabled" with gray badge for users without MFA
  - Updated table colspan to accommodate new column

### Bug Fixes
- **Fixed HTTP 500 error when enabling email 2FA**
  - Added `ConfirmsPasswords` trait from Jetstream to `EmailTwoFactorForm`
  - Replaced custom redirect-based password confirmation with proper Jetstream integration
  - Password confirmation now works correctly with Livewire components

### Service Provider Updates
- **Registered custom Livewire components**
  - Override Jetstream's `TwoFactorAuthenticationForm` with custom implementation in `JetstreamServiceProvider`

### Test Updates
- **Updated all affected tests**
  - Added password confirmation session data to Email 2FA tests
  - Updated role assignment tests to use non-sensitive roles (Visitor) for new users
  - Updated role assignment tests to enable MFA for existing users before assigning sensitive roles
  - Added new test to verify MFA requirement validation
  - Fixed role names (Viewer → Visitor)
  - All 1854 tests now pass

## Security Impact
- **Enhanced protection for administrative accounts**: Users with privileges to manage users, roles, or settings must have MFA enabled
- **Prevention of privilege escalation**: New users cannot be created with sensitive permissions; they must enable MFA first
- **Mandatory MFA for privileged users**: Users with sensitive permissions cannot disable their MFA
- **Improved accountability**: Clear visibility of MFA status in user management interface

## Testing
- ✅ All 1854 backend tests passing
- ✅ Laravel Pint: No style issues (2 auto-fixed)
- ✅ TypeScript type checking: No errors
- ✅ ESLint: No errors
- ✅ Frontend build: Successful

## Breaking Changes
None - existing users are not affected. New security requirements only apply when:
1. Creating new users with sensitive permissions (now requires MFA first)
2. Assigning sensitive roles to existing users (requires MFA)
3. Attempting to disable MFA while having sensitive permissions (now prevented)

Co-authored-by: Pascal HAVELANGE <havelangep@hotmail.com>
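
The role-assignment check described under `UpdateUserManagementRequest`, as an added example that is not the project's own code: it assumes a Spatie-style `permissions` relation on `Role`, Fortify's `hasEnabledTwoFactorAuthentication()` for TOTP, and a hypothetical `email_two_factor_enabled` column for the email 2FA this commit mentions; the sensitive-permission list mirrors what the commit names in `Permission::sensitivePermissions()`.

```php
<?php
// Added illustration, not the project's own code. Assumes a Spatie-style
// `permissions` relation on Role, Fortify's hasEnabledTwoFactorAuthentication()
// for TOTP, and a hypothetical `email_two_factor_enabled` column for email 2FA.

namespace App\Http\Requests;

use App\Models\Role;
use App\Models\User;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Validator;

class UpdateUserManagementRequest extends FormRequest
{
    /** Permissions that may only be held by users with MFA enabled. */
    public const SENSITIVE_PERMISSIONS = ['manage users', 'manage roles', 'assign roles', 'manage settings'];

    public function rules(): array
    {
        return ['roles' => ['array'], 'roles.*' => ['string', 'exists:roles,name']];
    }

    public function withValidator(Validator $validator): void
    {
        $validator->after(function (Validator $v) {
            /** @var User $target */
            $target = $this->route('user');                 // user being edited (route-model bound)
            $roles  = Role::whereIn('name', $this->input('roles', []))->get();

            // Does any requested role grant a sensitive permission?
            $grantsSensitive = $roles->contains(
                fn (Role $role) => $role->permissions
                    ->pluck('name')
                    ->intersect(self::SENSITIVE_PERMISSIONS)
                    ->isNotEmpty()
            );

            // MFA counts as enabled for either TOTP (Fortify) or email 2FA (assumed column).
            $hasMfa = $target->hasEnabledTwoFactorAuthentication()
                || (bool) $target->email_two_factor_enabled;

            // Reject the assignment rather than silently dropping the role,
            // so the admin sees why the escalation was refused.
            if ($grantsSensitive && ! $hasMfa) {
                $v->errors()->add('roles', 'Roles granting sensitive permissions require MFA to be enabled first.');
            }
        });
    }
}
```

The same `$grantsSensitive && ! $hasMfa` condition is what the TOTP and email 2FA disable paths must check in reverse: a user who currently holds a sensitive permission is refused when trying to turn MFA off.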

Files Changed


This documentation was automatically generated from Git commit data.