Skip to content

[codex] Respect ops TOTP config in production#3025

Merged
fermatmind merged 1 commit into
mainfrom
codex/disable-ops-2fa
Jul 12, 2026
Merged

[codex] Respect ops TOTP config in production#3025
fermatmind merged 1 commit into
mainfrom
codex/disable-ops-2fa

Conversation

@fermatmind

Copy link
Copy Markdown
Owner

What changed

  • Removed the production-only override that forced Ops TOTP even when admin.totp.enabled is false.
  • Kept TOTP enabled by default, but made production honor OPS_ADMIN_TOTP_ENABLED=false through the existing config path.
  • Added regression coverage for both protected Ops route access and post-login redirect behavior when TOTP is disabled in a production environment.
  • Updated the repository MFA rule so the architecture contract matches the new runtime behavior.

Why

The Ops panel currently sends administrators to two-factor enrollment/challenge in production even when the runtime config disables TOTP. The operator wants to use the backend without these 2FA secrets, so production must respect the explicit disable switch.

Validation

  • php artisan test tests/Feature/Ops/AdminTotpEnforcementTest.php --display-warnings
  • ./vendor/bin/pint --test app/Http/Responses/Auth/OpsLoginResponse.php app/Http/Middleware/EnsureAdminTotpVerified.php app/Filament/Ops/Pages/TwoFactorChallenge.php tests/Feature/Ops/AdminTotpEnforcementTest.php
  • FAP_ADMIN_PANEL_ENABLED=true php artisan route:list --path=ops
  • git diff --check

Deferred items

  • No database migration needed.
  • No MBTI verification run; this change is limited to Ops admin TOTP enforcement and does not touch MBTI runtime paths.
  • Production still needs OPS_ADMIN_TOTP_ENABLED=false and php artisan optimize:clear after deployment.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 71b42ebb0f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +21 to 23
$totpRequired = (bool) config('admin.totp.enabled', true);
if (! $totpRequired) {
$request->session()->put('ops_admin_totp_verified_user_id', (int) $user->id);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid caching a bypassed TOTP session

When production is run with OPS_ADMIN_TOTP_ENABLED=false, this disabled branch now stores ops_admin_totp_verified_user_id for the admin on ordinary Ops requests. If TOTP is later re-enabled while that same session is still alive, the required branch below treats the stale session value as a completed current-session challenge for enrolled admins, so they can continue into Ops without being challenged. Skip writing the verified marker when TOTP is disabled, or clear/version it when enforcement is re-enabled.

Useful? React with 👍 / 👎.

@fermatmind fermatmind merged commit 619cb3d into main Jul 12, 2026
9 checks passed
@fermatmind fermatmind deleted the codex/disable-ops-2fa branch July 12, 2026 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant