[codex] Respect ops TOTP config in production#3025
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 71b42ebb0f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| $totpRequired = (bool) config('admin.totp.enabled', true); | ||
| if (! $totpRequired) { | ||
| $request->session()->put('ops_admin_totp_verified_user_id', (int) $user->id); |
There was a problem hiding this comment.
Avoid caching a bypassed TOTP session
When production is run with OPS_ADMIN_TOTP_ENABLED=false, this disabled branch now stores ops_admin_totp_verified_user_id for the admin on ordinary Ops requests. If TOTP is later re-enabled while that same session is still alive, the required branch below treats the stale session value as a completed current-session challenge for enrolled admins, so they can continue into Ops without being challenged. Skip writing the verified marker when TOTP is disabled, or clear/version it when enforcement is re-enabled.
Useful? React with 👍 / 👎.
What changed
admin.totp.enabledis false.OPS_ADMIN_TOTP_ENABLED=falsethrough the existing config path.Why
The Ops panel currently sends administrators to two-factor enrollment/challenge in production even when the runtime config disables TOTP. The operator wants to use the backend without these 2FA secrets, so production must respect the explicit disable switch.
Validation
php artisan test tests/Feature/Ops/AdminTotpEnforcementTest.php --display-warnings./vendor/bin/pint --test app/Http/Responses/Auth/OpsLoginResponse.php app/Http/Middleware/EnsureAdminTotpVerified.php app/Filament/Ops/Pages/TwoFactorChallenge.php tests/Feature/Ops/AdminTotpEnforcementTest.phpFAP_ADMIN_PANEL_ENABLED=true php artisan route:list --path=opsgit diff --checkDeferred items
OPS_ADMIN_TOTP_ENABLED=falseandphp artisan optimize:clearafter deployment.