GET /api/2fa/code- Get 2FA QR codePOST /api/2fa/verify- Verify 2FA codePATCH /api/2fa/enable- Enable 2FAPATCH /api/2fa/disable- Disable 2FA
Retrieve the QR code for setting up 2FA in an authenticator app.
GET /api/2fa/codecurl -X GET "http://your-app.com/api/2fa/code" \
-H "Authorization: Bearer your-token" \
-H "Accept: application/json"const response = await axios.get('/api/2fa/code', {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});$response = $client->get('/api/2fa/code');
$qrCode = json_decode($response->getBody(), true);{
"code": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..."
}{
"message": "Two factor authentication is not enabled for current user"
}Verify a 2FA code provided by the user. Success will unlock the current session and verify the device.
POST /api/2fa/verify{
"code": "123456"
}curl -X POST "http://your-app.com/api/2fa/verify" \
-H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{"code":"123456"}'const response = await axios.post('/api/2fa/verify', {
code: '123456'
}, {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json',
'Content-Type': 'application/json'
}
});$response = $client->post('/api/2fa/verify', [
'json' => ['code' => '123456']
]);{
"message": "Two factor authentication successful"
}{
"message": "Two factor authentication failed"
}Enable two-factor authentication for the current user.
PATCH /api/2fa/enablecurl -X PATCH "http://your-app.com/api/2fa/enable" \
-H "Authorization: Bearer your-token" \
-H "Accept: application/json"const response = await axios.patch('/api/2fa/enable', {}, {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});$response = $client->patch('/api/2fa/enable');{
"message": "Two factor authentication enabled for current user"
}{
"message": "Two factor authentication already enabled for current user"
}Disable two-factor authentication for the current user.
PATCH /api/2fa/disablecurl -X PATCH "http://your-app.com/api/2fa/disable" \
-H "Authorization: Bearer your-token" \
-H "Accept: application/json"const response = await axios.patch('/api/2fa/disable', {}, {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});$response = $client->patch('/api/2fa/disable');{
"message": "Two factor authentication disabled for current user"
}{
"message": "Two factor authentication is not enabled for current user"
}// 2FA Setup Component
const TwoFactorSetup = {
data() {
return {
qrCode: null,
verificationCode: '',
isEnabled: false,
error: null
}
},
methods: {
async enable2FA() {
try {
// Enable 2FA
await axios.patch('/api/2fa/enable');
// Get QR code
const response = await axios.get('/api/2fa/code');
this.qrCode = response.data.code;
this.isEnabled = true;
} catch (error) {
this.error = error.response.data.message;
}
},
async verify2FA() {
try {
await axios.post('/api/2fa/verify', {
code: this.verificationCode
});
// Redirect on success
window.location.href = '/dashboard';
} catch (error) {
this.error = error.response.data.message;
}
},
async disable2FA() {
try {
await axios.patch('/api/2fa/disable');
this.isEnabled = false;
this.qrCode = null;
} catch (error) {
this.error = error.response.data.message;
}
}
}
}// Example 2FA Controller Implementation
class TwoFactorController extends Controller
{
public function setup(Request $request)
{
$user = $request->user();
if ($user->google2faEnabled()) {
return response()->json([
'message' => 'Two factor authentication already enabled'
], 400);
}
try {
// Enable 2FA with new secret
$user->enable2fa(
app(Google2FA::class)->generateSecretKey()
);
// Get QR code for setup
$qrCode = $user->google2faQrCode();
return response()->json([
'code' => $qrCode
]);
} catch (\Exception $e) {
return response()->json([
'message' => 'Failed to enable two factor authentication'
], 500);
}
}
public function verify(Request $request)
{
$user = $request->user();
$code = $request->input('code');
try {
$valid = app(Google2FA::class)->verifyKeyNewer(
$user->google2fa->secret(),
$code,
$user->google2fa->last_success_at?->timestamp ?? 0
);
if ($valid !== false) {
$user->google2fa->success();
event(new Google2FASuccess($user));
return response()->json([
'message' => 'Two factor authentication successful'
]);
}
} catch (\Exception $e) {
report($e);
}
event(new Google2FAFailed($user));
return response()->json([
'message' => 'Two factor authentication failed'
], 400);
}
}The 2FA verification endpoint includes rate limiting to prevent brute force attacks:
// Example rate limiting implementation
'2fa_verify' => [
'attempts' => 5,
'decay_minutes' => 5
]After 5 failed attempts, the user must wait 5 minutes before trying again:
{
"message": "Too Many Attempts.",
"retry_after": 300
}The 2FA system dispatches the following events:
event(new Google2FASuccess($user));event(new Google2FAFailed($user));-
Transport Security
- Always use HTTPS for 2FA endpoints
- Never log or expose 2FA secrets
- Store secrets encrypted at rest
-
Validation
- Implement proper rate limiting
- Validate code format before verification
- Use appropriate time windows for code validation
-
Recovery
- Implement backup codes or recovery process
- Document recovery procedures for users
- Keep audit logs of 2FA activities
- Review Session Management API
- Learn about Device Management API
- Explore Events System