You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add database migration to add two_factor_recovery_codes_viewed_at column to users table
Update confirmTwoFactorAuthentication() to set the viewed timestamp when showing codes for the first time
Update showRecoveryCodes() method to prevent showing codes if they have been viewed
Update the view to hide "Show Recovery Codes" button if codes have been viewed
Update regenerateRecoveryCodes() to reset the viewed timestamp so new codes can be shown once
Add comprehensive tests to verify recovery codes cannot be viewed after initial display
Fix code style issues (trailing whitespace)
Run security scan with CodeQL (no vulnerabilities found)
Fix test failure by adding hasViewedRecoveryCodes() helper method
Recent Fix
Added hasViewedRecoveryCodes() helper method to User model to safely check if recovery codes have been viewed, preventing attribute access errors in blade views during testing.
Security Improvement
Recovery codes are now only displayed once when first generated:
When 2FA is confirmed, codes are shown and marked as viewed
The "Show Recovery Codes" button is hidden after codes are viewed
Attempting to call showRecoveryCodes() after viewing shows an error message
When codes are regenerated, they can be viewed once again (timestamp is reset)
When 2FA is disabled, the viewed timestamp is properly cleared
Testing
Added 3 new test cases:
Verify codes can be viewed initially
Verify codes cannot be viewed after being viewed once
Verify codes can be viewed after regeneration
All existing tests updated to account for the new timestamp field.
Original prompt
This section details on the original issue you should resolve
<issue_title>FIX: 2FA recover codes should only be allowed to be displayed the first time, and never again.</issue_title>
<issue_description>FIX: 2FA recover codes should only be allowed to be displayed the first time, and never again.</issue_description>
Comments on the Issue (you are @copilot in this section)
@copilot FAILED Tests\Feature\Settings\TwoFactorTest > recovery co… ViewException
The attribute [two_factor_recovery_codes_viewed_at] either does not exist or was not retrieved for model [App\Models\User]. (View: /home/runner/work/tallstarter/tallstarter/resources/views/livewire/settings/two-factor.blade.php) (View: /home/runner/work/tallstarter/tallstarter/resources/views/livewire/settings/two-factor.blade.php)
@copilot FAILED Tests\Feature\Settings\TwoFactorTest > recovery co… ViewException
The attribute [two_factor_recovery_codes_viewed_at] either does not exist or was not retrieved for model [App...
Fixed in e10d083. Added hasViewedRecoveryCodes() helper method to the User model to safely check if recovery codes have been viewed, preventing direct attribute access in the blade view that was causing the test failure.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
✅ Completed: 2FA Recovery Codes Security Enhancement
Changes Implemented
two_factor_recovery_codes_viewed_atcolumn to users tableconfirmTwoFactorAuthentication()to set the viewed timestamp when showing codes for the first timeshowRecoveryCodes()method to prevent showing codes if they have been viewedregenerateRecoveryCodes()to reset the viewed timestamp so new codes can be shown oncehasViewedRecoveryCodes()helper methodRecent Fix
Added
hasViewedRecoveryCodes()helper method to User model to safely check if recovery codes have been viewed, preventing attribute access errors in blade views during testing.Security Improvement
Recovery codes are now only displayed once when first generated:
showRecoveryCodes()after viewing shows an error messageTesting
Added 3 new test cases:
All existing tests updated to account for the new timestamp field.
Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.