
Conversation

@pushpak1300 (Member) commented Aug 26, 2025

This MR adds Two-Factor Authentication (2FA) functionality to the React Starter Kit using Laravel Fortify's built-in support for 2FA.

🔒 Backend Changes

We are now leveraging Fortify for handling two-factor authentication. Since Fortify provides additional security features out of the box, this MR also replaces our custom implementation of the password confirmation page with Fortify’s native confirm password functionality.

Previously: Custom password confirmation
Now: Native Fortify confirm-password implementation

🖥️ Frontend/UI Updates

The UI has been updated to handle all the two-factor settings based on Fortify's configuration. The following Fortify features are enabled:

Features::twoFactorAuthentication([
    'confirm' => true,
    'confirmPassword' => true,
    // 'window' => 0
]),

Demo

https://www.loom.com/share/6bf836eccae84778a511916a9d02bb59?sid=efb1fac2-7482-40ec-82e6-31f0b3fa77a8

Co-authored-by: Tony Lea [email protected]
Thanks to #101
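The `'window'` option left commented out in the feature snippet above is the one knob in that configuration with a direct security trade-off: it sets how many neighbouring 30-second time steps the underlying TOTP library will accept as valid, and when it is not set Fortify leaves the library's own default in place. The following is an added example, not Fortify's or the starter kit's code: it reimplements RFC 6238 TOTP in plain Python with that window and the usual replay guard, so the effect of `window=0` versus `window=1` can be seen on the RFC's published test vectors (the secret and timestamps are constructed inputs taken from RFC 6238 Appendix B, not a real user's; the function names are this example's own).

```python
"""TOTP verification with a configurable acceptance window (RFC 6238).

Added example, not code from Laravel Fortify or the starter kit. It reproduces
in plain Python what the commented-out 'window' option in the feature snippet
controls, so the trade-off between clock-drift tolerance and the number of
codes an attacker could guess is visible. The secret and timestamps are the
RFC 6238 Appendix B test vectors (constructed input, not a real user secret).
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step, also what authenticator apps use
DIGITS = 6          # length of the code shown to the user

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1,
           last_step_used: Optional[int] = None) -> Optional[int]:
    """Return the time step the code matched, or None if it is rejected.

    window=N accepts the current step plus N steps on either side, so
    window=0 is strict and window=1 tolerates about +/-30 s of clock drift
    while tripling the number of codes that would be accepted.
    last_step_used is the replay guard: a code for a step at or before one
    that already authenticated is refused even if it is otherwise valid.
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if last_step_used is not None and step <= last_step_used:
            continue
        # constant-time comparison so a mismatch does not leak which digits differ
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


if __name__ == "__main__":
    # A code generated at t=59 s (step 1) presented one second later, at step 2.
    code = totp(TEST_SECRET, 59)
    print("code:", code)                                                  # 287082 per RFC 6238
    print("window=0 at t=60:", verify(TEST_SECRET, code, 60, window=0))  # None
    print("window=1 at t=60:", verify(TEST_SECRET, code, 60, window=1))  # 1
    print("replayed:", verify(TEST_SECRET, code, 60, window=1, last_step_used=1))  # None
```

Running the block shows a code minted at t=59 s (step 1) being rejected one second later with `window=0`, accepted with `window=1`, and refused again once step 1 has been recorded as used. The other two flags in the snippet guard the enrolment flow rather than the code check: `'confirm' => true` makes the user prove they can produce a valid code before 2FA is switched on (otherwise a mis-scanned secret locks them out of their own account), and `'confirmPassword' => true` requires a fresh password confirmation before 2FA can be enabled or disabled, which is the flow served by the switch to Fortify's native confirm-password page.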

@ludo237 commented Aug 26, 2025

I think this would be better as its own starter kit.

# Conflicts:
#	routes/auth.php
#	tests/Feature/Auth/AuthenticationTest.php
#	tests/Feature/Auth/PasswordConfirmationTest.php
@pushpak1300 pushpak1300 marked this pull request as ready for review September 1, 2025 09:28
@pushpak1300 pushpak1300 marked this pull request as draft September 1, 2025 11:42
@pushpak1300 pushpak1300 marked this pull request as ready for review September 1, 2025 14:19
@pushpak1300 pushpak1300 marked this pull request as draft September 3, 2025 04:05
@pushpak1300 (Member, Author)

Waiting until we fix this bug in the Inertia <Form> component inertiajs/inertia#2558, as it will clean up a few unnecessary parts.

@OliverSpeak

Why is this using Fortify? I don't see how it makes sense to use part of that package when the rest of the authentication is already handled by open code.

@Diddyy commented Sep 3, 2025

> Waiting until we fix this bug in the Inertia <Form> component inertiajs/inertia#2558, as it will clean up a few unnecessary parts.

It's been merged!

@pushpak1300 (Member, Author)

> It's been merged!

Hey, it needs to be tagged in a new release in order to use it. I'm tracking it and will push the changes once it's tagged.

@ludo237 commented Sep 3, 2025

> Why is this using Fortify? I don't see how it makes sense to use part of that package when the rest of the authentication is already handled by open code.

Don't bother, they won't listen. Just wait for a maintainer to close this.

@pushpak1300 pushpak1300 marked this pull request as ready for review September 3, 2025 15:32
@tnylea (Contributor) commented Sep 4, 2025

Thanks for the shout out @pushpak1300 😁

Excited to see this released 👍

@pushpak1300 pushpak1300 force-pushed the feat/add_two_factor_auth branch from e5f8b6f to 29c28f5 Compare September 11, 2025 17:32
@pushpak1300 pushpak1300 force-pushed the feat/add_two_factor_auth branch from 29c28f5 to e18dbbe Compare September 11, 2025 17:46
@thewebartisan7

I have concerns about using Laravel Fortify solely for adding Two-Factor Authentication (2FA) in this pull request. The Laravel React Starter Kit is intended to be a lightweight foundation, and introducing Fortify, which is a more comprehensive and framework-agnostic authentication solution, feels like overkill for this specific feature.
Here are my reasons for suggesting an alternative approach:

  • Lightweight Design: The starter kit is meant to be minimal and flexible. Adding Fortify for just 2FA introduces unnecessary dependencies and complexity, which could bloat the project and deviate from its lightweight ethos.

  • Avoiding a Jetstream-like Solution: Fortify is a robust tool, but it’s better suited for projects requiring a full suite of authentication features. Using it here risks turning the starter kit into something akin to Laravel Jetstream, which contradicts the goal of keeping it simple.

  • Alternative Packages: There are lighter, more focused packages available for implementing 2FA, such as google2fa-laravel or Laragear/TwoFactor. These packages provide a straightforward way to add 2FA without the overhead of Fortify.

  • Documentation Clarity: If Fortify is used, the Laravel documentation (e.g., Fortify documentation) should be updated to clarify when and why Fortify is the right choice for projects like this. This would help developers understand the decision and avoid confusion.

I suggest exploring a lighter solution like google2fa-laravel, Laragear/TwoFactor or a custom 2FA implementation to keep the starter kit lean while still providing robust security. If Fortify is retained, a clear justification for its inclusion over simpler alternatives would be helpful.

Looking forward to hearing your thoughts!

@pushpak1300 (Member, Author)

Thanks for raising these points! I totally get the concern about keeping the starter kit lightweight. The reason we went with Fortify here is that it’s already battle-tested and gives us a reliable foundation for 2FA without reinventing the wheel.

We’re still evaluating Fortify’s usage across the other parts of the starter kits, but that’s outside the scope of this MR, so those changes aren’t included here. For 2FA specifically, we’ll stick with Fortify since it provides configurable options that teams can easily opt-in or opt-out of depending on their needs.

@thewebartisan7

Thanks for the follow-up! One more angle from the starter kit perspective: this repo is meant to be a starting point that teams are encouraged to adapt. In that spirit, 2FA doesn't need to live in the base by default. And if we do ship it, it should be trivial to remove or toggle off so teams who don't need OTP aren't forced to carry that surface area.

A focused package like Laragear/TwoFactor keeps things lean while still being battle-tested. I'm integrating it now and it works well with Inertia. It gives us 2FA without pulling in Fortify's broader scope, and if a team doesn't want OTP, they can delete it quickly or flip a flag, which aligns with the "starter kit, not a framework package" philosophy.

We could also include a simple config toggle inside the package config file (e.g., two-factor.enabled = false by default) so projects can enable it in one place, or remove it entirely, keeping the kit lean.

I'm happy to open a small follow-up showing this approach that I've already implemented in a project.

For full transparency: I'm one of those who often push back on Fortify/Jetstream and prefer the simplicity of Breeze, so I may be a bit partial here. I'm sure there are others who will be happy to have it.

@joetannenbaum (Contributor) left a comment

Looks good, thanks @pushpak1300 👍

# Conflicts:
#	resources/js/app.tsx
#	resources/js/components/delete-user.tsx
#	resources/js/layouts/settings/layout.tsx
#	resources/js/pages/auth/confirm-password.tsx
#	resources/js/pages/settings/password.tsx
#	resources/js/pages/settings/profile.tsx
@taylorotwell taylorotwell merged commit ed51c24 into main Sep 18, 2025
3 of 5 checks passed
@taylorotwell taylorotwell deleted the feat/add_two_factor_auth branch September 18, 2025 20:34