Adding context length configuration for 2FA to ensure better security…

… standards (#568)

* Update TwoFactorAuthenticationProvider.php

Added secret length option to generate secret key

* Update EnableTwoFactorAuthentication.php

Consume a new option that can be set from config files to ensure basic required length for 2FA security

* Update TwoFactorAuthenticationProvider.php

Update contract to reflect new security standard in 2FA

* Update TwoFactorAuthenticationProvider.php

Reverted Contract mandatory parameter to avoid backward incompatibility

* Fixing typo TwoFactorAuthenticationProvider.php

* Switched case in EnableTwoFactorAuthentication.php

* Update TwoFactorAuthenticationProvider.php

src/Actions/EnableTwoFactorAuthentication.php

@@ -37,8 +37,11 @@ public function __construct(TwoFactorAuthenticationProvider $provider)
     public function __invoke($user, $force = false)
     {
         if (empty($user->two_factor_secret) || $force === true) {
+
+            $secretLength = (int) config('fortify-options.two-factor-authentication.secret-length', 16);
+
             $user->forceFill([
-                'two_factor_secret' => encrypt($this->provider->generateSecretKey()),
+                'two_factor_secret' => encrypt($this->provider->generateSecretKey($secretLength)),
                 'two_factor_recovery_codes' => encrypt(json_encode(Collection::times(8, function () {
                     return RecoveryCode::generate();
                 })->all())),

src/TwoFactorAuthenticationProvider.php

@@ -38,11 +38,12 @@ public function __construct(Google2FA $engine, Repository $cache = null)
     /**
      * Generate a new secret key.
      *
+     * @param  int  $secretLength
      * @return string
      */
-    public function generateSecretKey()
+    public function generateSecretKey(int $secretLength = 16)
     {
-        return $this->engine->generateSecretKey();
+        return $this->engine->generateSecretKey($secretLength);
     }
 
     /**