Move frontend 2FA URLs to config

Replaces the two_factor_challenge_url/two_factor_setup_url tag params and
hidden-field plumbing with statamic.users.two_factor_challenge_url and
two_factor_setup_url config keys. Eliminates the encrypt/decrypt dance
and the session-based URL storage. CP flows are unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

config/users.php

@@ -211,6 +211,22 @@
 
     'two_factor_enforced_roles' => [],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Two-Factor Authentication URLs
+    |--------------------------------------------------------------------------
+    |
+    | When users log in to the frontend and need to verify a two-factor code
+    | or set up two-factor authentication, they will be redirected to these
+    | URLs. Leave null to use the built-in pages. Control panel flows are
+    | unaffected and always use their own pages.
+    |
+    */
+
+    'two_factor_challenge_url' => null,
+
+    'two_factor_setup_url' => null,
+
     /*
     |--------------------------------------------------------------------------
     | Default Sorting

src/Auth/UserTags.php

@@ -107,7 +107,7 @@ public function loginForm()
             'passkey_verify_url' => route('statamic.passkeys.login'),
         ]);
 
-        $knownParams = ['redirect', 'error_redirect', 'allow_request_redirect', 'two_factor_challenge_url', 'two_factor_setup_url'];
+        $knownParams = ['redirect', 'error_redirect', 'allow_request_redirect'];
 
         $action = route('statamic.login');
         $method = 'POST';
@@ -122,14 +122,6 @@ public function loginForm()
             $params['error_redirect'] = $this->parseRedirect($errorRedirect);
         }
 
-        if ($twoFactorChallengeUrl = $this->params->get('two_factor_challenge_url')) {
-            $params['two_factor_challenge_url'] = $twoFactorChallengeUrl;
-        }
-
-        if ($twoFactorSetupUrl = $this->params->get('two_factor_setup_url')) {
-            $params['two_factor_setup_url'] = encrypt($twoFactorSetupUrl);
-        }
-
         if (! $this->canParseContents()) {
             return array_merge([
                 'attrs' => $this->formAttrs($action, $method, $knownParams),
@@ -1034,7 +1026,7 @@ public function disableTwoFactorForm()
 
         $data = $this->getFormSession();
 
-        $knownParams = ['redirect', 'allow_request_redirect', 'setup_url'];
+        $knownParams = ['redirect', 'allow_request_redirect'];
 
         $method = 'DELETE';
         $action = route('statamic.users.two-factor.disable');
@@ -1043,10 +1035,6 @@ public function disableTwoFactorForm()
             $params['redirect'] = $this->parseRedirect($redirect);
         }
 
-        if ($setupUrl = $this->params->get('setup_url')) {
-            $params['setup_url'] = $setupUrl;
-        }
-
         if (! $this->canParseContents()) {
             return array_merge([
                 'attrs' => $this->formAttrs($action, $method, $knownParams),

src/Http/Controllers/CP/Auth/TwoFactorChallengeController.php

@@ -3,14 +3,9 @@
 namespace Statamic\Http\Controllers\CP\Auth;
 
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Auth;
-use Inertia\Inertia;
-use Statamic\Events\TwoFactorAuthenticationFailed;
-use Statamic\Events\ValidTwoFactorAuthenticationCodeProvided;
 use Statamic\Http\Controllers\TwoFactorChallengeController as Controller;
 use Statamic\Http\Middleware\CP\HandleInertiaRequests;
 use Statamic\Http\Middleware\CP\RedirectIfAuthorized;
-use Statamic\Http\Requests\TwoFactorChallengeRequest;
 use Statamic\Support\Str;
 
 class TwoFactorChallengeController extends Controller
@@ -22,37 +17,6 @@ public function __construct()
         $this->middleware(RedirectIfAuthorized::class);
     }
 
-    public function store(TwoFactorChallengeRequest $request)
-    {
-        $user = $request->challengedUser();
-
-        if ($code = $request->validRecoveryCode()) {
-            $user->replaceTwoFactorRecoveryCode($code);
-        } elseif (! $request->hasValidCode()) {
-            TwoFactorAuthenticationFailed::dispatch($user);
-
-            return $this->sendFailedResponse($request);
-        }
-
-        ValidTwoFactorAuthenticationCodeProvided::dispatch($user);
-
-        Auth::guard()->login($user, $request->remember());
-
-        $this->clearTwoFactorSession($request);
-
-        $request->session()->elevate();
-
-        $request->session()->regenerate();
-
-        if ($request->inertia() || $request->expectsJson()) {
-            return $request->inertia()
-                ? Inertia::location($this->redirectPath($request))
-                : response('Authenticated');
-        }
-
-        return redirect()->intended($this->redirectPath($request));
-    }
-
     protected function formAction()
     {
         return cp_route('two-factor-challenge');

src/Http/Controllers/Concerns/HandlesLogins.php

@@ -3,7 +3,6 @@
 namespace Statamic\Http\Controllers\Concerns;
 
 use Illuminate\Contracts\Auth\Authenticatable;
-use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\ValidationException;
@@ -66,16 +65,6 @@ protected function twoFactorChallengeResponse(Request $request, User $user)
             'login.remember' => $request->boolean('remember'),
         ];
 
-        if ($challengeUrl = $request->input('_two_factor_challenge_url')) {
-            if (! URL::isExternalToApplication($challengeUrl)) {
-                $session['login.two_factor_challenge_url'] = $challengeUrl;
-            }
-        }
-
-        if ($setupUrl = $this->decryptSetupUrl($request->input('_two_factor_setup_url'))) {
-            $session['login.two_factor_setup_url'] = $setupUrl;
-        }
-
         if ($redirect = $request->input('_redirect')) {
             if (! URL::isExternalToApplication($redirect)) {
                 $session['login.redirect'] = $redirect;
@@ -86,14 +75,9 @@ protected function twoFactorChallengeResponse(Request $request, User $user)
 
         TwoFactorAuthenticationChallenged::dispatch($user);
 
-        $challengeRedirect = ($challengeUrl = $request->input('_two_factor_challenge_url'))
-            && ! URL::isExternalToApplication($challengeUrl)
-            ? $challengeUrl
-            : $this->twoFactorChallengeRedirect();
-
         return $request->wantsJson()
             ? response()->json(['two_factor' => true])
-            : redirect($challengeRedirect);
+            : redirect($this->twoFactorChallengeRedirect());
     }
 
     abstract protected function twoFactorChallengeRedirect(): string;
@@ -106,19 +90,4 @@ protected function authenticate(Request $request, Authenticatable $user): void
 
         $request->session()->regenerate();
     }
-
-    private function decryptSetupUrl(?string $value): ?string
-    {
-        if (! $value) {
-            return null;
-        }
-
-        try {
-            $url = decrypt($value);
-        } catch (DecryptException $e) {
-            return null;
-        }
-
-        return URL::isExternalToApplication($url) ? null : $url;
-    }
 }

src/Http/Controllers/TwoFactorChallengeController.php

@@ -52,8 +52,6 @@ public function store(TwoFactorChallengeRequest $request)
 
         Auth::guard()->login($user, $request->remember());
 
-        $this->clearTwoFactorSession($request);
-
         $request->session()->elevate();
 
         $request->session()->regenerate();
@@ -75,21 +73,9 @@ protected function sendFailedResponse(TwoFactorChallengeRequest $request)
             }
         }
 
-        if ($challengeUrl = $request->session()->get('login.two_factor_challenge_url')) {
-            return $request->sendFailedTwoFactorChallengeResponse($challengeUrl);
-        }
-
         return $request->sendFailedTwoFactorChallengeResponse($this->failedRedirectPath());
     }
 
-    protected function clearTwoFactorSession(Request $request): void
-    {
-        $request->session()->forget([
-            'login.two_factor_challenge_url',
-            'login.two_factor_setup_url',
-        ]);
-    }
-
     protected function formAction()
     {
         return route('statamic.two-factor-challenge');
@@ -114,6 +100,6 @@ protected function redirectPath(Request $request)
 
     protected function failedRedirectPath()
     {
-        return route('statamic.two-factor-challenge');
+        return config('statamic.users.two_factor_challenge_url') ?? route('statamic.two-factor-challenge');
     }
 }

src/Http/Controllers/User/LoginController.php

@@ -29,25 +29,17 @@ public function login(UserLoginRequest $request)
             return $this->twoFactorChallengeResponse($request, $user);
         }
 
-        if ($setupUrl = $this->decryptSetupUrl($request->input('_two_factor_setup_url'))) {
-            $request->session()->put('login.two_factor_setup_url', $setupUrl);
-        }
+        $redirect = $request->input('_redirect');
+        $redirect = $redirect && ! URL::isExternalToApplication($redirect) ? $redirect : null;
 
-        if ($redirect = $request->input('_redirect')) {
-            if (! URL::isExternalToApplication($redirect)) {
-                $request->session()->put('login.redirect', $redirect);
-            }
+        // If 2FA setup is required, stash the redirect so the setup flow can use it after completion.
+        if (TwoFactor::enabled() && $user->isTwoFactorAuthenticationRequired() && ! $user->hasEnabledTwoFactorAuthentication() && $redirect) {
+            $request->session()->put('login.redirect', $redirect);
         }
 
         $this->authenticate($request, $user);
 
-        $redirect = $request->input('_redirect');
-
-        $url = $redirect && ! URL::isExternalToApplication($redirect)
-            ? $redirect
-            : route('statamic.site');
-
-        return redirect($url)->withSuccess(__('Login successful.'));
+        return redirect($redirect ?? route('statamic.site'))->withSuccess(__('Login successful.'));
     }
 
     private function checkPasskeyEnforcement(Request $request)
@@ -77,7 +69,7 @@ private function checkPasskeyEnforcement(Request $request)
 
     protected function twoFactorChallengeRedirect(): string
     {
-        return route('statamic.two-factor-challenge');
+        return config('statamic.users.two_factor_challenge_url') ?? route('statamic.two-factor-challenge');
     }
 
     /**

src/Http/Controllers/User/TwoFactorAuthenticationController.php

@@ -59,7 +59,7 @@ public function disable(Request $request, DisableTwoFactorAuthentication $disabl
 
         $disable($user);
 
-        if (! $request->has('_redirect') && ! $request->has('_setup_url')) {
+        if (! $request->has('_redirect')) {
             if ($user->isTwoFactorAuthenticationRequired()) {
                 return ['redirect' => $this->setupUrlRedirect()];
             }
@@ -68,35 +68,13 @@ public function disable(Request $request, DisableTwoFactorAuthentication $disabl
         }
 
         if ($user->isTwoFactorAuthenticationRequired()) {
-            $this->storeSetupUrlInSession($request);
-
-            return redirect($this->getSetupUrl($request))
+            return redirect($this->setupUrlRedirect())
                 ->with('success', __('Two-factor authentication disabled.'));
         }
 
         return $this->formSuccessRedirect($request, __('Two-factor authentication disabled.'));
     }
 
-    private function getSetupUrl(Request $request): string
-    {
-        $setupUrl = $request->input('_setup_url');
-
-        if ($setupUrl && ! URL::isExternalToApplication($setupUrl)) {
-            return $setupUrl;
-        }
-
-        return $this->setupUrlRedirect();
-    }
-
-    private function storeSetupUrlInSession(Request $request): void
-    {
-        $setupUrl = $request->input('_setup_url');
-
-        if ($setupUrl && ! URL::isExternalToApplication($setupUrl)) {
-            $request->session()->put('login.two_factor_setup_url', $setupUrl);
-        }
-    }
-
     private function handleFormValidationError(Request $request, ValidationException $e)
     {
         $errorRedirect = $request->input('_error_redirect');
@@ -132,6 +110,6 @@ protected function confirmUrl()
 
     protected function setupUrlRedirect()
     {
-        return route('statamic.two-factor-setup');
+        return config('statamic.users.two_factor_setup_url') ?? route('statamic.two-factor-setup');
     }
 }

src/Http/Middleware/RedirectIfTwoFactorSetupIncomplete.php

@@ -5,7 +5,6 @@
 use Closure;
 use Illuminate\Http\Request;
 use Statamic\Facades\TwoFactor;
-use Statamic\Facades\URL;
 use Statamic\Facades\User;
 
 class RedirectIfTwoFactorSetupIncomplete
@@ -27,28 +26,20 @@ public function handle(Request $request, Closure $next)
 
     protected function isSetupUrl(Request $request): bool
     {
-        $currentPath = '/'.ltrim($request->path(), '/');
-
-        // Check if we're on the custom setup URL from session.
-        if ($request->hasSession() && ($customUrl = $request->session()->get('login.two_factor_setup_url'))) {
-            if (! URL::isExternalToApplication($customUrl)) {
-                $customPath = '/'.ltrim(parse_url($customUrl, PHP_URL_PATH), '/');
-
-                if ($currentPath === $customPath) {
-                    return true;
-                }
-            }
+        if (! $customUrl = config('statamic.users.two_factor_setup_url')) {
+            return false;
         }
 
-        return false;
+        $currentPath = '/'.ltrim($request->path(), '/');
+        $customPath = '/'.ltrim(parse_url($customUrl, PHP_URL_PATH) ?? '', '/');
+
+        return $currentPath === $customPath;
     }
 
     protected function redirectUrl(Request $request): string
     {
-        if ($request->hasSession() && ($url = $request->session()->get('login.two_factor_setup_url'))) {
-            if (! URL::isExternalToApplication($url)) {
-                return $url;
-            }
+        if ($url = config('statamic.users.two_factor_setup_url')) {
+            return $url;
         }
 
         return route($this->redirectRoute(), [