Stash intended URL in session for 2FA setup middleware

jasonvarga · claude · jasonvarga · commit 0cd77d2d4204 · 2026-04-29T16:04:25.000-04:00
The frontend RedirectIfTwoFactorSetupIncomplete middleware previously
threaded the original URL through a referer query string, but the
TwoFactorSetupController had been switched to read url.intended from
the session — leaving the query string dead and dropping the original
URL for already-authenticated users bounced into setup. Both middlewares
now stash the URL via setIntendedUrl, and the CP setup controller reads
it back via getIntendedUrl, keeping CP and frontend on the same
mechanism.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Http/Controllers/CP/Auth/TwoFactorSetupController.php b/src/Http/Controllers/CP/Auth/TwoFactorSetupController.php
@@ -16,10 +16,10 @@ public function __construct(Request $request)
     protected function redirectPath()
     {
         $cp = cp_route('index');
-        $referer = request('referer');
-        $referredFromCp = Str::startsWith($referer, $cp) && ! Str::startsWith($referer, $cp.'/auth/');
+        $intended = redirect()->getIntendedUrl();
+        $isCpUrl = $intended && Str::startsWith($intended, $cp) && ! Str::startsWith($intended, $cp.'/auth/');
 
-        return $referredFromCp ? $referer : $cp;
+        return $isCpUrl ? $intended : $cp;
     }
 
     protected function routes($user): array
diff --git a/src/Http/Middleware/CP/RedirectIfTwoFactorSetupIncomplete.php b/src/Http/Middleware/CP/RedirectIfTwoFactorSetupIncomplete.php
@@ -2,7 +2,6 @@
 
 namespace Statamic\Http\Middleware\CP;
 
-use Illuminate\Http\Request;
 use Statamic\Http\Middleware\RedirectIfTwoFactorSetupIncomplete as Middleware;
 
 class RedirectIfTwoFactorSetupIncomplete extends Middleware
@@ -12,10 +11,8 @@ protected function redirectRoute(): string
         return 'statamic.cp.two-factor-setup';
     }
 
-    protected function redirectUrl(Request $request): string
+    protected function redirectUrl(): string
     {
-        return route($this->redirectRoute(), [
-            'referer' => $request->fullUrl(),
-        ]);
+        return route($this->redirectRoute());
     }
 }
diff --git a/src/Http/Middleware/RedirectIfTwoFactorSetupIncomplete.php b/src/Http/Middleware/RedirectIfTwoFactorSetupIncomplete.php
@@ -23,7 +23,9 @@ public function handle(Request $request, Closure $next)
                 app(EnableTwoFactorAuthentication::class)($user);
             }
 
-            return redirect($this->redirectUrl($request));
+            redirect()->setIntendedUrl($request->fullUrl());
+
+            return redirect($this->redirectUrl());
         }
 
         return $next($request);
@@ -41,15 +43,9 @@ protected function isSetupUrl(Request $request): bool
         return $currentPath === $customPath;
     }
 
-    protected function redirectUrl(Request $request): string
+    protected function redirectUrl(): string
     {
-        if ($url = config('statamic.users.two_factor_setup_url')) {
-            return $url;
-        }
-
-        return route($this->redirectRoute(), [
-            'referer' => $request->fullUrl(),
-        ]);
+        return config('statamic.users.two_factor_setup_url') ?? route($this->redirectRoute());
     }
 
     protected function redirectRoute(): string
diff --git a/tests/Feature/Users/TwoFactorRoutesTest.php b/tests/Feature/Users/TwoFactorRoutesTest.php
@@ -63,7 +63,8 @@ public function cp_two_factor_setup_middleware_redirects_when_two_factor_is_enfo
         $this
             ->actingAs($user)
             ->get(cp_route('dashboard'))
-            ->assertRedirect(cp_route('two-factor-setup', ['referer' => cp_route('dashboard')]));
+            ->assertRedirect(cp_route('two-factor-setup'))
+            ->assertSessionHas('url.intended', cp_route('dashboard'));
     }
 
     #[Test]
@@ -93,7 +94,8 @@ public function cp_two_factor_setup_middleware_ignores_frontend_setup_url_config
         $this
             ->actingAs($user)
             ->get(cp_route('dashboard'))
-            ->assertRedirect(cp_route('two-factor-setup', ['referer' => cp_route('dashboard')]));
+            ->assertRedirect(cp_route('two-factor-setup'))
+            ->assertSessionHas('url.intended', cp_route('dashboard'));
     }
 
     #[Test]
@@ -106,7 +108,8 @@ public function frontend_two_factor_setup_middleware_redirects_when_two_factor_i
         $this
             ->actingAs($user)
             ->get('/test-frontend-route')
-            ->assertRedirect(route('statamic.two-factor-setup', ['referer' => url('/test-frontend-route')]));
+            ->assertRedirect(route('statamic.two-factor-setup'))
+            ->assertSessionHas('url.intended', url('/test-frontend-route'));
     }
 
     #[Test]
@@ -121,7 +124,8 @@ public function frontend_two_factor_setup_middleware_generates_secret_when_none_
         $this
             ->actingAs($user)
             ->get('/test-frontend-route')
-            ->assertRedirect(route('statamic.two-factor-setup', ['referer' => url('/test-frontend-route')]));
+            ->assertRedirect(route('statamic.two-factor-setup'))
+            ->assertSessionHas('url.intended', url('/test-frontend-route'));
 
         $this->assertNotNull($user->fresh()->two_factor_secret);
     }
@@ -138,7 +142,8 @@ public function frontend_two_factor_setup_middleware_does_not_regenerate_existin
         $this
             ->actingAs($user)
             ->get('/test-frontend-route')
-            ->assertRedirect(route('statamic.two-factor-setup', ['referer' => url('/test-frontend-route')]));
+            ->assertRedirect(route('statamic.two-factor-setup'))
+            ->assertSessionHas('url.intended', url('/test-frontend-route'));
 
         $this->assertEquals($existing, $user->fresh()->two_factor_secret);
     }
diff --git a/tests/Feature/Users/TwoFactorSetupTest.php b/tests/Feature/Users/TwoFactorSetupTest.php
@@ -35,13 +35,12 @@ public function it_redirects_to_the_dashboard_if_the_user_is_already_set_up()
     }
 
     #[Test]
-    public function redirect_url_is_referer()
+    public function redirect_url_is_intended_url()
     {
         $this
             ->actingAs($this->user())
-            ->get(cp_route('two-factor-setup', [
-                'referer' => 'http://localhost/cp/collections',
-            ]))
+            ->withSession(['url.intended' => 'http://localhost/cp/collections'])
+            ->get(cp_route('two-factor-setup'))
             ->assertInertia(fn ($page) => $page->where('redirect', 'http://localhost/cp/collections'));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -16,10 +16,10 @@ public function __construct(Request $request)`
`16`	`16`	`protected function redirectPath()`
`17`	`17`	`{`
`18`	`18`	`$cp = cp_route('index');`
`19`		`- $referer = request('referer');`
`20`		`- $referredFromCp = Str::startsWith($referer, $cp) && ! Str::startsWith($referer, $cp.'/auth/');`
	`19`	`+ $intended = redirect()->getIntendedUrl();`
	`20`	`+ $isCpUrl = $intended && Str::startsWith($intended, $cp) && ! Str::startsWith($intended, $cp.'/auth/');`
`21`	`21`
`22`		`- return $referredFromCp ? $referer : $cp;`
	`22`	`+ return $isCpUrl ? $intended : $cp;`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`protected function routes($user): array`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@`
`2`	`2`
`3`	`3`	`namespace Statamic\Http\Middleware\CP;`
`4`	`4`
`5`		`-use Illuminate\Http\Request;`
`6`	`5`	`use Statamic\Http\Middleware\RedirectIfTwoFactorSetupIncomplete as Middleware;`
`7`	`6`
`8`	`7`	`class RedirectIfTwoFactorSetupIncomplete extends Middleware`
`@@ -12,10 +11,8 @@ protected function redirectRoute(): string`
`12`	`11`	`return 'statamic.cp.two-factor-setup';`
`13`	`12`	`}`
`14`	`13`
`15`		`- protected function redirectUrl(Request $request): string`
	`14`	`+ protected function redirectUrl(): string`
`16`	`15`	`{`
`17`		`- return route($this->redirectRoute(), [`
`18`		`- 'referer' => $request->fullUrl(),`
`19`		`- ]);`
	`16`	`+ return route($this->redirectRoute());`
`20`	`17`	`}`
`21`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,9 @@ public function handle(Request $request, Closure $next)`
`23`	`23`	`app(EnableTwoFactorAuthentication::class)($user);`
`24`	`24`	`}`
`25`	`25`
`26`		`- return redirect($this->redirectUrl($request));`
	`26`	`+ redirect()->setIntendedUrl($request->fullUrl());`
	`27`	`+`
	`28`	`+ return redirect($this->redirectUrl());`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`return $next($request);`
`@@ -41,15 +43,9 @@ protected function isSetupUrl(Request $request): bool`
`41`	`43`	`return $currentPath === $customPath;`
`42`	`44`	`}`
`43`	`45`
`44`		`- protected function redirectUrl(Request $request): string`
	`46`	`+ protected function redirectUrl(): string`
`45`	`47`	`{`
`46`		`- if ($url = config('statamic.users.two_factor_setup_url')) {`
`47`		`- return $url;`
`48`		`- }`
`49`		`-`
`50`		`- return route($this->redirectRoute(), [`
`51`		`- 'referer' => $request->fullUrl(),`
`52`		`- ]);`
	`48`	`+ return config('statamic.users.two_factor_setup_url') ?? route($this->redirectRoute());`
`53`	`49`	`}`
`54`	`50`
`55`	`51`	`protected function redirectRoute(): string`
Original file line number	Diff line number	Diff line change
`@@ -35,13 +35,12 @@ public function it_redirects_to_the_dashboard_if_the_user_is_already_set_up()`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`#[Test]`
`38`		`- public function redirect_url_is_referer()`
	`38`	`+ public function redirect_url_is_intended_url()`
`39`	`39`	`{`
`40`	`40`	`$this`
`41`	`41`	`->actingAs($this->user())`
`42`		`- ->get(cp_route('two-factor-setup', [`
`43`		`- 'referer' => 'http://localhost/cp/collections',`
`44`		`- ]))`
	`42`	`+ ->withSession(['url.intended' => 'http://localhost/cp/collections'])`
	`43`	`+ ->get(cp_route('two-factor-setup'))`
`45`	`44`	`->assertInertia(fn ($page) => $page->where('redirect', 'http://localhost/cp/collections'));`
`46`	`45`	`}`
`47`	`46`