Use expectsJson to distinguish CP vs frontend 2FA responses

Frontend form submissions without a _redirect param now redirect back
with a flash message instead of returning raw JSON. CP axios calls keep
their JSON response because they set the appropriate Accept header.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

src/Http/Controllers/User/TwoFactorAuthenticationController.php

@@ -39,14 +39,14 @@ public function confirm(Request $request, ConfirmTwoFactorAuthentication $confir
         try {
             $confirm($user, $request->input('code'));
         } catch (ValidationException $e) {
-            if (! $request->has('_redirect')) {
+            if ($request->expectsJson()) {
                 throw $e;
             }
 
             return $this->handleFormValidationError($request, $e);
         }
 
-        if (! $request->has('_redirect')) {
+        if ($request->expectsJson()) {
             return [];
         }
 
@@ -59,7 +59,7 @@ public function disable(Request $request, DisableTwoFactorAuthentication $disabl
 
         $disable($user);
 
-        if (! $request->has('_redirect')) {
+        if ($request->expectsJson()) {
             if ($user->isTwoFactorAuthenticationRequired()) {
                 return ['redirect' => $this->setupUrlRedirect()];
             }
@@ -100,7 +100,7 @@ private function formSuccessRedirect(Request $request, string $message)
             }
         }
 
-        return redirect(route('statamic.site'))->with('success', $message);
+        return back()->with('success', $message);
     }
 
     protected function confirmUrl()

src/Http/Controllers/User/TwoFactorRecoveryCodesController.php

@@ -22,7 +22,7 @@ public function store(Request $request, GenerateNewRecoveryCodes $generateRecove
 
         $generateRecoveryCodes($user);
 
-        if (! $request->has('_redirect')) {
+        if ($request->expectsJson()) {
             return ['recovery_codes' => $user->twoFactorRecoveryCodes()];
         }
 

tests/Feature/Users/DisableTwoFactorTest.php

@@ -29,7 +29,7 @@ public function it_disables_two_factor_authentication()
         $this
             ->actingAs($user)
             ->withActiveElevatedSession()
-            ->delete(cp_route('users.two-factor.disable'))
+            ->deleteJson(cp_route('users.two-factor.disable'))
             ->assertOk()
             ->assertJson(['redirect' => null]);
 
@@ -55,7 +55,7 @@ public function it_disables_two_factor_authentication_when_two_factor_is_enforce
         $this
             ->actingAs($user)
             ->withActiveElevatedSession()
-            ->delete(cp_route('users.two-factor.disable'))
+            ->deleteJson(cp_route('users.two-factor.disable'))
             ->assertOk()
             ->assertJson(['redirect' => cp_route('two-factor-setup')]);
 

tests/Feature/Users/EnableTwoFactorTest.php

@@ -143,7 +143,7 @@ public function it_confirms_two_factor_authentication($url)
         $this
             ->actingAs($user)
             ->withActiveElevatedSession()
-            ->post($url(), [
+            ->postJson($url(), [
                 'code' => $this->getOneTimeCode($user),
             ])
             ->assertOk();

tests/Feature/Users/TwoFactorRecoveryCodesTest.php

@@ -76,7 +76,7 @@ public function it_generates_recovery_codes($url)
         $this
             ->actingAs($user)
             ->withActiveElevatedSession()
-            ->post($url())
+            ->postJson($url())
             ->assertOk()
             ->assertJsonStructure(['recovery_codes']);
     }

tests/Tags/User/DisableTwoFactorFormTest.php

@@ -137,7 +137,7 @@ public function it_falls_back_to_default_setup_route_when_no_config_and_2fa_is_e
     }
 
     #[Test]
-    public function it_uses_login_redirect_from_session_when_no_redirect_param()
+    public function it_prefers_redirect_param_over_login_redirect_in_session()
     {
         $user = $this->userWithTwoFactorEnabled();
 
@@ -155,6 +155,37 @@ public function it_uses_login_redirect_from_session_when_no_redirect_param()
         $this->assertNull($user->fresh()->two_factor_confirmed_at);
     }
 
+    #[Test]
+    public function it_redirects_back_without_redirect_param()
+    {
+        $user = $this->userWithTwoFactorEnabled();
+
+        $this
+            ->actingAs($user)
+            ->session(['statamic_elevated_session' => now()->timestamp])
+            ->from('/account')
+            ->delete(route('statamic.users.two-factor.disable'))
+            ->assertRedirect('/account')
+            ->assertSessionHas('success');
+
+        $this->assertNull($user->fresh()->two_factor_confirmed_at);
+    }
+
+    #[Test]
+    public function it_returns_json_for_xhr_requests()
+    {
+        $user = $this->userWithTwoFactorEnabled();
+
+        $this
+            ->actingAs($user)
+            ->session(['statamic_elevated_session' => now()->timestamp])
+            ->deleteJson(route('statamic.users.two-factor.disable'))
+            ->assertOk()
+            ->assertJson(['redirect' => null]);
+
+        $this->assertNull($user->fresh()->two_factor_confirmed_at);
+    }
+
     private function user()
     {
         return tap(User::make()->makeSuper()->email('test@example.com'))->save();

tests/Tags/User/ResetTwoFactorRecoveryCodesFormTest.php

@@ -111,13 +111,24 @@ public function it_redirects_back_without_redirect_param()
             ->actingAs($user)
             ->session(['statamic_elevated_session' => now()->timestamp])
             ->from('/account/security')
-            ->post(route('statamic.users.two-factor.recovery-codes.generate'), [
-                '_redirect' => '/account/security',
-            ])
+            ->post(route('statamic.users.two-factor.recovery-codes.generate'))
             ->assertRedirect('/account/security')
             ->assertSessionHas('success');
     }
 
+    #[Test]
+    public function it_returns_json_for_xhr_requests()
+    {
+        $user = $this->userWithTwoFactorEnabled();
+
+        $this
+            ->actingAs($user)
+            ->session(['statamic_elevated_session' => now()->timestamp])
+            ->postJson(route('statamic.users.two-factor.recovery-codes.generate'))
+            ->assertOk()
+            ->assertJsonStructure(['recovery_codes']);
+    }
+
     private function user()
     {
         return tap(User::make()->makeSuper()->email('test@example.com'))->save();

tests/Tags/User/TwoFactorSetupFormTest.php

@@ -119,15 +119,34 @@ public function it_confirms_setup_and_redirects()
     }
 
     #[Test]
-    public function it_redirects_to_home_without_redirect_param()
+    public function it_redirects_back_without_redirect_param()
     {
         $user = $this->userWithTwoFactorPending();
 
         $this
             ->actingAs($user)
+            ->from('/setup-2fa')
             ->post(route('statamic.users.two-factor.confirm'), [
                 'code' => $this->getOneTimeCode($user),
-            ]);
+            ])
+            ->assertRedirect('/setup-2fa')
+            ->assertSessionHas('success');
+
+        $this->assertNotNull($user->fresh()->two_factor_confirmed_at);
+    }
+
+    #[Test]
+    public function it_returns_json_for_xhr_requests()
+    {
+        $user = $this->userWithTwoFactorPending();
+
+        $this
+            ->actingAs($user)
+            ->postJson(route('statamic.users.two-factor.confirm'), [
+                'code' => $this->getOneTimeCode($user),
+            ])
+            ->assertOk()
+            ->assertJson([]);
 
         $this->assertNotNull($user->fresh()->two_factor_confirmed_at);
     }