Add coverage for configured 2FA setup URL and login redirect stash

jasonvarga · claude · jasonvarga · commit b8952b65bb58 · 2026-04-22T10:11:29.000-04:00
Adds middleware tests for the configured two_factor_setup_url (redirect
target and loop bypass) and login-form tests covering when
login.redirect is or isn't stashed in the session.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/tests/Feature/Users/TwoFactorRoutesTest.php b/tests/Feature/Users/TwoFactorRoutesTest.php
@@ -23,6 +23,10 @@ protected function resolveApplicationConfiguration($app)
             Route::get('/test-frontend-route', function () {
                 return 'ok';
             })->middleware('statamic.web');
+
+            Route::get('/custom-setup', function () {
+                return 'setup page';
+            })->middleware('statamic.web');
         });
     }
 
@@ -87,6 +91,39 @@ public function frontend_two_factor_setup_middleware_redirects_when_two_factor_i
             ->assertRedirect(route('statamic.two-factor-setup', ['referer' => url('/test-frontend-route')]));
     }
 
+    #[Test]
+    public function frontend_two_factor_setup_middleware_redirects_to_configured_url()
+    {
+        config([
+            'statamic.users.two_factor_enforced_roles' => ['*'],
+            'statamic.users.two_factor_setup_url' => '/custom-setup',
+        ]);
+
+        $user = tap(User::make()->makeSuper()->email('admin@domain.com'))->save();
+
+        $this
+            ->actingAs($user)
+            ->get('/test-frontend-route')
+            ->assertRedirect('/custom-setup');
+    }
+
+    #[Test]
+    public function frontend_two_factor_setup_middleware_allows_configured_url_through()
+    {
+        config([
+            'statamic.users.two_factor_enforced_roles' => ['*'],
+            'statamic.users.two_factor_setup_url' => '/custom-setup',
+        ]);
+
+        $user = tap(User::make()->makeSuper()->email('admin@domain.com'))->save();
+
+        $this
+            ->actingAs($user)
+            ->get('/custom-setup')
+            ->assertOk()
+            ->assertSee('setup page');
+    }
+
     #[Test]
     #[DefineEnvironment('disableTwoFactor')]
     public function frontend_two_factor_setup_middleware_does_not_redirect_when_two_factor_is_disabled()
diff --git a/tests/Tags/User/LoginFormTest.php b/tests/Tags/User/LoginFormTest.php
@@ -387,6 +387,47 @@ public function it_stores_redirect_in_session_for_two_factor_challenge()
             ->assertSessionHas('login.redirect', '/dashboard');
     }
 
+    #[Test]
+    public function it_does_not_stash_login_redirect_when_two_factor_is_not_enforced()
+    {
+        User::make()
+            ->id(1)
+            ->email('san@holo.com')
+            ->password('chewy')
+            ->save();
+
+        $this
+            ->post('/!/auth/login', [
+                'token' => 'test-token',
+                'email' => 'san@holo.com',
+                'password' => 'chewy',
+                '_redirect' => '/dashboard',
+            ])
+            ->assertRedirect('/dashboard')
+            ->assertSessionMissing('login.redirect');
+    }
+
+    #[Test]
+    public function it_stashes_login_redirect_when_two_factor_setup_is_required()
+    {
+        config()->set('statamic.users.two_factor_enforced_roles', ['*']);
+
+        User::make()
+            ->id(1)
+            ->email('san@holo.com')
+            ->password('chewy')
+            ->save();
+
+        $this
+            ->post('/!/auth/login', [
+                'token' => 'test-token',
+                'email' => 'san@holo.com',
+                'password' => 'chewy',
+                '_redirect' => '/dashboard',
+            ])
+            ->assertSessionHas('login.redirect', '/dashboard');
+    }
+
     #[Test]
     #[DefineEnvironment('disableTwoFactor')]
     public function it_skips_two_factor_challenge_when_two_factor_is_disabled()
