Ctrlpanel-gg · MrWeez · May 3, 2026 · May 3, 2026 · May 3, 2026 · May 3, 2026
diff --git a/.editorconfig b/.editorconfig
@@ -21,16 +21,10 @@ indent_size = 2
 indent_size = 4
 
 [*.blade.php]
-indent_size = 2
+indent_size = 4
 
 [*.js]
 indent_size = 4
 
-[*.jsx]
-indent_size = 2
-
-[*.tsx]
-indent_size = 2
-
 [*.json]
 indent_size = 4
diff --git a/app/Classes/TwoFactorExtension.php b/app/Classes/TwoFactorExtension.php
@@ -0,0 +1,104 @@
+<?php
+
+namespace App\Classes;
+
+use App\Models\User;
+use Illuminate\Http\Request;
+
+abstract class TwoFactorExtension extends AbstractExtension
+{
+    /**
+     * Get the unique identifier for this 2FA method.
+     */
+    abstract public function getName(): string;
+
+    /**
+     * Get the display label for this 2FA method.
+     */
+    abstract public function getLabel(): string;
+
+    /**
+     * Get the FontAwesome icon for this 2FA method.
+     */
+    abstract public function getIcon(): string;
+
+    /**
+     * Get a short description for this 2FA method.
+     */
+    abstract public function getDescription(): string;
+
+    /**
+     * Check if this 2FA method is available for the given user.
+     */
+    public function isAvailable(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Get the view name for the settings card in the profile.
+     */
+    abstract public function getSettingsView(): string;
+
+    /**
+     * Get the view name for the login challenge.
+     */
+    abstract public function getChallengeView(): string;
+
+    /**
+     * Verify the 2FA challenge.
+     */
+    abstract public function verify(Request $request): bool;
+
+    /**
+     * Handle the setup logic (AJAX).
+     */
+    abstract public function setup(Request $request);
+
+    /**
+     * Handle the enable logic (AJAX).
+     */
+    abstract public function enable(Request $request);
+
+    /**
+     * Handle the disable logic (AJAX).
+     */
+    abstract public function disable(Request $request);
+
+    /**
+     * Get the list of allowed actions that can be called via the action route.
+     *
+     * @return array
+     */
+    public function getAllowedActions(): array
+    {
+        return [];
+    }
+
+    /**
+     * Get the rate limit for a specific action.
+     * 
+     * @param string $action (setup, enable, disable, verify, action)
+     * @return array ['attempts' => int, 'minutes' => int]
+     */
+    public function getRateLimit(string $action): array
+    {
+        $defaults = [
+            'setup'   => ['attempts' => 3, 'minutes' => 1],
+            'enable'  => ['attempts' => 3, 'minutes' => 1],
+            'disable' => ['attempts' => 3, 'minutes' => 1],
+            'verify'  => ['attempts' => 5, 'minutes' => 1],
+            'action'  => ['attempts' => 3, 'minutes' => 5], // Default 3 per 5 mins for sensitive actions
+        ];
+
+        return $this->getConfig()['rate_limits'][$action] ?? $defaults[$action];
+    }
+
+    /**
+     * Get method-specific routes configuration if any.
+     */
+    public static function getConfig(): array
+    {
+        return [];
+    }
+}
diff --git a/app/Console/Commands/DisableTwoFactorCommand.php b/app/Console/Commands/DisableTwoFactorCommand.php
@@ -0,0 +1,133 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Models\User;
+use App\Services\TwoFactor\TwoFactorService;
+use Illuminate\Console\Command;
+
+class DisableTwoFactorCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'cp:user:2fa:disable {search? : The ID, Email, Username or Discord ID of the user}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Forcibly disable 2FA methods for a user';
+
+    protected $twoFactorService;
+
+    public function __construct(TwoFactorService $twoFactorService)
+    {
+        parent::__construct();
+        $this->twoFactorService = $twoFactorService;
+    }
+
+    /**
+     * Execute the console command.
+     */
+    public function handle()
+    {
+        $search = $this->argument('search');
+
+        if (!$search) {
+            $search = $this->ask('Please enter User ID, Email, Username or Discord ID');
+        }
+
+        if (!$search) {
+            $this->error('No search term provided.');
+            return 1;
+        }
+
+        $user = User::query()
+            ->where('id', $search)
+            ->orWhere('email', $search)
+            ->orWhere('name', $search)
+            ->orWhereHas('discordUser', function ($query) use ($search) {
+                $query->where('id', $search);
+            })
+            ->first();
+
+        if (!$user) {
+            $this->error("User not found with term: {$search}");
+            return 1;
+        }
+
+        $this->info("Found User: {$user->name} ({$user->email}) [ID: {$user->id}]");
+
+        $methods = $user->twoFactorMethods()->where('is_enabled', true)->get();
+
+        if ($methods->isEmpty()) {
+            $this->warn('This user does not have any 2FA methods enabled.');
+            return 0;
+        }
+
+        $choices = $methods->mapWithKeys(function ($m) {
+            $label = $this->twoFactorService->getExtension($m->method)?->getLabel() ?? ucfirst($m->method);
+            return [$m->method => "{$label} ({$m->method})"];
+        })->toArray();
+
+        $choices['all'] = 'Disable ALL methods';
+
+        $selected = $this->choice(
+            'Which 2FA methods do you want to disable?',
+            $choices,
+            null,
+            null,
+            true // Multiple selection
+        );
+
+        if (empty($selected)) {
+            $this->info('Nothing selected. Aborting.');
+            return 0;
+        }
+
+        if (in_array('Disable ALL methods', $selected) || in_array('all', $selected)) {
+            if ($this->confirm("Are you sure you want to disable ALL 2FA methods for {$user->name}?", true)) {
+                $user->twoFactorMethods()->delete();
+                $this->twoFactorService->clearVerified(request(), $user);
+                $this->success("Successfully disabled all 2FA methods for {$user->name}.");
+            }
+            return 0;
+        }
+
+        // Map back titles to keys if necessary (Laravel's choice with multiple can return values or keys depending on version/selection)
+        $methodKeys = [];
+        foreach ($selected as $choice) {
+            $key = array_search($choice, $choices);
+            if ($key !== false) {
+                $methodKeys[] = $key;
+            } else {
+                // If it already returned the key
+                if (isset($choices[$choice])) {
+                    $methodKeys[] = $choice;
+                }
+            }
+        }
+
+        if ($this->confirm("Disable selected methods: " . implode(', ', $methodKeys) . "?", true)) {
+            $user->twoFactorMethods()->whereIn('method', $methodKeys)->delete();
+
+            // If we disabled everything, clear verified state
+            if ($user->twoFactorMethods()->where('is_enabled', true)->count() === 0) {
+                $this->twoFactorService->clearVerified(request(), $user);
+            }
+
+            $this->success("Successfully disabled " . implode(', ', $methodKeys) . " for {$user->name}.");
+        }
+
+        return 0;
+    }
+
+    protected function success($message)
+    {
+        $this->output->writeln("<fg=green;options=bold> SUCCESS </> $message");
+    }
+}
diff --git a/app/Console/Kernel.php b/app/Console/Kernel.php
@@ -33,6 +33,7 @@ protected function schedule(Schedule $schedule)
         $schedule->command('payments:open:clear')->daily();
         $schedule->command('coupons:delete')->hourly();
         $schedule->command('vouchers:delete')->hourly();
+        $schedule->command('model:prune')->daily();
 
         //log cronjob activity
         $schedule->call(function () {

diff --git a/app/Extensions/TwoFactor/Dummy/DummyExtension.php b/app/Extensions/TwoFactor/Dummy/DummyExtension.php
@@ -0,0 +1,105 @@
+<?php
+
+namespace App\Extensions\TwoFactor\Dummy;
+
+use App\Classes\TwoFactorExtension;
+use App\Models\User;
+use App\Models\UserTwoFactorMethod;
+use Illuminate\Http\Request;
+
+class DummyExtension extends TwoFactorExtension
+{
+    public function getName(): string
+    {
+        return 'dummy';
+    }
+
+    public function getLabel(): string
+    {
+        return __('Dummy 2FA (Test)');
+    }
+
+    public function getIcon(): string
+    {
+        return 'fas fa-flask';
+    }
+
+    public function getDescription(): string
+    {
+        return __('A temporary method for testing modular 2FA.');
+    }
+
+    public function isAvailable(User $user): bool
+    {
+        return app()->environment('local');
+    }
+
+    public function getSettingsView(): string
+    {
+        if (!app()->environment('local')) {
+            abort(403);
+        }
+
+        return 'twofactor_dummy::profile_card';
+    }
+
+    public function getChallengeView(): string
+    {
+        if (!app()->environment('local')) {
+            abort(403);
+        }
+
+        return 'twofactor_dummy::auth.two-factor.dummy-challenge';
+    }
+
+    public function verify(Request $request): bool
+    {
+        if (!app()->environment('local')) {
+            abort(403);
+        }
+
+        return $request->input('code') === '123456';
+    }
+
+    public function setup(Request $request)
+    {
+        if (!app()->environment('local')) {
+            abort(403);
+        }
+
+        return response()->json(['message' => 'Dummy setup ready. Use code 123456 to enable.']);
+    }
+
+    public function enable(Request $request)
+    {
+        if (!app()->environment('local')) {
+            abort(403);
+        }
+
+        if ($request->input('code') !== '123456') {
+             return response()->json(['errors' => ['code' => ['Use 123456']]], 422);
+        }
+
+        UserTwoFactorMethod::updateOrCreate(
+            ['user_id' => $request->user()->id, 'method' => 'dummy'],
+            ['is_enabled' => true]
+        );
+
+        return response()->json(['message' => 'Dummy 2FA enabled!']);
+    }
+
+    /**
+     * NOTE: This is a dummy method for development only.
+     * In a production-ready extension, this method SHOULD require
+     * password or 2FA code verification before disabling.
+     */
+    public function disable(Request $request)
+    {
+        if (!app()->environment('local')) {
+            abort(403);
+        }
+
+        $request->user()->twoFactorMethods()->where('method', 'dummy')->delete();
+        return response()->json(['message' => 'Dummy 2FA disabled.']);
+    }
+}
diff --git a/app/Extensions/TwoFactor/Dummy/views/auth/two-factor/dummy-challenge.blade.php b/app/Extensions/TwoFactor/Dummy/views/auth/two-factor/dummy-challenge.blade.php
@@ -0,0 +1,27 @@
+@extends('layouts.app')
+
+@section('content')
+  @php($suppressSweetAlert2 = true)
+
+  <body class="hold-transition dark-mode login-page">
+  <div class="login-box">
+    <div class="card card-outline card-primary">
+      <div class="text-center card-header">
+        <a href="{{ route('welcome') }}" class="mb-2 h1"><b class="mr-1">{{ config('app.name', 'CtrlPanel.gg') }}</b></a>
+      </div>
+      <div class="card-body">
+        <p class="login-box-msg">{{ __('Dummy 2FA Challenge') }}</p>
+        <p class="text-center small text-muted">Enter 123456 to pass.</p>
+
+        <form action="{{ route('login.2fa.verify', ['method' => 'dummy']) }}" method="post">
+          @csrf
+          <div class="form-group">
+            <input type="text" name="code" class="form-control" placeholder="123456" autofocus>
+          </div>
+          <button type="submit" class="btn btn-primary btn-block">{{ __('Verify') }}</button>
+        </form>
+      </div>
+    </div>
+  </div>
+  </body>
+@endsection