Update 2FA and account activation

app/Http/Kernel.php

@@ -47,6 +47,9 @@ class Kernel extends HttpKernel
      */
     protected $middlewareGroups
         = [
+            // does not check login
+            // does not check 2fa
+            // does not check activation
             'web'                    => [
                 EncryptCookies::class,
                 AddQueuedCookiesToResponse::class,
@@ -54,6 +57,9 @@ class Kernel extends HttpKernel
                 ShareErrorsFromSession::class,
                 VerifyCsrfToken::class,
             ],
+            // must be authenticated
+            // must be 2fa (if enabled)
+            // must be activated account
             'web-auth'               => [
                 EncryptCookies::class,
                 AddQueuedCookiesToResponse::class,
@@ -64,6 +70,9 @@ class Kernel extends HttpKernel
                 AuthenticateTwoFactor::class,
                 IsConfirmed::class,
             ],
+            // must be authenticated
+            // must be 2fa (if enabled)
+            // must NOT be activated account
             'web-auth-no-confirm'    => [
                 EncryptCookies::class,
                 AddQueuedCookiesToResponse::class,
@@ -74,6 +83,9 @@ class Kernel extends HttpKernel
                 AuthenticateTwoFactor::class,
                 IsNotConfirmed::class,
             ],
+            // must be authenticated
+            // does not care about 2fa
+            // must be confirmed.
             'web-auth-no-two-factor' => [
                 EncryptCookies::class,
                 AddQueuedCookiesToResponse::class,
@@ -84,6 +96,15 @@ class Kernel extends HttpKernel
                 RedirectIfTwoFactorAuthenticated::class,
                 IsConfirmed::class,
             ],
+            'web-auth-no-two-factor-any-confirm' => [
+                EncryptCookies::class,
+                AddQueuedCookiesToResponse::class,
+                StartSession::class,
+                ShareErrorsFromSession::class,
+                VerifyCsrfToken::class,
+                Authenticate::class,
+                RedirectIfTwoFactorAuthenticated::class,
+            ],
             'web-auth-range'         => [
                 EncryptCookies::class,
                 AddQueuedCookiesToResponse::class,

app/Http/routes.php

@@ -1,7 +1,9 @@
 <?php
 declare(strict_types = 1);
 
-// auth routes, i think
+// does not check login
+// does not check 2fa
+// does not check activation
 Route::group(
     ['middleware' => 'web'], function () {
 
@@ -30,9 +32,11 @@ Route::group(
 
 }
 );
-// routes that can be accessed without being logged using two factor.
+// must be authenticated
+// does not care about 2fa
+// does not care about confirmation.
 Route::group(
-    ['middleware' => 'web-auth-no-two-factor'], function () {
+    ['middleware' => 'web-auth-no-two-factor-any-confirm'], function () {
     Route::get('/two-factor', ['uses' => 'Auth\TwoFactorController@index', 'as' => 'two-factor']);
     Route::get('/lost-two-factor', ['uses' => 'Auth\TwoFactorController@lostTwoFactor', 'as' => 'lost-two-factor']);
     Route::post('/two-factor', ['uses' => 'Auth\TwoFactorController@postIndex', 'as' => 'two-factor-post']);