Improved TOTp handling in login.

Cleaned up the code a bit, also checks TOTP before attemping to verify
user.

This addresses the potential for an attacker to try at a password
and/or confirm that the password is correct unless they have a valid
TOTP code for the request. A failed TOTP response will trigger a
throttle count on the login as well.

app/Http/Routes/AuthRoutes.php

@@ -10,20 +10,22 @@ class AuthRoutes {
 
     public function map(Router $router) {
         $router->group(['prefix' => 'auth'], function () use ($router) {
+
             $router->get('login', [ 'as' => 'auth.login', 'uses' => 'Auth\AuthController@getLogin' ]);
-            $router->post('login/totp', [ 'as' => 'auth.login.totp', 'uses' => 'Auth\AuthController@checkTotp' ]);
-            $router->post('login', [ 'as' => 'auth.login.submit', 'uses' => 'Auth\AuthController@postLogin' ]);
+            $router->post('login', [ 'uses' => 'Auth\AuthController@postLogin' ]);
+            $router->post('login/totp', [ 'uses' => 'Auth\AuthController@checkTotp' ]);
+
 
             $router->get('password', [ 'as' => 'auth.password', 'uses' => 'Auth\PasswordController@getEmail' ]);
             $router->post('password', [ 'as' => 'auth.password.submit', 'uses' => 'Auth\PasswordController@postEmail' ], function () {
                 return redirect('auth/password')->with('sent', true);
             });
-
+            $router->post('password/verify', [ 'uses' => 'Auth\PasswordController@postReset' ]);
             $router->get('password/verify/{token}', [ 'as' => 'auth.verify', 'uses' => 'Auth\PasswordController@getReset' ]);
-            $router->post('password/verify', [ 'as' => 'auth.verify.submit', 'uses' => 'Auth\PasswordController@postReset' ]);
 
             $router->get('logout', [ 'as' => 'auth.logout', 'uses' => 'Auth\AuthController@getLogout' ]);
+
         });
     }
 
-}
+}