From 36abf58838557837b0c16e577dd314df891bb71e Mon Sep 17 00:00:00 2001
From: Hosteroid
Date: Tue, 10 Mar 2026 23:04:20 +0200
Subject: [PATCH] Preserve 'remember me' choice across 2FA

Carry the login "remember me" choice through two-factor authentication by storing it in the session. When a user initially logs in, set $_SESSION['pending_remember'] = $remember; after successful 2FA, TwoFactorController checks and clears that flag and invokes a new public wrapper (createRememberTokenPublic) on AuthController to create the persistent remember token. This allows remember-me behavior to be applied only after 2FA completes.
---
 app/Controllers/AuthController.php | 9 +++++++++
 app/Controllers/TwoFactorController.php | 8 ++++++++
 2 files changed, 17 insertions(+)

diff --git a/app/Controllers/AuthController.php b/app/Controllers/AuthController.php
index 566c453..13f2006 100644
--- a/app/Controllers/AuthController.php
+++ b/app/Controllers/AuthController.php
@@ -156,6 +156,7 @@ class AuthController extends Controller
 $_SESSION['email'] = $user['email'];
 $_SESSION['role'] = $user['role'];
 $_SESSION['2fa_required'] = true;
+ $_SESSION['pending_remember'] = $remember;
 // Clear any existing session messages before redirecting to 2FA
 unset($_SESSION['error']);
@@ -706,6 +707,14 @@ class AuthController extends Controller
 }
 }
+ /**
+ * Public wrapper for creating remember token (used by TwoFactorController after 2FA)
+ */
+ public function createRememberTokenPublic(int $userId): void
+ {
+ $this->createRememberToken($userId);
+ }
+
 /**
 * Create remember me token linked to current session
 */
diff --git a/app/Controllers/TwoFactorController.php b/app/Controllers/TwoFactorController.php
index b2df9b2..60b7bac 100644
--- a/app/Controllers/TwoFactorController.php
+++ b/app/Controllers/TwoFactorController.php
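Review bot: In the first AuthController.php hunk, `pending_remember` is written into the session before the second factor has been checked, and the only place this patch clears it is the success branch in TwoFactorController. If the 2FA step fails or is abandoned the flag stays in the session, so every other path that tears down a pending login (logout, 2FA timeout, lockout) should also run `unset($_SESSION['pending_remember']);`. If `$remember` is still the raw form value at this point, storing `(bool) $remember` keeps unvalidated input out of the session. The login method starts and ends outside the hunk, so which teardown paths exist cannot be confirmed from here.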
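Review bot: In the second AuthController.php hunk, `createRememberTokenPublic()` exposes persistent-token creation for an arbitrary `$userId` with no precondition, so any caller can mint a remember-me token without passing through the login flow. If the router maps URLs to public controller methods, a request might reach it as well, though route dispatch is not visible in this patch. The wrapper should at least refuse while a second factor is outstanding, e.g. `if (!empty($_SESSION['2fa_required'])) { throw new \LogicException('2FA not completed'); }`. Its docblock should also state that the caller must already have fully authenticated `$userId`. Moving token creation into a service that both controllers share would avoid widening the controller's public surface at all.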
@@ -276,7 +276,9 @@ class TwoFactorController extends Controller
 if ($verified) {
 // Clear 2FA requirement and complete login
+ $pendingRemember = !empty($_SESSION['pending_remember']);
 unset($_SESSION['2fa_required']);
+ unset($_SESSION['pending_remember']);
 // Determine which method was used
 $method = 'unknown';
@@ -296,6 +298,12 @@ class TwoFactorController extends Controller
 'method' => $method
 ]);
+ // Handle remember me (carried over from login form)
+ if ($pendingRemember) {
+ $authController = new \App\Controllers\AuthController();
+ $authController->createRememberTokenPublic($userId);
+ }
+
 // Update last login timestamp
 $this->userModel->updateLastLogin($userId);
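Review bot: The `if ($pendingRemember)` block in the second TwoFactorController.php hunk creates the remember token without any visible session-ID rotation after the second factor succeeds. The AuthController docblock describes the token as "linked to current session", so the token may be bound to the pre-authentication session ID. Calling `session_regenerate_id(true);` just before the block would attach it to the post-2FA session, unless rotation already happens earlier in this method, which continues outside the hunk. The call is also unguarded, so an exception from `createRememberTokenPublic()` would abort the request after `2fa_required` was unset and before `updateLastLogin()`. A try/catch that logs and continues would keep remember-me best-effort.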