From 016d600d0b34875d32083f34911e71b0610ea9a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gu=CC=88nther=20Debrauwer?=
Date: Fri, 19 Jul 2024 16:02:00 +0200
Subject: [PATCH] Rehash password if required
---
 .../RedirectIfTwoFactorAuthenticatable.php | 4 ++
 ...atedSessionControllerWithTwoFactorTest.php | 53 +++++++++++++++++++
 2 files changed, 57 insertions(+)
diff --git a/src/Actions/RedirectIfTwoFactorAuthenticatable.php b/src/Actions/RedirectIfTwoFactorAuthenticatable.php
index 03fa807..448b0f3 100644
--- a/src/Actions/RedirectIfTwoFactorAuthenticatable.php
+++ b/src/Actions/RedirectIfTwoFactorAuthenticatable.php
@@ -94,6 +94,10 @@ protected function validateCredentials($request)
 $this->throwFailedAuthenticationException($request);
 }
+
+ if (config('hashing.rehash_on_login', true) && method_exists($this->guard->getProvider(), 'rehashPasswordIfRequired')) {
+ $this->guard->getProvider()->rehashPasswordIfRequired($user, ['password' => $request->password]);
+ }
 });
 }
diff --git a/tests/AuthenticatedSessionControllerWithTwoFactorTest.php b/tests/AuthenticatedSessionControllerWithTwoFactorTest.php
index 35dc377..dbc9301 100644
--- a/tests/AuthenticatedSessionControllerWithTwoFactorTest.php
+++ b/tests/AuthenticatedSessionControllerWithTwoFactorTest.php
@@ -2,9 +2,11 @@
 namespace Laravel\Fortify\Tests;
+use Illuminate\Foundation\Application;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Hash;
 use Laravel\Fortify\Events\TwoFactorAuthenticationChallenged;
 use Laravel\Fortify\Features;
 use Laravel\Fortify\Tests\Models\UserWithTwoFactor;
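Review bot: The new rehash block inside the `tap` closure carries no comment saying why a stored password hash is rewritten on a request that only redirects to the two-factor challenge, and a later reader may take it for a stray write made before the second factor is verified. The credentials check that precedes the block (outside the hunk) has already accepted the password, so the write is safe, but that reasoning belongs next to the code: `// Credentials were verified above; upgrade an outdated hash now, while the plaintext is available, since this login finishes via the 2FA challenge rather than the guard's normal attempt path.` The provider is also fetched twice in the same closure; a local `$provider = $this->guard->getProvider();` before the `if` would read more cleanly. This only covers the model-lookup path of `validateCredentials` — if the `Fortify::$authenticateUsingCallback` branch earlier in the method validates credentials itself, users authenticated through it are presumably not rehashed here; the enclosing method starts before the hunk.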
@@ -100,6 +102,57 @@ public function test_user_can_authenticate_when_two_factor_challenge_is_disabled
 $response->assertRedirect('/home');
 }
+ public function test_rehash_user_password_when_redirecting_to_two_factor_challenge_if_rehashing_on_login_is_enabled()
+ {
+ if (version_compare(Application::VERSION, '11.0.0', '<')) {
+ $this->markTestSkipped('Only on Laravel 11 and later');
+ }
+
+ $this->app['config']->set('hashing.rehash_on_login', true);
+
+ $user = UserWithTwoFactor::forceCreate([
+ 'name' => 'Taylor Otwell',
+ 'email' => 'taylor@laravel.com',
+ 'password' => Hash::make('secret', ['rounds' => 6]),
+ 'two_factor_secret' => 'test-secret',
+ ]);
+
+ $response = $this->withoutExceptionHandling()->post('/login', [
+ 'email' => 'taylor@laravel.com',
+ 'password' => 'secret',
+ ]);
+
+ $response->assertRedirect('/two-factor-challenge');
+
+ $this->assertNotSame($user->password, $user->fresh()->password);
+ $this->assertTrue(Hash::check('secret', $user->fresh()->password));
+ }
+
+ public function test_does_not_rehash_user_password_when_redirecting_to_two_factor_challenge_if_rehashing_on_login_is_disabled()
+ {
+ if (version_compare(Application::VERSION, '11.0.0', '<')) {
+ $this->markTestSkipped('Only on Laravel 11 and later');
+ }
+
+ $this->app['config']->set('hashing.rehash_on_login', false);
+
+ $user = UserWithTwoFactor::forceCreate([
+ 'name' => 'Taylor Otwell',
+ 'email' => 'taylor@laravel.com',
+ 'password' => Hash::make('secret', ['rounds' => 6]),
+ 'two_factor_secret' => 'test-secret',
+ ]);
+
+ $response = $this->withoutExceptionHandling()->post('/login', [
+ 'email' => 'taylor@laravel.com',
+ 'password' => 'secret',
+ ]);
+
+ $response->assertRedirect('/two-factor-challenge');
+
+ $this->assertSame($user->password, $user->fresh()->password);
+ }
+
 public function test_two_factor_challenge_can_be_passed_via_code()
 {
 $tfaEngine = app(Google2FA::class);
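Review bot: The enabled-case assertion `$this->assertNotSame($user->password, $user->fresh()->password);` holds only because the stored hash was built with `['rounds' => 6]` and the suite's default bcrypt cost happens to differ from 6; nothing in the test pins that default, so an environment whose default cost is 6, or whose default driver is not bcrypt (where `rounds` is ignored), would fail for the wrong reason. Setting the expected default explicitly next to the `rehash_on_login` flag, e.g. `$this->app['config']->set('hashing.bcrypt.rounds', 10);`, would make the test self-contained. The two tests also repeat the same fixture (the `forceCreate` call and the login `post`) and differ only in the config flag and final assertion; a private helper taking the flag as a parameter would keep each test down to its one assertion.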