laravel · taylorotwell · Aug 28, 2024 · Aug 26, 2024 · Aug 28, 2024
diff --git a/src/Http/Controllers/ConfirmedPasswordStatusController.php b/src/Http/Controllers/ConfirmedPasswordStatusController.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\Date;
 
 class ConfirmedPasswordStatusController extends Controller
 {
@@ -15,8 +16,20 @@ class ConfirmedPasswordStatusController extends Controller
      */
     public function show(Request $request)
     {
+        $lastConfirmation = $request->session()->get(
+            'auth.password_confirmed_at', 0
+        );
+
+        $lastConfirmed = (Date::now()->unix() - $lastConfirmation);
+
+        $confirmed = $lastConfirmed < $request->input(
+            'seconds', config('auth.password_timeout', 900)
+        );
+
         return response()->json([
-            'confirmed' => (time() - $request->session()->get('auth.password_confirmed_at', 0)) < $request->input('seconds', config('auth.password_timeout', 900)),
-        ]);
+            'confirmed' => $confirmed,
+        ], headers: array_filter([
+            'X-Retry-After' => $confirmed ? $lastConfirmed : null,
+        ]));
     }
 }
diff --git a/tests/ConfirmablePasswordControllerTest.php b/tests/ConfirmablePasswordControllerTest.php
@@ -4,9 +4,11 @@
 
 use Illuminate\Foundation\Auth\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Date;
 use Laravel\Fortify\Contracts\ConfirmPasswordViewResponse;
 use Laravel\Fortify\Fortify;
+use Orchestra\Testbench\Attributes\WithConfig;
 use Orchestra\Testbench\Attributes\WithMigration;
 
 #[WithMigration]
@@ -153,6 +155,56 @@ public function test_password_confirmation_can_fail_with_json()
         $response->assertJsonValidationErrors('password');
     }
 
+    #[WithConfig('auth.password_timeout', 120)]
+    public function test_password_confirmation_status_has_been_confirmed()
+    {
+        Carbon::setTestNow();
+
+        $response = $this->withoutExceptionHandling()
+            ->actingAs($this->user)
+            ->withSession(['auth.password_confirmed_at' => now()->subMinute(1)->unix()])
+            ->get(
+                '/user/confirmed-password-status',
+            );
+
+        $response->assertOk()
+            ->assertJson(['confirmed' => true])
+            ->assertHeader('X-Retry-After', 60);
+    }
+
+    #[WithConfig('auth.password_timeout', 120)]
+    public function test_password_confirmation_status_has_expired()
+    {
+        Carbon::setTestNow();
+
+        $response = $this->withoutExceptionHandling()
+            ->actingAs($this->user)
+            ->withSession(['auth.password_confirmed_at' => now()->subMinutes(10)->unix()])
+            ->get(
+                '/user/confirmed-password-status',
+            );
+
+        $response->assertOk()
+            ->assertJson(['confirmed' => false])
+            ->assertHeaderMissing('X-Retry-After');
+    }
+
+    #[WithConfig('auth.password_timeout', 120)]
+    public function test_password_confirmation_status_has_not_confirmed()
+    {
+        Carbon::setTestNow();
+
+        $response = $this->withoutExceptionHandling()
+            ->actingAs($this->user)
+            ->get(
+                '/user/confirmed-password-status',
+            );
+
+        $response->assertOk()
+            ->assertJson(['confirmed' => false])
+            ->assertHeaderMissing('X-Retry-After');
+    }
+
     protected function defineEnvironment($app)
     {
         parent::defineEnvironment($app);