[6.x] Implement new password rule and password confirmation #30214
Conversation
|
Thanks @driesvints 👍 |
|
I very much like the functionality, but I find the name is a bit confusing. If someone now says to you "I have a problem confirming a password", does that problem concern:
I think a name like |
|
Glad I could be an inspiration! Happy to see this in the core. Couple of comments/questions:
My last point is a little more overarching. I think the way we handle injecting functionality into Controllers with built in features (auth, password resets, elevated security) is a little off. Having the Traits is great, but the methods of the Traits are too all inclusive and therefore (IMO) restrictive. A trait method should not encompass an entire route Controller method. I think it would be better if the methods were more "single responsibility", and then the programmer would use them to compose their own Controllers. This gives the programmer the freedom to make the flow of the Controller to work however they like, while also having the consistency of the methods in the Traits. This also prevents us from having to add a bunch of properties to customize every single use case. Maybe I'll bring this up elsewhere, because this is a concern I have with all of these features. |
Github also does "a few hours", hence the reason why I decided on this value.
Left out intentionally but I don't mind adding that either way. Not sure how @taylorotwell feels about that.
This is gonna be a bit tricky indeed. Not sure how to exactly solve this. In any case, the current middleware will still protect post routes, they'll just fail if people attempt to execute them manually.
This is more of a discussion for the ideas repo. |
|
Hi @driesvints, What if the user has an account without a password (Socialite) ? What is the best approach ?
|
|
@arcanedev-maroc this would only work with a password based flow. |
|
This is causing problems for some users, the Auth::routes() helper tries to register a route for this but the ConfirmPasswordController is a userland file that doesn't get added to existing applications on upgrade. Is there some way to add the file on upgrade? this is a really useful feature but as it stands it's also a breaking change for what should be a minor release |
|
Just a two hours headhach to share with you :-) The password confirmation did not work anymore yesterday on a project. The culprit was https://github.com/Intervention/validation. It redefines the It is a convenient method to use this validator to check user password but given that the validator is not used when creating a new fresh user, we can reach this kind of asymmetrical problem. I finally removed the package and implement manually the wanted validators I needed. Thank you @driesvints for this new feature 💕 Really useful for hot transactions 🔥 |
|
Hey @potsky sorry to hear that. We can't unfortunately keep into account every third party library that might implement its own password rule, sorry. I think it's best that that library either renames its validator or creates a new one. |
|
This is a great feature @driesvints 🚀 I miss a way to check if the user is in the 3 hours timespan. I accomplished this by checking the auth.password_confirmed_at key in the session. public function confirmedPassword()
{
if (session('auth.password_confirmed_at') === null) {
return false;
}
return session('auth.password_confirmed_at') > time();
}```
I'm I missing some point here? |
This is not the ideas repo, but what do you think about this being added to the request session as a method? |
|
Why do you need this? |
|
Basically to show some sensitive data with partial views. |
|
We'd have to store the timeout inside the session store for that and that's not wanted. We could do it somewhere else maybe but I'm not sure where. For now just re-use the logic. |
|
Thanks @driesvints I'll go with the logic re-used in a method in the User model. public function confirmedPassword()
{
$confirmedAt = time() - (session('auth.password_confirmed_at') ?? 0);
return $confirmedAt < config('auth.password_timeout', 10800);
} |
Is there a possibility to have the entire request instance saved to the session and use that one after successful password confirmation instead of just saving the intended url? |
These changes add a new password validation rule and the new password confirmation functionality.
The validation rule offers to validate a password input field and checks if the password matches the currently authed user's password. You can also pass a guard name as a parameter.
The password confirmation functionality behaves exactly like the Github confirmation screen, allowing you to set a
password.confirmmiddleware on sensitive routes you want password protected. When a user enters a valid password, the time will be added to the session and its session will stay valid for a default of three hours (can be configured in theauth.phpconfig file here: laravel/laravel#5129). Underneath the hood it makes use of the intended url to redirect the user to wherever they were going when the password confirmation was done.Some remarks:
auth.password_timeoutconfig option might need a better name but couldn't think of oneRedirectorclass might need a rename because I noticed that this is actually a bad naming for what it actually does.Feel free to provide feedback.
Kudos to @freekmurze, @mpociot, @christophrumpel and all the others that helped out with validating this idea. I first started working on this but later discovered this article below by @browner12 which inspired me a bit for this PR. Thanks!
laravel/ui PR: laravel/ui#34
laravel/laravel PR: laravel/laravel#5129