For pages that contain more sensitive operations, sometimes you wish to have the user reauthenticate themselves. This simple package provides the tools you need to quickly implement this functionality on your website.
Via Composer
$ composer require browner12/reauthenticate
Add the service provider to the providers array in config/app.php
.
'providers' => [
browner12\reauthenticate\ReauthenticateServiceProvider::class,
];
If you are using Laravel's automatic package discovery, you can skip this step.
While we provide sensible defaults, if you would like to customize this package simply publish the config file with the following command.
php artisan vendor:publish --provider="browner12\reauthenticate\ReauthenticateServiceProvider"
Let's start by adding our new middleware to App\Http\Kernel.php
.
protected $routeMiddleware = [
'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'reauthenticate' => \browner12\reauthenticate\Reauthenticate::class,
];
We will need 2 routes for our reauthentication. One to show the form to enter a password, and another to process the input.
Route::get('reauthenticate', 'ReauthenticateController@reauthenticate')->name('reauthenticate');
Route::post('reauthenticate', 'ReauthenticateController@processReauthenticate')->name('reauthenticate.process');
Now let's make the associated controller:
php artisan make:controller ReauthenticateController
This package offers a trait to use in your controller. This pattern gives you the flexibility to customize the controllers as you need, while also controlling the pieces that are important for the normal package operation.
The trait offers 2 methods:
checkReauthenticationPassword()
- Checks the entered password against the known hash, and returns the requested URL if successful. Returnsfalse
on failure.resetReauthenticationTimer()
- Stores the current time in the session as the last successful authentication.
Now we will use this trait in our controller.
namespace App\Http\Controllers;
use browner12\reauthenticate\Concerns\Reauthenticates;
use Illuminate\Http\Request;
class ReauthenticateController extends Controller
{
use Reauthenticates;
/**
* @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View
*/
public function reauthenticate()
{
//load view
return view('main/auth/reauthenticate');
}
/**
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\RedirectResponse
*/
public function processReauthenticate(Request $request)
{
//good password
if ($url = $this->checkReauthenticationPassword($request->get('password'), $request->user()->password)){
return redirect()->to($url);
}
//send back
return back();
}
}
We do not require your view to be formatted in any way, or name your inputs anything specific. In the example above, the input is named 'password', and we are pulling the current password hash off of the logged in user.
If you would like to reset the timer in any of your other controllers, for example when the user initially logs in, you can also use the resetAuthorizationTimer()
method on this trait.
Using the reauthentication feature is incredibly easy. Simply add the middleware to either your routes:
Route::get('users', 'UserController')->middleware('reauthenticate');
or your controllers:
class UserController extends Controller
{
/**
* constructor
*/
public function __construct()
{
//parent
parent::__construct();
//middleware
$this->middleware('auth');
//reauthenticate
$this->middleware('reauthenticate')->only(['index']);
}
}
Currently this feature only works on GET requests. The reason for this is because we cannot redirect to a POST route. I do have a solution in mind that uses a dummy page with a form that automatically submits, but I am holding off to see what the interest for it is first.
Please see CHANGELOG for more information on what has changed recently.
Please see CONTRIBUTING and CODE_OF_CONDUCT for details.
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.