[6.x] Implement new password rule and password confirmation

src/Illuminate/Auth/Middleware/RequirePassword.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace Illuminate\Auth\Middleware;
+
+use Closure;
+use Illuminate\Routing\Redirector;
+
+class RequirePassword
+{
+ /**
+ * The Redirector instance.
+ *
+ * @var \Illuminate\Routing\Redirector
+ */
+ protected $redirector;
+
+ /**
+ * Create a new middleware instance.
+ *
+ * @param \Illuminate\Routing\Redirector $redirector
+ * @return void
+ */
+ public function __construct(Redirector $redirector)
+ {
+ $this->redirector = $redirector;
+ }
+
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ * @param string $redirectToRoute
+ * @return mixed
+ */
+ public function handle($request, Closure $next, $redirectToRoute = null)
+ {
+ if ($this->shouldConfirmPassword($request)) {
+ return $this->redirector->guest(
+ $this->redirector->getUrlGenerator()->route($redirectToRoute ?? 'password.confirm')
+ );
+ }
+
+ return $next($request);
+ }
+
+ /**
+ * Determine if the confirmation timeout has expired.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return bool
+ */
+ protected function shouldConfirmPassword($request)
+ {
+ $confirmedAt = time() - $request->session()->get('auth.password_confirmed_at', 0);
+
+ return $confirmedAt > config('auth.password_timeout', 10800);
+ }
+}

src/Illuminate/Foundation/Auth/ConfirmsPasswords.php

@@ -0,0 +1,68 @@
+<?php
+
+namespace Illuminate\Foundation\Auth;
+
+use Illuminate\Http\Request;
+
+trait ConfirmsPasswords
+{
+ use RedirectsUsers;
+
+ /**
+ * Display the password confirmation view.
+ *
+ * @return \Illuminate\Http\Response
+ */
+ public function showConfirmForm()
+ {
+ return view('auth.passwords.confirm');
+ }
+
+ /**
+ * Confirm the given user's password.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+ */
+ public function confirm(Request $request)
+ {
+ $request->validate($this->rules(), $this->validationErrorMessages());
+
+ $this->resetPasswordConfirmationTimeout($request);
+
+ return redirect()->intended($this->redirectPath());
+ }
+
+ /**
+ * Reset the password confirmation timeout.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return void
+ */
+ protected function resetPasswordConfirmationTimeout(Request $request)
+ {
+ $request->session()->put('auth.password_confirmed_at', time());
+ }
+
+ /**
+ * Get the password confirmation validation rules.
+ *
+ * @return array
+ */
+ protected function rules()
+ {
+ return [
+ 'password' => 'required|password',
+ ];
+ }
+
+ /**
+ * Get the password confirmation validation error messages.
+ *
+ * @return array
+ */
+ protected function validationErrorMessages()
+ {
+ return [];
+ }
+}

src/Illuminate/Routing/Router.php

@@ -1164,6 +1164,11 @@ public function auth(array $options = [])
  $this->resetPassword();
  }
 
+ // Password Confirmation Routes...
+ if ($options['confirm'] ?? true) {
+ $this->confirmPassword();
+ }
+
  // Email Verification Routes...
  if ($options['verify'] ?? false) {
  $this->emailVerification();
@@ -1183,6 +1188,17 @@ public function resetPassword()
  $this->post('password/reset', 'Auth\ResetPasswordController@reset')->name('password.update');
  }
 
+ /**
+ * Register the typical confirm password routes for an application.
+ *
+ * @return void
+ */
+ public function confirmPassword()
+ {
+ $this->get('password/confirm', 'Auth\ConfirmPasswordController@showConfirmForm')->name('password.confirm');
+ $this->post('password/confirm', 'Auth\ConfirmPasswordController@confirm');
+ }
+
  /**
  * Register the typical email verification routes for an application.
  *

src/Illuminate/Validation/Concerns/ValidatesAttributes.php

@@ -1279,6 +1279,28 @@ public function validateNumeric($attribute, $value)
  return is_numeric($value);
  }
 
+ /**
+ * Validate that the current logged in user's password matches the given value.
+ *
+ * @param string $attribute
+ * @param mixed $value
+ * @param array $parameters
+ * @return bool
+ */
+ protected function validatePassword($attribute, $value, $parameters)
+ {
+ $auth = $this->container->make('auth');
+ $hasher = $this->container->make('hash');
+
+ $guard = $auth->guard(Arr::first($parameters));
+
+ if ($guard->guest()) {
+ return false;
+ }
+
+ return $hasher->check($value, $guard->user()->getAuthPassword());
+ }
+
  /**
  * Validate that an attribute exists even if not filled.
  *

tests/Validation/ValidationValidatorTest.php

@@ -5,6 +5,9 @@
 use DateTime;
 use DateTimeImmutable;
 use Illuminate\Container\Container;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Auth\Guard;
+use Illuminate\Contracts\Hashing\Hasher;
 use Illuminate\Contracts\Translation\Translator as TranslatorContract;
 use Illuminate\Contracts\Validation\ImplicitRule;
 use Illuminate\Contracts\Validation\Rule;
@@ -686,6 +689,100 @@ public function testValidationStopsAtFailedPresenceCheck()
  $this->assertEquals(['validation.present'], $v->errors()->get('name'));
  }
 
+ public function testValidatePassword()
+ {
+ // Fails when user is not logged in.
+ $auth = m::mock(Guard::class);
+ $auth->shouldReceive('guard')->andReturn($auth);
+ $auth->shouldReceive('guest')->andReturn(true);
+
+ $hasher = m::mock(Hasher::class);
+
+ $container = m::mock(Container::class);
+ $container->shouldReceive('make')->with('auth')->andReturn($auth);
+ $container->shouldReceive('make')->with('hash')->andReturn($hasher);
+
+ $trans = $this->getTranslator();
+ $trans->shouldReceive('get');
+
+ $v = new Validator($trans, ['password' => 'foo'], ['password' => 'password']);
+ $v->setContainer($container);
+
+ $this->assertFalse($v->passes());
+
+ // Fails when password is incorrect.
+ $user = m::mock(Authenticatable::class);
+ $user->shouldReceive('getAuthPassword');
+
+ $auth = m::mock(Guard::class);
+ $auth->shouldReceive('guard')->andReturn($auth);
+ $auth->shouldReceive('guest')->andReturn(false);
+ $auth->shouldReceive('user')->andReturn($user);
+
+ $hasher = m::mock(Hasher::class);
+ $hasher->shouldReceive('check')->andReturn(false);
+
+ $container = m::mock(Container::class);
+ $container->shouldReceive('make')->with('auth')->andReturn($auth);
+ $container->shouldReceive('make')->with('hash')->andReturn($hasher);
+
+ $trans = $this->getTranslator();
+ $trans->shouldReceive('get');
+
+ $v = new Validator($trans, ['password' => 'foo'], ['password' => 'password']);
+ $v->setContainer($container);
+
+ $this->assertFalse($v->passes());
+
+ // Succeeds when password is correct.
+ $user = m::mock(Authenticatable::class);
+ $user->shouldReceive('getAuthPassword');
+
+ $auth = m::mock(Guard::class);
+ $auth->shouldReceive('guard')->andReturn($auth);
+ $auth->shouldReceive('guest')->andReturn(false);
+ $auth->shouldReceive('user')->andReturn($user);
+
+ $hasher = m::mock(Hasher::class);
+ $hasher->shouldReceive('check')->andReturn(true);
+
+ $container = m::mock(Container::class);
+ $container->shouldReceive('make')->with('auth')->andReturn($auth);
+ $container->shouldReceive('make')->with('hash')->andReturn($hasher);
+
+ $trans = $this->getTranslator();
+ $trans->shouldReceive('get');
+
+ $v = new Validator($trans, ['password' => 'foo'], ['password' => 'password']);
+ $v->setContainer($container);
+
+ $this->assertTrue($v->passes());
+
+ // We can use a specific guard.
+ $user = m::mock(Authenticatable::class);
+ $user->shouldReceive('getAuthPassword');
+
+ $auth = m::mock(Guard::class);
+ $auth->shouldReceive('guard')->with('custom')->andReturn($auth);
+ $auth->shouldReceive('guest')->andReturn(false);
+ $auth->shouldReceive('user')->andReturn($user);
+
+ $hasher = m::mock(Hasher::class);
+ $hasher->shouldReceive('check')->andReturn(true);
+
+ $container = m::mock(Container::class);
+ $container->shouldReceive('make')->with('auth')->andReturn($auth);
+ $container->shouldReceive('make')->with('hash')->andReturn($hasher);
+
+ $trans = $this->getTranslator();
+ $trans->shouldReceive('get');
+
+ $v = new Validator($trans, ['password' => 'foo'], ['password' => 'password:custom']);
+ $v->setContainer($container);
+
+ $this->assertTrue($v->passes());
+ }
+
  public function testValidatePresent()
  {
  $trans = $this->getIlluminateArrayTranslator();