browner12 / reauthenticate
reauthenticate your users on higher security pages
Installs: 1 022
Dependents: 0
Suggesters: 0
Security: 0
Stars: 29
Watchers: 3
Forks: 4
Open Issues: 1
Requires
- php: ^7.2
- illuminate/console: ^6.0|^7.0|^8.0
- illuminate/http: ^6.0|^7.0|^8.0
Requires (Dev)
- orchestra/testbench: ^4.0
- phpunit/phpunit: ^8.0
- squizlabs/php_codesniffer: ^2.3
README
For pages that contain more sensitive operations, sometimes you wish to have the user reauthenticate themselves. This simple package provides the tools you need to quickly implement this functionality on your website.
Install
Via Composer
$ composer require browner12/reauthenticate
Setup
Add the service provider to the providers array in config/app.php
.
'providers' => [ browner12\reauthenticate\ReauthenticateServiceProvider::class, ];
If you are using Laravel's automatic package discovery, you can skip this step.
Publishing
While we provide sensible defaults, if you would like to customize this package simply publish the config file with the following command.
php artisan vendor:publish --provider="browner12\reauthenticate\ReauthenticateServiceProvider"
Wiring
Let's start by adding our new middleware to App\Http\Kernel.php
.
protected $routeMiddleware = [ 'auth' => \Illuminate\Auth\Middleware\Authenticate::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, 'can' => \Illuminate\Auth\Middleware\Authorize::class, 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'reauthenticate' => \browner12\reauthenticate\Reauthenticate::class, ];
We will need 2 routes for our reauthentication. One to show the form to enter a password, and another to process the input.
Route::get('reauthenticate', 'ReauthenticateController@reauthenticate')->name('reauthenticate'); Route::post('reauthenticate', 'ReauthenticateController@processReauthenticate')->name('reauthenticate.process');
Now let's make the associated controller:
php artisan make:controller ReauthenticateController
This package offers a trait to use in your controller. This pattern gives you the flexibility to customize the controllers as you need, while also controlling the pieces that are important for the normal package operation.
The trait offers 2 methods:
checkReauthenticationPassword()
- Checks the entered password against the known hash, and returns the requested URL if successful. Returnsfalse
on failure.resetReauthenticationTimer()
- Stores the current time in the session as the last successful authentication.
Now we will use this trait in our controller.
namespace App\Http\Controllers; use browner12\reauthenticate\Concerns\Reauthenticates; use Illuminate\Http\Request; class ReauthenticateController extends Controller { use Reauthenticates; /** * @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View */ public function reauthenticate() { //load view return view('main/auth/reauthenticate'); } /** * @param \Illuminate\Http\Request $request * @return \Illuminate\Http\RedirectResponse */ public function processReauthenticate(Request $request) { //good password if ($url = $this->checkReauthenticationPassword($request->get('password'), $request->user()->password)){ return redirect()->to($url); } //send back return back(); } }
We do not require your view to be formatted in any way, or name your inputs anything specific. In the example above, the input is named 'password', and we are pulling the current password hash off of the logged in user.
If you would like to reset the timer in any of your other controllers, for example when the user initially logs in, you can also use the resetAuthorizationTimer()
method on this trait.
Usage
Using the reauthentication feature is incredibly easy. Simply add the middleware to either your routes:
Route::get('users', 'UserController')->middleware('reauthenticate');
or your controllers:
class UserController extends Controller { /** * constructor */ public function __construct() { //parent parent::__construct(); //middleware $this->middleware('auth'); //reauthenticate $this->middleware('reauthenticate')->only(['index']); } }
Limitations
Currently this feature only works on GET requests. The reason for this is because we cannot redirect to a POST route. I do have a solution in mind that uses a dummy page with a form that automatically submits, but I am holding off to see what the interest for it is first.
Change log
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING and CODE_OF_CONDUCT for details.
Security
If you discover any security related issues, please email browner12@gmail.com instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.