Reauthenticate users by letting them re-enter their passwords for specific parts of your app.

1.4.0 2019-10-08 08:25 UTC

This package is auto-updated.

Last update: 2023-09-08 16:42:44 UTC


Because sometimes, you want that extra layer of security

Software License Build Status Scrutinizer Code Quality StyleCI

Reauthenticate users by letting them re-enter their passwords for specific parts of your app (for Laravel 5).

Route::group(['middleware' => ['auth','reauthenticate']], function () {

    Route::get('user/payment', function () {
        // Needs to re-enter password to see this




In order to add reauthenticate to your project, just add

"mpociot/reauthenticate": "~1.0"

to your composer.json. Then run composer install or composer update.

Or run composer require mpociot/reauthenticate if you prefer that.


Add the middleware to your Kernel

In your app\Http\Kernel.php file, add the reauthenticate middleware to the $routeMiddleware array.

protected $routeMiddleware = [
    // ...
    'reauthenticate'         => \Mpociot\Reauthenticate\Middleware\Reauthenticate::class,
    // ...

Add the routes & views

By default, reauthanticate is looking for a route auth/reauthenticate and a view auth.reauthenticate that will hold a password field.

An example view can be copied from here. Please note that this file needs to be manually copied, because I didn't want to bloat this package with a service provider.

The HTTP controller methods can be used from the Reauthenticates trait, so your AuthController looks like this:


namespace App\Http\Controllers\Auth;

use App\User;
use Validator;
use App\Http\Controllers\Controller;
use Mpociot\Reauthenticate\Reauthenticates;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;

class AuthController extends Controller
    | Registration & Login Controller
    | This controller handles the registration of new users, as well as the
    | authentication of existing users. By default, this controller uses
    | a simple trait to add these behaviors. Why don't you explore it?

    use AuthenticatesAndRegistersUsers, ThrottlesLogins, Reauthenticates {
        AuthenticatesAndRegistersUsers::getFailedLoginMessage insteadof Reauthenticates;

Be sure to except the reauthenticate routes from the guest middleware.

     * Create a new authentication controller instance.
     * @return void
    public function __construct()
        $this->middleware('guest', ['except' => ['logout','getReauthenticate','postReauthenticate'] ]);

To get started, add these routes to your routes.php file:

// Reauthentication routes
Route::get('auth/reauthenticate', 'Auth\AuthController@getReauthenticate');
Route::post('auth/reauthenticate', 'Auth\AuthController@postReauthenticate');

That's it. Once the user successfully reauthenticates, the valid login will be stored for 30 minutes.

The URL the user gets redirected to can be configured by adding a reauthenticate_url key to your config/app.php file:

return [
    // ...

    'reauthenticate_url' => '/custom-url',


Reauthenticate is free software distributed under the terms of the MIT license.