laravel-enso/core

Tips for building password expired functionality

wbovela opened this issue · 4 comments

This is a (request for help building a new) feature request.

Prerequisites

  • [+] Are you running the latest version? (3.2.25)
  • [+] Are you reporting to the correct repository? (Core)
  • [+] Did you check the documentation?
  • [+] Did you perform a cursory search?

Description

I would like to build a feature that allows me to check if a user's password has expired (i.e. has been left unchanged for a set number of days). I have all of the code required to check the validity of the password, present a dialog and process a password change, but I've run into a problem. The execution of this check should occur after successful login, but before the user is redirected to their landing page. I have introduced a new Middleware to perform the check but I am unsuccessful in finding a point in the code to have it called.
What would be a good way to do this?

Steps taken (but all without success)

  • I've registered my Middleware in kernel.php in the $routeMiddleware array ('password_expired' => \App\Http\Middleware\PasswordExpired::class)

  • Added a controller and method to perform the password expiration check and added a route in routes\api.php:
    Route::middleware(['auth'])
        ->group(function () {
            Route::get('expiration', 'Auth\ExpiredPasswordController@expiration');
        });

  • Changed the App\Http\Controllers\Auth\LoginController to redirect to a route to my Auth\ExpiredPasswordController@expiration method, but the LoginController is overridden.

  • Tried to perform the password expired check by changing the RedirectIfAuthenticated Middleware, but at this point Auth::user() and $request->user() yield null.

Expected behaviour

I expect to be able to check the logged in User's password_changed_at before the user is redirected to the application, so that I can choose to either: show a password reset dialog or redirect the user as usual.

Actual behaviour

The user is always redirected to their usual start page.

Hi,

This is something that we want to implement at the framework level so maybe we can work together on it.

If you don't mind please make a PR here, on the core package, to add the Middleware / Controller and we'll go from that point forward.

The password validity should be customizable, so an option in config('enso.config') should be added too.
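
One way to wire up the check described above, with the configurable validity period that was asked for. This is an added example, not the issue author's PR and not the code that landed in laravel-enso/core; the config key enso.config.passwordValidity, the route names in $except and the shape of the 403 response are assumptions, and the column name password_changed_at is the one the issue uses.

```php
<?php

namespace App\Http\Middleware;

use Carbon\Carbon;
use Closure;
use Illuminate\Http\Request;

/**
 * Rejects API requests from users whose password is older than the configured
 * validity period, so the SPA can open the "change password" dialog instead of
 * loading the landing page.
 *
 * Registration (assumed wiring, not the project's own code):
 *   app/Http/Kernel.php, in $routeMiddleware:
 *     'password_expired' => \App\Http\Middleware\PasswordExpired::class,
 *   routes/api.php, listed AFTER the guard so $request->user() is resolved:
 *     Route::middleware(['auth:api', 'password_expired'])->group(...);
 *   config/enso/config.php (assumed key):
 *     'passwordValidity' => 90, // days; 0 or null disables the check
 */
class PasswordExpired
{
    /**
     * Routes a user must still reach with an expired password; without an
     * exemption they are locked out and can never change it. Route names are
     * assumptions; use whatever the password-change and logout routes are named.
     */
    private $except = [
        'core.users.changePassword',
        'core.logout',
    ];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        if ($user !== null
            && ! $request->routeIs(...$this->except)
            && $this->isExpired($user)) {
            // 403 instead of a redirect: the client is an SPA consuming JSON,
            // and the frontend keys off the flag to show the reset dialog.
            return response()->json([
                'message' => 'Your password has expired and must be changed.',
                'passwordExpired' => true,
            ], 403);
        }

        return $next($request);
    }

    private function isExpired($user): bool
    {
        $validityDays = (int) config('enso.config.passwordValidity', 0);

        if ($validityDays <= 0) {
            return false; // feature disabled by configuration
        }

        // No timestamp means the password was never rotated since the column
        // was introduced; treat that as expired, not as "never expires".
        if ($user->password_changed_at === null) {
            return true;
        }

        return Carbon::parse($user->password_changed_at)
            ->addDays($validityDays)
            ->isPast();
    }
}
```

Two things outside the middleware decide whether this works: the handler that changes or resets a password must set password_changed_at to the current time on success (including the forgot-password flow), or the check never clears; and the migration adding the column should backfill existing rows (for example with the current time) unless every existing user is meant to be forced through a reset on their first login after deployment. If authentication is delegated to an external directory such as LDAP, the local timestamp says nothing about the real credential, so the check should be skipped for such users.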

Created a pull request.
I have no experience with framework level work, but I've included a new controller, middleware, migration and configuration changes.
I've not been able to figure out a point in the code where I can comfortably check the expiration of the password. To my mind this should happen after login and before redirecting to the user's landing page. Middleware seems like the right place, but the Auth::user() information should be available, which it isn't in auth:api middleware.

When implementing this feature please take into account that some might use an external User Provider, like Adldap.

implemented in 241ff9a

@jlsjonas it should not interfere with your external User Provider, but if it does let me know.