
I am adding some implementation which allows a user to update their password within an admin panel, given that they provide the correct current password.

The issue I am facing is that the user, upon updating the password, is logged out because the password_hash no longer matches in the session. I know this as I've commented out the middleware AuthenticateSession.

I can see here that there is a check for the session value of password_hash with a suffix of the default driver:

    if ($request->session()->get('password_hash_'.$this->auth->getDefaultDriver()) !== $request->user()->getAuthPassword()) {
        $this->logout($request);
    }

It seems as though I am ALWAYS hitting this, although when updating the password I am setting the session variable to the user's new password:

    $user->password = Hash::make($request->input('password'));
    $user->save();

    auth()->guard('web')->login($user, true);
    $request->session()->put([
        'password_hash_' . auth()->getDefaultDriver() =>  $user->getAuthPassword(),
    ]);

Even with this, I hit the logout method. Obviously I don't want to remove the middleware, as it's useful in case an account gets compromised.

Jonathan Hall

1 Answer

You shouldn't need to re-login the user after a password change.

You just need to check the request password against the current one, e.g. `Hash::check($request->current_password, $this->User->password)` or a similar method.

You can always look into the Illuminate\Foundation\Auth\ResetsPasswords class to see how Laravel implements it.

This is an example of an update-password method that checks the current password:

    // Assumes these imports at the top of the controller:
    //   use Illuminate\Http\Request;
    //   use Illuminate\Support\Facades\Hash;
    // and that $this->User holds the authenticated user model (set in the constructor).

    /**
     * Update the authenticated user's password after checking the current one.
     *
     * @param \Illuminate\Http\Request $request
     * @return \Illuminate\Http\JsonResponse
     */
    public function updatePassword(Request $request)
    {
        // Validate first so Hash::check() never receives a missing (null) field.
        // 'strong_password' is a custom rule; it must be registered with Validator::extend().
        $validatedData = $request->validate([
            'current_password' => 'required|string',
            'new_password'     => 'required|strong_password|string|min:6|confirmed',
        ]);

        if (! Hash::check($validatedData['current_password'], $this->User->password)) {
            return response()->json([
                'status'  => 'error',
                'message' => 'Your current password is incorrect. Please try again.'
            ], 403);
        }

        if ($validatedData['current_password'] === $validatedData['new_password']) {
            return response()->json([
                'status'  => 'error',
                'message' => 'New Password cannot be the same as your current password. Please choose a different password.'
            ], 403);
        }

        try {
            $this->User->password = Hash::make($validatedData['new_password']);
            $this->User->save();

            return response()->json([
                'status'  => 'success',
                'message' => 'Your password has been updated',
            ], 200);
        } catch (\Exception $e) {
            // Log the details server-side; do not echo exception text back to the client.
            report($e);

            return response()->json([
                'status'  => 'error',
                'message' => 'Your password could not be updated.'
            ], 500);
        }
    }
justrusty
  • I thought this was the case; however, I am using Laravel Jetstream and Inertia and I think this is default behaviour. If you take a look at `Illuminate\Session\Middleware\AuthenticateSession` you will see the code which I mentioned above. – Nov 17 '20 at 14:19
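The following is an added example written for this page; it is not code from the question, the answer or Laravel itself. It ties the two halves of the thread together: the current-password check from the answer, and the `password_hash_<guard>` session key that the question quotes from the AuthenticateSession middleware. The controller name, route and field names are assumptions. It assumes Laravel 8 with the default `web` guard and the AuthenticateSession middleware enabled; it does not call `login()` again, and it updates `$request->user()` (the instance the guard already holds) rather than a separately loaded copy, because the middleware re-stores the hash from `$request->user()` after the response and a stale in-memory instance would write the old hash back.

```php
<?php
// Hypothetical controller (example added for this page, not from the question or answer).
// Assumes Laravel 8, the default 'web' guard, and AuthenticateSession in the 'web' group.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class UpdatePasswordController extends Controller
{
    public function __invoke(Request $request): RedirectResponse
    {
        // Validate before touching anything; 'confirmed' requires a matching
        // password_confirmation field in the request.
        $validated = $request->validate([
            'current_password' => ['required', 'string'],
            'password'         => ['required', 'string', 'min:8', 'confirmed'],
        ]);

        // Use the guard's own instance: AuthenticateSession reads $request->user()
        // when it re-stores the hash after the response, so a separately loaded
        // copy would leave the guard holding the stale hash.
        $user = $request->user();

        if (! Hash::check($validated['current_password'], $user->getAuthPassword())) {
            return back()->withErrors([
                'current_password' => 'The provided password does not match your current password.',
            ]);
        }

        // Persist the new hash. Every other session still holds the old hash under
        // 'password_hash_<guard>' and will be logged out by AuthenticateSession on
        // its next request, which is exactly the compromise case the middleware exists for.
        $user->forceFill([
            'password' => Hash::make($validated['password']),
        ])->save();

        // Keep *this* session alive: store the new hash under the exact key the
        // middleware compares against ('password_hash_' . default guard name).
        $request->session()->put(
            'password_hash_' . Auth::getDefaultDriver(),
            $user->getAuthPassword()
        );

        return back()->with('status', 'password-updated');
    }
}
```

Two checks worth doing if a session still drops after the change: confirm the key written is literally `password_hash_web` (or whatever `Auth::getDefaultDriver()` returns in your app, which can differ under a custom guard), and confirm the model you saved is the same object as `$request->user()`. For the related case where the password is not changed but every other device should be signed out, Laravel ships `Auth::logoutOtherDevices($currentPassword)`, which rehashes the password and relies on the same middleware comparison.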