browner12/reauthenticate

reauthenticate your users on higher security pages

Reauthenticate

![Software License][ico-license] ![Coverage Status][ico-scrutinizer] ![Total Downloads][ico-downloads], _(*1)

For pages that contain more sensitive operations, sometimes you wish to have the user reauthenticate themselves. This simple package provides the tools you need to quickly implement this functionality on your website., _(*2)

Install

Via Composer, _(*3)

``` bash $ composer require browner12/reauthenticate, <sub>(*4)</sub>

## Setup

Add the service provider to the providers array in `config/app.php`.

``` php
'providers' => [
    browner12\reauthenticate\ReauthenticateServiceProvider::class,
];

If you are using Laravel's automatic package discovery, you can skip this step., <sub>(*5)</sub>

Publishing

While we provide sensible defaults, if you would like to customize this package simply publish the config file with the following command., <sub>(*6)</sub>

``` php php artisan vendor:publish --provider="browner12\reauthenticate\ReauthenticateServiceProvider", <sub>(*7)</sub>

## Wiring

Let's start by adding our new middleware to `App\Http\Kernel.php`.

```php
protected $routeMiddleware = [
    'auth'           => \Illuminate\Auth\Middleware\Authenticate::class,
    'auth.basic'     => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
    'bindings'       => \Illuminate\Routing\Middleware\SubstituteBindings::class,
    'can'            => \Illuminate\Auth\Middleware\Authorize::class,
    'guest'          => \App\Http\Middleware\RedirectIfAuthenticated::class,
    'throttle'       => \Illuminate\Routing\Middleware\ThrottleRequests::class,
    'reauthenticate' => \browner12\reauthenticate\Reauthenticate::class,
];

We will need 2 routes for our reauthentication. One to show the form to enter a password, and another to process the input., <sub>(*8)</sub>

Route::get('reauthenticate', 'ReauthenticateController@reauthenticate')->name('reauthenticate');
Route::post('reauthenticate', 'ReauthenticateController@processReauthenticate')->name('reauthenticate.process');

Now let's make the associated controller:, <sub>(*9)</sub>

php artisan make:controller ReauthenticateController

This package offers a trait to use in your controller. This pattern gives you the flexibility to customize the controllers as you need, while also controlling the pieces that are important for the normal package operation., <sub>(*10)</sub>

The trait offers 2 methods:, <sub>(*11)</sub>

• checkReauthenticationPassword() - Checks the entered password against the known hash, and returns the requested URL if successful. Returns false on failure.
• resetReauthenticationTimer() - Stores the current time in the session as the last successful authentication.

Now we will use this trait in our controller., <sub>(*12)</sub>

namespace App\Http\Controllers;

use browner12\reauthenticate\Concerns\Reauthenticates;
use Illuminate\Http\Request;

class ReauthenticateController extends Controller
{
    use Reauthenticates;

    /**
     * @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View
     */
    public function reauthenticate()
    {
        //load view
        return view('main/auth/reauthenticate');
    }

    /**
     * @param \Illuminate\Http\Request             $request
     * @return \Illuminate\Http\RedirectResponse
     */
    public function processReauthenticate(Request $request)
    {
        //good password
        if ($url = $this->checkReauthenticationPassword($request->get('password'), $request->user()->password)){

            return redirect()->to($url);
        }

        //send back
        return back();
    }
}

We do not require your view to be formatted in any way, or name your inputs anything specific. In the example above, the input is named 'password', and we are pulling the current password hash off of the logged in user., <sub>(*13)</sub>

If you would like to reset the timer in any of your other controllers, for example when the user initially logs in, you can also use the resetAuthorizationTimer() method on this trait., <sub>(*14)</sub>

Usage

Using the reauthentication feature is incredibly easy. Simply add the middleware to either your routes:, <sub>(*15)</sub>

Route::get('users', 'UserController')->middleware('reauthenticate');

or your controllers:, <sub>(*16)</sub>

class UserController extends Controller
{
    /**
     * constructor
     */
    public function __construct()
    {
        //parent
        parent::__construct();

        //middleware
        $this->middleware('auth');

        //reauthenticate
        $this->middleware('reauthenticate')->only(['index']);
    }
}

Limitations

Currently this feature only works on GET requests. The reason for this is because we cannot redirect to a POST route. I do have a solution in mind that uses a dummy page with a form that automatically submits, but I am holding off to see what the interest for it is first., <sub>(*17)</sub>

Change log

Please see CHANGELOG for more information on what has changed recently., <sub>(*18)</sub>

Contributing

Please see CONTRIBUTING and CODE_OF_CONDUCT for details., <sub>(*19)</sub>

Security

If you discover any security related issues, please email browner12@gmail.com instead of using the issue tracker., <sub>(*20)</sub>

Credits

• Andrew Brown
• All Contributors

License

The MIT License (MIT). Please see License File for more information., <sub>(*21)</sub>