I have a secret route in Laravel that should sit behind a password confirmation protection (Like GitHub sudo mode when you're about to delete a repo or add a collaborator)
Route::get('/secret', 'DiariesController@index')->middleware(['auth', 'verified']);
But already authenticated users can easily access the routes
What I want is an extra layer of protection against physical access to the user's device
Here's what I have tried so far
DiariesController
public function index()
{
if (session()->has('sudo')) {
return view('secret.diaries');
}
auth()->logout();
return redirect('/login');
}
And in LoginController
/**
* The user has been authenticated.
*
* @param \Illuminate\Http\Request $request
* @param mixed $user
* @return mixed
*/
protected function authenticated(Request $request, $user)
{
session(['sudo' => true]);
}
But this basically does nothing, I have to manually expire the sudo
session key somehow
is there an easier way to achieve this?
The Laravel v6.2.0
release ships with a new password confirmation feature
. This feature allows you to attach a password.confirm middleware
to routes where you want a user to re-confirm their password. Considering your code your route will look like below.
Route::get('/secret', 'DiariesController@index')->middleware(['auth', 'verified','password.confirm']);
If you attempt to access the route, you will be prompted to confirm your password, similar to what you may have seen on other applications like GitHub. For more info you can visit this
Thanks
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments