lonnieezell / myth-auth

One-stop Auth package for CodeIgniter 4
MIT License

New Feature | Force Re-authenticate #447

Open mjamilasfihani opened 3 years ago

mjamilasfihani commented 3 years ago

From the ROADMAP https://github.com/lonnieezell/myth-auth/projects/1#card-37568349 I notice that we can use a filter (maybe sudo-su 😄) to give the user access to the pages that need them to input their password first.

How to check it? We can use the session to save the key. Any flow suggestions? It's an honor for me to finish this feature.

lonnieezell commented 3 years ago

Actually, another user had sent me an email with their solution on this, which I think works nicely. I had forgotten about it, unfortunately. If you want to take this and turn it into a PR that would be awesome. Here's their email:


My process of re-authentication begins with updating App/Filters and adding this line to the aliases:

```php
'passwordConfirmCheck' => PasswordConfirm::class,
```

and then adding this line to the filters; it tells the framework which places need the password to be re-authenticated:

```php
'passwordConfirmCheck' => ['before' => ['acp/user', 'acp/user/*', 'acp/permission', 'acp/config']],
```

The password confirm function:

```php
use Config\Services;

/**
 * Confirm the password: show the confirmation form.
 */
public function passwordConfirm()
{
    // _render() and $this->_data are this controller's own helpers.
    $this->_render('\acp\password_confirm', $this->_data);
}

/**
 * Handle the submitted confirmation form.
 */
public function passwordConfirmAction()
{
    $inputData = $this->request->getPost();

    // Validation rules and messages
    $rules = [
        'password' => 'required',
    ];
    $errMess = [
        'password' => [
            'required' => lang('User.pw_required'),
        ],
    ];

    // Validate the input
    if (! $this->validate($rules, $errMess)) {
        return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
    }

    $authenticator = Services::authentication();

    // validPassword() is assumed to be the author's own addition to the
    // authenticator (it is not shown here as a stock Myth:Auth method); it
    // checks the submitted password against the logged-in user's hash.
    if (! $authenticator->validPassword($inputData['password'])) {
        return redirect()->back()->withInput()->with('error', lang('Auth.invalidPassword'));
    }

    // Send the user back to the page that triggered the check, then forget it.
    $redirectURL = session('redirect_url') ?? '/';
    session()->remove('redirect_url');

    // Record which user confirmed, so the filter can compare it to the current user.
    session()->set('password_confirm', $this->user->id);

    return redirect()->to($redirectURL);
}
```

View: password_confirm.php

I haven't examined it too closely, but it seems like a great solution for it.
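The email registers a `PasswordConfirm` filter but does not show the filter class itself. The following is an added example, not code from this thread or from myth-auth, of what that filter could look like. It assumes Myth:Auth's `Services::authentication()` exposing `check()` and `id()`, a named `login` route, a confirmation form reachable at the hypothetical route `acp/password-confirm`, and the same `password_confirm` and `redirect_url` session keys the emailed controller uses.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Services;

/**
 * Hypothetical filter: only lets a logged-in user reach the guarded routes
 * once they have re-entered their password in the current session.
 */
class PasswordConfirm implements FilterInterface
{
    // Session keys, matching the names used by the emailed controller.
    public const SESSION_KEY  = 'password_confirm';
    public const REDIRECT_KEY = 'redirect_url';

    // Route of the password confirmation form (assumed, not from the thread).
    public const CONFIRM_ROUTE = 'acp/password-confirm';

    public function before(RequestInterface $request, $arguments = null)
    {
        $auth = Services::authentication();

        // Not logged in at all: hand off to the normal login flow.
        if (! $auth->check()) {
            return redirect()->to(route_to('login'));
        }

        $session   = session();
        $confirmed = $session->get(self::SESSION_KEY);

        // The stored value is the id of the user who confirmed. Comparing it to
        // the current user (not just testing for a boolean) means a confirmation
        // does not survive logging out and back in as someone else.
        if ($confirmed !== null && (int) $confirmed === (int) $auth->id()) {
            return; // already confirmed in this session, allow the request
        }

        // Remember where the user was going, then send them to the form.
        $session->set(self::REDIRECT_KEY, current_url());

        return redirect()->to(site_url(self::CONFIRM_ROUTE));
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}
```

Registering this class under the `passwordConfirmCheck` alias and listing the protected routes in `$filters['passwordConfirmCheck']['before']`, as the email shows, is all the wiring needed. Two points worth deciding up front: the emailed controller stores only the user id, so a confirmation never expires on its own; recording a timestamp alongside it and treating old confirmations as stale keeps the "sudo mode" short-lived. Clearing `password_confirm` on logout also prevents a stale value from lingering in a reused session.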

mjamilasfihani commented 3 years ago

Thanks for the good news @lonnieezell. I am on fire right now 😂

mjamilasfihani commented 3 years ago

You can see the detail in project card, here is the link https://github.com/lonnieezell/myth-auth/projects/1#card-37568349