rinvex / laravel-auth

A powerful authentication, authorization and verification package built on top of Laravel. It provides developers with Role Based Access Control, Two-Factor Authentication, Social Authentication, and much more, compatible with Laravel's standard API and fully featured out of the box.
https://rinvex.com
MIT License

[Security] Invalidate all sessions on password change #139

Closed Omranic closed 4 years ago

noxify commented 6 years ago

Just an idea how to solve this:

Currently we have the following implementation in the Controller: https://github.com/rinvex/fort/blob/develop/resources/stubs/controllers/Memberarea/AccountSessionsController.stub#L33-L39

The easiest way is to duplicate the following line

```php
app('rinvex.fort.session')->where('user_id', $request->user($this->getGuard())->id)->delete();
```

My idea was to extract the session termination into an event. If the password was changed successfully, we're executing command, which terminates the sessions then.

I think with this, we have more flexibility and we can reuse it (e.g. after changing the email/username)
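The event-based variant proposed above, written out as an added example; this is not code from rinvex/laravel-auth or from the commenter. It assumes the container binding `app('rinvex.fort.session')` quoted in the issue resolves to a query builder over a session table keyed by `user_id`, and that the event, listener and `getGuard()` names are placeholders you would adapt to the project. The listener keeps the session that performed the change alive and terminates every other one, so a session cookie captured before the password rotation stops being usable, which is the security property the issue title asks for.

```php
<?php
// Added example, not part of rinvex/laravel-auth.
// Three small pieces: an event fired after a successful credential change,
// a listener that deletes the user's other persisted sessions, and the
// wiring (listener registration plus the dispatch call in the controller).

// file: app/Events/CredentialsChanged.php  (hypothetical name)
namespace App\Events;

use Illuminate\Contracts\Auth\Authenticatable;

class CredentialsChanged
{
    public function __construct(
        public Authenticatable $user,
        // Session id of the request that performed the change; kept alive so the
        // user is not logged out of the browser they are using right now.
        public ?string $currentSessionId = null,
    ) {}
}

// file: app/Listeners/TerminateOtherSessions.php  (hypothetical name)
namespace App\Listeners;

use App\Events\CredentialsChanged;

class TerminateOtherSessions
{
    public function handle(CredentialsChanged $event): int
    {
        // Assumption: 'rinvex.fort.session' is a query builder over the sessions
        // table with a user_id column, as used in the controller quoted above.
        $query = app('rinvex.fort.session')
            ->where('user_id', $event->user->getAuthIdentifier());

        if ($event->currentSessionId !== null) {
            $query->where('id', '!=', $event->currentSessionId);
        }

        // Returns the number of sessions removed; useful for an audit log entry.
        return $query->delete();
    }
}

// file: app/Providers/EventServiceProvider.php (excerpt)
namespace App\Providers;

use App\Events\CredentialsChanged;
use App\Listeners\TerminateOtherSessions;
use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;

class EventServiceProvider extends ServiceProvider
{
    protected $listen = [
        CredentialsChanged::class => [
            TerminateOtherSessions::class,
        ],
    ];
}

// file: the password / email / username change controller (excerpt)
namespace App\Http\Controllers;

use App\Events\CredentialsChanged;
use Illuminate\Http\Request;

class AccountCredentialsController
{
    public function update(Request $request)
    {
        $user = $request->user($this->getGuard()); // getGuard() as in the stub above

        // ... validate and persist the new password (or email/username) here ...

        // Fire the event only after the change has been committed, so a failed
        // update never evicts the user's other sessions.
        event(new CredentialsChanged($user, $request->session()->getId()));

        return back()->with('status', 'Credentials updated; other sessions were signed out.');
    }

    protected function getGuard(): ?string
    {
        return null; // placeholder: return the guard name your controller uses
    }
}
```

Because the same event can be dispatched from the email and username change paths, the listener covers the reuse case raised in the comment without duplicating the delete call in each controller. Note that Laravel's own `AuthenticateSession` middleware (mentioned later in this thread) achieves the same outcome differently: it stores a copy of the password hash in the session and logs out any session whose stored hash no longer matches the user's current one.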

Omranic commented 6 years ago

To be revised & implemented soon god willing!

Omranic commented 4 years ago

This is no longer needed as this feature is handled automatically now through Cortex\Auth\Http\Middleware\AuthenticateSession middleware!