laravel / fortify

Backend controllers and scaffolding for Laravel authentication.

Home Page: https://laravel.com/docs/fortify


Route `/user/confirmed-password-status` only created `if ($enableViews)` despite returning JSON.

LeoniePhiline opened this issue · comments

  • Fortify Version: v1.7.4
  • Laravel Version: v8.22.1
  • PHP Version: v7.4.13

Description:

The /user/confirmed-password-status route is only created if ($enableViews) in https://github.com/laravel/fortify/blob/1.x/routes/routes.php#L113.

Actually, though, \Laravel\Fortify\Http\Controllers\ConfirmedPasswordStatusController::show() returns JSON - and is really only useful in an SPA (therefore: ! $enableViews).

Of course anyone can create this route themselves, but it looks a bit like the declaration was moved inside the if block accidentally and should be fixed.

    // Password Confirmation...
    if ($enableViews) {
        Route::get('/user/confirm-password', [ConfirmablePasswordController::class, 'show'])
            ->middleware(['auth'])
            ->name('password.confirm');

        // This route looks like it got into this `if` block by accident.
        Route::get('/user/confirmed-password-status', [ConfirmedPasswordStatusController::class, 'show'])
            ->middleware(['auth'])
            ->name('password.confirmation');
    }

    Route::post('/user/confirm-password', [ConfirmablePasswordController::class, 'store'])
        ->middleware(['auth']);

Do you agree or am I getting this wrong?

I can see that https://laravel.com/docs/8.x/fortify does not mention /user/confirmed-password-status, so maybe the feature is just a left-over.
It seems useful to me, though: writing an SPA, I'd want to check if the password confirmation timeout has passed before even asking to re-type the password.
I fail to see why this should be enabled if you are using views. In that case you would much rather redirect to a password confirmation route (GET /user/confirm-password) if needed, before performing the

Fix:

    // Password Confirmation...
    if ($enableViews) {
        Route::get('/user/confirm-password', [ConfirmablePasswordController::class, 'show'])
            ->middleware(['auth'])
            ->name('password.confirm');
    }

    Route::get('/user/confirmed-password-status', [ConfirmedPasswordStatusController::class, 'show'])
        ->middleware(['auth'])
        ->name('password.confirmation');

    Route::post('/user/confirm-password', [ConfirmablePasswordController::class, 'store'])
        ->middleware(['auth']);

Generally, would you like to see pull requests, or have contributors first ask if a PR is desired?


PS:
\Laravel\Fortify\Http\Controllers\ConfirmablePasswordController::store() might want to use \Illuminate\Session\Store::passwordConfirmed() instead of manually calling $request->session()->put('auth.password_confirmed_at', time()).
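An added example (not code from the Fortify repository or from the issue author) of the SPA flow described above: a client helper that asks `/user/confirmed-password-status` first and only prompts for and POSTs the password when the confirmation has expired, and that reports the 404 an SPA gets while the route is still gated on `$enableViews`. It assumes the status route answers 200 with JSON `{confirmed: boolean}`, that `POST /user/confirm-password` answers 201 on success and 422 on a wrong password, and `scriptedFetch` is a constructed stand-in for `fetch` so the flow can run without a server.

```javascript
// Added example, not from the Fortify repository. Assumed response shapes:
// GET /user/confirmed-password-status -> 200 {confirmed: boolean}
// POST /user/confirm-password         -> 201 on success, 422 on wrong password

function xsrfHeader() {
  // Laravel's VerifyCsrfToken accepts the XSRF-TOKEN cookie value, URL-decoded,
  // in an X-XSRF-TOKEN header. Outside a browser there is no cookie jar.
  const cookie = typeof document === 'undefined' ? '' : document.cookie;
  const m = cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]+)/);
  return m ? { 'X-XSRF-TOKEN': decodeURIComponent(m[1]) } : {};
}

async function ensurePasswordConfirmed(askForPassword, fetchImpl = globalThis.fetch) {
  const headers = { Accept: 'application/json', 'X-Requested-With': 'XMLHttpRequest' };

  const status = await fetchImpl('/user/confirmed-password-status', { credentials: 'same-origin', headers });
  if (status.status === 404) {
    // Route not registered: Fortify only declares it inside `if ($enableViews)`,
    // which is the misplacement this issue reports.
    return { confirmed: false, prompted: false, reason: 'status-route-missing' };
  }
  if (status.status !== 200) {
    return { confirmed: false, prompted: false, reason: `status-http-${status.status}` };
  }
  if ((await status.json()).confirmed === true) {
    // Still inside auth.password_timeout: no need to bother the user.
    return { confirmed: true, prompted: false, reason: 'fresh' };
  }

  const password = await askForPassword();
  const res = await fetchImpl('/user/confirm-password', {
    credentials: 'same-origin',
    method: 'POST',
    headers: { ...headers, 'Content-Type': 'application/json', ...xsrfHeader() },
    body: JSON.stringify({ password }),
  });
  if (res.status === 201) return { confirmed: true, prompted: true, reason: 'confirmed' };
  if (res.status === 422) return { confirmed: false, prompted: true, reason: 'wrong-password' };
  return { confirmed: false, prompted: true, reason: `confirm-http-${res.status}` };
}

// Constructed stand-in for fetch: scripted responses keyed by "METHOD path".
function scriptedFetch(script) {
  return async (url, init = {}) => {
    const key = `${init.method || 'GET'} ${url}`;
    const r = script[key];
    if (!r) throw new Error(`unscripted request ${key}`);
    return { status: r.status, json: async () => r.body ?? {} };
  };
}
```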

Thanks for the report! I've sent in a PR here: #203

Generally, would you like to see pull requests, or have contributors first ask if a PR is desired?

PRs are always preferred over issues because then we can look at actual code.

PS: \Laravel\Fortify\Http\Controllers\ConfirmablePasswordController::store() might want to use \Illuminate\Session\Store::passwordConfirmed() instead of manually calling $request->session()->put('auth.password_confirmed_at', time()).

Just send in a PR if you like, thanks!

Made #206 - let's see if this is welcome. :)