Merge branch 'hotfix/password-rehash' into 8.x

laravel · Mar 16, 2021 · eacabc7 · eacabc7
2 parents d98cf8b + 1e61612
commit eacabc7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 4 deletions.
diff --git a/src/Illuminate/Auth/SessionGuard.php b/src/Illuminate/Auth/SessionGuard.php
@@ -20,6 +20,7 @@
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Str;
 use Illuminate\Support\Traits\Macroable;
+use InvalidArgumentException;
 use RuntimeException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
@@ -581,16 +582,16 @@ protected function cycleRememberToken(AuthenticatableContract $user)
      * @param  string  $password
      * @param  string  $attribute
      * @return bool|null
+     *
+     * @throws \Illuminate\Auth\AuthenticationException
      */
     public function logoutOtherDevices($password, $attribute = 'password')
     {
         if (! $this->user()) {
             return;
         }
 
-        $result = tap($this->user()->forceFill([
-            $attribute => Hash::make($password),
-        ]))->save();
+        $result = $this->rehashUserPassword($password, $attribute);
 
         if ($this->recaller() ||
             $this->getCookieJar()->hasQueued($this->getRecallerName())) {
@@ -602,6 +603,26 @@ public function logoutOtherDevices($password, $attribute = 'password')
         return $result;
     }
 
+    /**
+     * Rehash the current user's password.
+     *
+     * @param  string  $password
+     * @param  string  $attribute
+     * @return bool|null
+     *
+     * @throws \InvalidArgumentException
+     */
+    protected function rehashUserPassword($password, $attribute)
+    {
+        if (! Hash::check($password, $this->user()->{$attribute})) {
+            throw new InvalidArgumentException("The given password does not match the current password.");
+        }
+
+        return tap($this->user()->forceFill([
+            $attribute => Hash::make($password),
+        ]))->save();
+    }
+
     /**
      * Register an authentication attempt event listener.
      *

diff --git a/tests/Integration/Auth/AuthenticationTest.php b/tests/Integration/Auth/AuthenticationTest.php
@@ -19,6 +19,7 @@
 use Illuminate\Support\Str;
 use Illuminate\Support\Testing\Fakes\EventFake;
 use Illuminate\Tests\Integration\Auth\Fixtures\AuthenticationTestUser;
+use InvalidArgumentException;
 use Orchestra\Testbench\TestCase;
 
 /**
@@ -211,7 +212,7 @@ public function testLoggingOutOtherDevices()
 
         $this->assertEquals(1, $user->id);
 
-        $this->app['auth']->logoutOtherDevices('adifferentpassword');
+        $this->app['auth']->logoutOtherDevices('password');
         $this->assertEquals(1, $user->id);
 
         Event::assertDispatched(OtherDeviceLogout::class, function ($event) {
@@ -222,6 +223,20 @@ public function testLoggingOutOtherDevices()
         });
     }
 
+    public function testPasswordMustBeValidToLogOutOtherDevices()
+    {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('current password');
+
+        $this->app['auth']->loginUsingId(1);
+
+        $user = $this->app['auth']->user();
+
+        $this->assertEquals(1, $user->id);
+
+        $this->app['auth']->logoutOtherDevices('adifferentpassword');
+    }
+
     public function testLoggingInOutViaAttemptRemembering()
     {
         $this->assertTrue(