[6.x] Implement new password rule and password confirmation #30214
These changes add a new password validation rule and the new password confirmation functionality.
The validation rule offers to validate a password input field and checks if the password matches the currently authed user's password. You can also pass a guard name as a parameter.
The password confirmation functionality behaves exactly like the GitHub confirmation screen, allowing you to set a
Feel free to provide feedback.
Kudos to @freekmurze, @mpociot, @christophrumpel and all the others that helped out with validating this idea. I first started working on this but later discovered this article below by @browner12 which inspired me a bit for this PR. Thanks!
I very much like the functionality, but I find the name is a bit confusing.
If someone now says to you "I have a problem confirming a password", does that problem concern:
I think a name like
Glad I could be an inspiration! Happy to see this in the core.
Couple of comments/questions:
My last point is a little more overarching. I think the way we handle injecting functionality into Controllers with built-in features (auth, password resets, elevated security) is a little off. Having the Traits is great, but the methods of the Traits are too all-inclusive and therefore (IMO) restrictive. A trait method should not encompass an entire route Controller method. I think it would be better if the methods were more "single responsibility", and then the programmer would use them to compose their own Controllers. This gives the programmer the freedom to make the flow of the Controller work however they like, while also having the consistency of the methods in the Traits. This also prevents us from having to add a bunch of properties to customize every single use case. Maybe I'll bring this up elsewhere, because this is a concern I have with all of these features.
GitHub also does "a few hours", hence the reason why I decided on this value.
Left out intentionally but I don't mind adding that either way. Not sure how @taylorotwell feels about that.
This is gonna be a bit tricky indeed. Not sure how to exactly solve this. In any case, the current middleware will still protect post routes, they'll just fail if people attempt to execute them manually.
This is more of a discussion for the ideas repo.
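As an added illustration (not code from this PR or from Laravel), here is a framework-free PHP sketch of the two pieces discussed in the thread: checking a submitted password against the current user's stored hash, and letting a sensitive route through only while a recent confirmation is on record. The function names, the session key and the three-hour timeout are assumptions; the thread only says "a few hours".

```php
<?php
declare(strict_types=1);

// Assumed value: the thread only says "a few hours".
const CONFIRM_TIMEOUT_SECONDS = 3 * 60 * 60;

/**
 * Validation-rule half: does the submitted value match the stored hash of
 * the currently authenticated user? password_verify() reads the algorithm
 * and salt from the hash itself and compares in constant time.
 */
function matchesCurrentPassword(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

/** Record a successful confirmation in server-side session state. */
function markConfirmed(array &$session, int $now): void
{
    $session['password_confirmed_at'] = $now; // hypothetical key name
}

/**
 * Middleware half: applied to every sensitive route regardless of HTTP
 * method, so a hand-crafted POST is refused as well. A missing, non-integer
 * or future timestamp is treated as "never confirmed".
 */
function needsConfirmation(array $session, int $now): bool
{
    $at = $session['password_confirmed_at'] ?? null;
    if (!is_int($at) || $at > $now) {
        return true;
    }
    return ($now - $at) >= CONFIRM_TIMEOUT_SECONDS;
}

// Constructed sample data: one user hash, one empty session, a fixed clock.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$session = [];
$t0 = 1700000000;

var_dump(needsConfirmation($session, $t0));             // before any confirmation
var_dump(matchesCurrentPassword('wrong guess', $hash)); // wrong password submitted
if (matchesCurrentPassword('correct horse', $hash)) {
    markConfirmed($session, $t0);                       // correct password submitted
}
var_dump(needsConfirmation($session, $t0 + 60));        // one minute after confirming
var_dump(needsConfirmation($session, $t0 + CONFIRM_TIMEOUT_SECONDS)); // at the timeout
```

The timestamp lives in server-side session state, so a client cannot extend its own confirmation window by editing a cookie value.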