Merge branch 'main' into route_tidy

Author: phpsa

.gitignore

@@ -1 +1,2 @@
 vendor/
+composer.lock

.lando.yml

@@ -0,0 +1,68 @@
+name: laravelfauth
+recipe: lamp
+config:
+  via: "cli"
+  php: "8.2"
+
+services:
+
+  php83:
+    type: php:8.3
+    via: "cli"
+
+  php81:
+    type: php:8.1
+    via: "cli"
+
+
+tooling:
+  cleanup:
+    cmd: rm -rf vendor composer.lock
+
+  setup81:
+    service: php81
+    cmd: rm -rf vendor composer.lock && composer install
+
+  setup83:
+    service: php83
+    cmd: rm -rf vendor composer.lock && composer install
+
+  setup82:
+    service: appserver
+    cmd: rm -rf vendor composer.lock && composer install
+
+
+
+
+  lara11:
+    service: php83
+    cmd:
+      - rm -rf vendor composer.lock
+      - composer require laravel/laravel:^11
+      - composer install
+      - composer phpunit
+      - composer phpstan
+      # this is for removing a specific version
+      - composer remove laravel/laravel
+
+  lara10:
+    service: php82
+    cmd:
+      - rm -rf vendor composer.lock
+      - composer require laravel/laravel:^10
+      - composer install
+      - composer phpunit
+      - composer phpstan
+      # this is for removing a specific version
+      - composer remove laravel/laravel
+
+  lara9:
+    service: php81
+    cmd:
+      - rm -rf vendor composer.lock
+      - composer require laravel/laravel:^9
+      - composer install
+      - composer phpunit
+      - composer phpstan
+      # this is for removing a specific version
+      - composer remove laravel/laravel

README.md

@@ -139,6 +139,25 @@ Enable this & configure this as Follows:
 
 this will force a user to update their password, note -- all existing users will initially be foreced to, this can be ignored by running the following command:
 
+From V5.0.0 - there is a new validation rule that can be added to validate that a password has not been used before.
+`Phpsa\FilamentAuthentication\Rules\PreventPasswordReuseRule` - this will use the value from config `filament-authentication.password_renew.prevent_password_reuse` 0 to disable, any number of previous to block out fro re-use.
+
+-- If using socialite / Filament-socialite etc, you will need to override the `public function needsRenewal(): bool` method in the trait,
+EG:
+```php
+ use CanRenewPassword {
+        CanRenewPassword::needsRenewal as traitNeedsRenewal;
+    }
+
+    public function needsRenewal(): bool
+    {
+        if ($this->password === null && SocialiteUser::where('user_id', $this->id)->exists()) {
+            return false;
+        }
+        return $this->traitNeedsRenewal();
+    }
+```
+
 ## Authentication Log
 
 Introduced in V4.2.0 - this allows you to log each user login attempt.

UPGRADE.md

@@ -1,3 +1,11 @@
+# Upgrading V4 - V5
+
+Breaking Changes:
+- Impersonation - links now generated based on panels, so route name and path will be slightly different
+- Password Renew - added phash to the table to store previous passwords, this will be used to validate if a password has been used before.
+
+
+
 Upgrading V2 - V3
 
 - Widget / panels no longer auto-published

composer.json

@@ -24,14 +24,16 @@
   ],
   "minimum-stability": "dev",
   "require": {
-    "php": "^8.0",
+    "php": "^8.1",
     "filament/filament": "^3.0",
+    "illuminate/support": "^9.0|^10|^11",
     "lab404/laravel-impersonate": "^1.7",
     "spatie/laravel-package-tools": "^1.13",
     "spatie/laravel-permission": "^5.5|^6.0"
   },
   "require-dev": {
-    "laravel/pint": "^1.2"
+    "laravel/pint": "^1.2",
+    "orchestra/testbench": "^7.0|^8.0|^9.0"
   },
   "config": {
     "sort-packages": true

config/filament-authentication.php

@@ -63,6 +63,8 @@
         'prune'                      => 365,
         //renew password days period, 0 to disable
         'renew_password_days_period' => 90,
+        //prevent password reuse for x times, 0 to disable
+        'prevent_password_reuse'     => 0,
     ],
 
 

database/migrations/tracks_filament_password_hashes.php.stub

@@ -0,0 +1,16 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table(config('filament-authentication.password_renew.table_name'), function (Blueprint $table): void {
+            $table->string('phash', 255)->nullable()->after('renewable_id');
+        });
+    }
+
+};

src/FilamentAuthenticationProvider.php

@@ -24,6 +24,7 @@ public function configurePackage(Package $package): void
             ->hasRoute('web')
             ->hasMigration('create_filament_authentication_tables')
             ->hasMigration('create_filament_password_renew_table')
+            ->hasMigration('tracks_filament_password_hashes')
             ->hasConfigFile('filament-authentication')
             ->hasCommand(InstallCommand::class)
             ->hasCommand(UpdateUserPasswordToUpdatedCommand::class)

src/Models/PasswordRenewLog.php

@@ -23,6 +23,9 @@ class PasswordRenewLog extends Model
 {
     use Prunable;
 
+    //no guarding
+    protected $guarded = [];
+
     public function getConnectionName()
     {
         return config('filament-authentication.password_renew.db_connection', null) ?? $this->connection;

src/Pages/Auth/RenewPassword.php

@@ -14,6 +14,7 @@
 use Filament\Pages\Concerns\InteractsWithFormActions;
 use Yebor974\Filament\RenewPassword\RenewPasswordPlugin;
 use Illuminate\Validation\Rules\Password as PasswordRule;
+use Phpsa\FilamentAuthentication\Rules\PreventPasswordReuseRule;
 use Phpsa\FilamentAuthentication\Traits\CanRenewPassword;
 
 class RenewPassword extends SimplePage
@@ -34,8 +35,7 @@ public function mount(): void
     {
         $user = Filament::auth()->user();
 
-        if (
-               ! in_array(CanRenewPassword::class, class_uses_recursive($user))
+        if (! in_array(CanRenewPassword::class, class_uses_recursive($user))
                || ! $user->needsRenewal()
         ) {
             redirect()->intended(Filament::getUrl());
@@ -93,7 +93,7 @@ protected function getForms(): array
                             ->password()
                             ->revealable(filament()->arePasswordsRevealable())
                             ->required()
-                            ->rules(['different:data.currentPassword', PasswordRule::default()]),
+                            ->rules(['different:data.currentPassword', PasswordRule::default(), new PreventPasswordReuseRule()]),
                         TextInput::make('PasswordConfirmation')
                             ->label(__('filament-authentication::filament-authentication.field.user.confirm_password'))
                             ->password()

src/Rules/PreventPasswordReuseRule.php

@@ -0,0 +1,38 @@
+<?php
+namespace Phpsa\FilamentAuthentication\Rules;
+
+use Closure;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Support\Facades\Hash;
+use Phpsa\FilamentAuthentication\Models\PasswordRenewLog;
+
+class PreventPasswordReuseRule implements ValidationRule
+{
+
+    public function __construct(?Authenticatable $user = null)
+    {
+        $this->user = $user ?? auth()->user();
+    }
+
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+
+        //if config is disabled we don't wanna
+        if ((int) config('filament-authentication.password_renew.prevent_password_reuse') <= 0) {
+            return;
+        }
+
+        $previous = PasswordRenewLog::where('renewable_id', $this->user->getAuthIdentifier())
+            ->where('renewable_type', get_class($this->user))
+            ->latest()
+            ->limit(config('filament-authentication.password_renew.prevent_password_reuse'))
+            ->pluck('phash')
+            ->filter(fn($hash) => Hash::check($value, $hash))
+            ->isNotEmpty();
+
+        if ($previous) {
+            $fail('You cannot use the same password as a previous one.');
+        }
+    }
+}

src/Traits/CanRenewPassword.php

@@ -11,7 +11,9 @@ public function initializeCanRenewPassword()
             $field = method_exists($user, 'getAuthPasswordName') ? $user->getAuthPasswordName() : 'password';
 
             if ($user->isDirty($field)) {
-                $user->renewables()->where('created_at', now())->firstOrCreate([]);
+                $user->renewables()->where('created_at', now())->firstOrCreate([
+                    'phash' => $user->getOriginal($field),
+                ]);
             }
         });
     }
@@ -28,6 +30,7 @@ public function latestRenewable()
 
     public function needsRenewal(): bool
     {
+
         $period = config('filament-authentication.password_renew.renew_password_days_period');
 
         if (! is_numeric($period) || $period <= 0) {