
elliotk

Force user to update password

Hello,

I have a situation where I want to increase the password requirements on an existing project.

I have created a Custom Rule and updated my Register and Reset Password Controllers - everything fine.

However, I now want to look at updating users where their current password no longer meets the new security requirements.

I thought something along the lines of - User logs in, current password is checked against the new rule, if it doesn't meet the new requirements, they are forced to update it and can't navigate anywhere else in the site.

Maybe that is an over-engineer - I'm not sure how to proceed. Any thoughts / advice / sample code appreciated.

Thanks

laracoft
  1. Which part are you unsure of how to proceed?
  2. When a user logs in, their passwords will be sent to you in plaintext, that's the time you can compare against the new rules
Sinnbeck

Easy solution could be to not log in, but to trigger a reset password email, and redirect the user to a page telling them about what is happening and what to do. That way they can never log in unless they change their password.

elliotk

I use the standard Auth Routes and I don't know where / how to intercept the password to do the manual check - I presume I would need to then handle the login myself?

How to hold the user in the password form until they have done the change - I am presuming a Middleware, perhaps with a session variable? Again, unsure.

laracoft
  1. In your LoginController.php, you will see use AuthenticatesUsers;.
  2. Open vendor\laravel\framework\src\Illuminate\Foundation\Auth\AuthenticatesUsers.php
  3. The function that first receives the plaintext password is public function login(Request $request)
  4. You can intercept it there and do a redirect() or whatever is required
  5. We can do it the middleware way too
<?php

namespace App\Http\Middleware;

use Closure;

class weak_password
{
    public function handle($request, Closure $next)
    {
        // has_weak_password() is a helper the poster assumes exists; it would
        // apply the same strength rule already used at registration and reset.
        if (has_weak_password($request->password)) {
            return redirect()->secure("/wherever");
        }

        return $next($request);
    }
}
Sinnbeck

I would probably go with attemptLogin instead as it is much smaller. Trigger reset mail and redirect the user :)

Snapey

I would let them login first to prove their identity.

Then if the password does not meet your new requirements, log them out and show them a message/redirect asking them to change password.

You shouldn't do this unless they can provide the correct existing password.

Or leave them logged in and show a banner on every page they visit advising that their password has expired and to reset it.

You can show a banner, or restrict access to pages using a middleware.

What version are you using?

elliotk

Thanks everyone for the replies.

So far, this is where I'm at. I hijacked attemptLogin, checked whether the user was able to auth, and if they did, checked the password.

If everything is good, they continue, otherwise I want to force the user to my ChangePasswordController which is at /myaccount/change-password and not let them complete any other actions on the site.

If they complete /myaccount/change-password, then I would want to release the "lock" and they can continue as normal.

L7

    protected function attemptLogin(Request $request)
    {
        $successfulAuth = $this->guard()->attempt(
            $this->credentials($request), $request->filled('remember')
        );

        // check if the user was able to authenticate
        if ($successfulAuth == true) {

            // check if password meets new requirements
            if (preg_match("/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@()$%^&*=_{}[\]:;\"'|\<>,.\/~`±§+-]).{12,30}$/", $request->password)) {

                // user can proceed
                return $successfulAuth;

            } else {

                // user has auth'ed but the password isn't strong enough
                // user needs to be forced to /myaccount/change-password
                // (nothing is returned here yet, so login() will treat the
                // attempt as failed even though the guard has logged the user in)
            }
        }
    }
jlrdw

I don't see why your idea doesn't work, you could also add a checkbox that gets updated to true or 1 after the task is done. That is behind the scenes during the update.

elliotk

I'm just not sure how to do the last part... set some kind of session variable and attach it to a Middleware to push the user to the change password form and not let them complete any other actions. I suppose I could do something with a flag on the database, but it just feels a bit too much when something on the session should do?

laracoft

Laravel is designed to be efficient, attemptLogin is only executed once per session at login. It can be a place to flag a weak password, but to perform enforcement of password reset on every request, you need a middleware.

laracoft
Best Answer
  1. Set a weak_password session key in your attemptLogin to flag out this user
  2. Have a middleware that checks for weak_password and redirect user
  3. On /myaccount/change-password, after you are satisfied with the new password, you need session()->forget('weak_password'); to unflag this user
    protected function attemptLogin(Request $request)
    {
        $successfulAuth = $this->guard()->attempt(
            $this->credentials($request), $request->filled('remember')
        );

        // check if the user was able to authenticate
        if ($successfulAuth == true) {

            // check if password meets new requirements
            if (preg_match("/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@()$%^&*=_{}[\]:;\"'|\<>,.\/~`±§+-]).{12,30}$/", $request->password)) {
                // user can proceed
                return $successfulAuth;

            } else {

                // user has auth'ed but the password isn't strong enough
                // user needs to be forced to /myaccount/change-password
                session(['weak_password' => true]);

                // still return the result so login() completes normally;
                // the weak_password middleware does the redirect on the next request
                return $successfulAuth;
            }
        }

        return $successfulAuth;
    }

Middleware

<?php

namespace App\Http\Middleware;

use Closure;

class weak_password
{

    protected $except = [
        '/myaccount/change-password', // allow this URL to load even if "weak_password" exists
                                      // add more for your change-password CRUD URLs
    ];

    protected function inExceptArray($request)
    {
        foreach ($this->except as $except) {
            if ($except !== '/') {
                $except = trim($except, '/');
            }

            if ($request->fullUrlIs($except) || $request->is($except)) {
                return true;
            }
        }

        return false;
    }

    public function handle($request, Closure $next)
    {
        // redirect only when the flag is set AND the request is not for the
        // change-password URLs themselves, otherwise every request would be
        // redirected and the change-password page would loop on itself
        if (session("weak_password") && !$this->inExceptArray($request)) {
            return redirect()->secure("/myaccount/change-password");
        }

        return $next($request);
    }
}
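Step 3 of the answer above, as an added example rather than code from the thread: the change-password action re-checks the current password, validates the new one against the same regex attemptLogin uses, and clears the weak_password flag. The controller name, field names and flash message are assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class ChangePasswordController extends Controller
{
    // Same pattern the thread's attemptLogin checks at login, so the login
    // check and the change-password form enforce one policy.
    private const PATTERN = "/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@()$%^&*=_{}[\]:;\"'|\<>,.\/~`±§+-]).{12,30}$/";

    // Handles POST /myaccount/change-password (assumed route). This URL must
    // also be in the middleware's $except list, or the redirect loops.
    public function update(Request $request)
    {
        // Array syntax keeps the '|' inside the regex from being read as a rule separator.
        $request->validate([
            'current_password' => ['required', 'string'],
            'password'         => ['required', 'string', 'confirmed', 'regex:' . self::PATTERN],
        ]);

        $user = $request->user();

        // Re-prove possession of the current password before accepting a new one,
        // so the weak_password flag alone never lets a session rewrite the credential.
        if (! Hash::check($request->input('current_password'), $user->password)) {
            return back()->withErrors(['current_password' => 'The current password is incorrect.']);
        }

        $user->forceFill(['password' => Hash::make($request->input('password'))])->save();

        // Step 3 of the answer above: release the lock the middleware enforces.
        $request->session()->forget('weak_password');

        return redirect('/')->with('status', 'Your password has been updated.');
    }
}
```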
