# Handle logoutOtherDevices when users have null passwords


fast wigeon
#

I'm not a fan of the way Laravel comes out of the box with a requirement for users to have passwords in 2024 when we are on the verge of password-less internet.

I changed my users schema to have a nullable password for users who sign up with OAuth. But there is a problem with logging off all of a user's sessions using logoutOtherDevices, because it requires a password, and from what it seems it will change the password after the sessions are logged off.

```php
// Imports this controller method depends on (class body and other methods omitted).
use Illuminate\Contracts\Auth\StatefulGuard;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;
use Laravel\Fortify\Actions\ConfirmPassword;

public function destroy(Request $request, StatefulGuard $guard)
{
    $user = $request->user();

    // Only accounts without a Google identity and with a stored password must confirm it.
    $requiresPasswordConfirmation = is_null($user->google_id) && !is_null($user->password);
    $pass = 'password';

    if ($requiresPasswordConfirmation) {
        $confirmed = app(ConfirmPassword::class)(
            $guard, $user, $request->password
        );

        if (! $confirmed) {
            throw ValidationException::withMessages([
                'password' => __('The password is incorrect.'),
            ]);
        }

        $pass = $request->password;
    } elseif (is_null($user->google_id) && is_null($user->password)) {
        throw ValidationException::withMessages([
            'error' => __('Your account is not properly set up. Contact support.'),
        ]);
    }

    // For OAuth users $pass is still the placeholder 'password' (see question 1 below).
    $guard->logoutOtherDevices($pass);

    $this->deleteOtherSessionRecords($request);

    return back(303);
}
```

Questions:

  1. The above won't work because of the error "This password does not use the Bcrypt algorithm.", although I tried with both plain text and bcrypt(). This probably happens because the user's password is null.

  2. What would be the first step to customize logoutOtherDevices's functionality? Is it as easy as recreating the methods used by SessionsGuard->logoutOtherDevices?

honest dune
#

Try with `\Illuminate\Support\Facades\Hash::make('pass')` for hashing.

wooden oxide
#

No

#

Just use the database session driver and then delete from the table where user_id matches their user id,

#

and you'll delete the sessions and invalidate them.

#

```php
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;

protected function deleteOtherSessionRecords(): void
{
    // Only the database driver keeps session rows we can delete.
    if (config(key: 'session.driver') !== 'database') {
        return;
    }

    // Remove every session row for this user except the current one.
    DB::connection(config(key: 'session.connection'))->table(table: config(key: 'session.table', default: 'sessions'))
        ->where(column: 'user_id', operator: '=', value: Auth::user()->getAuthIdentifier())
        ->where(column: 'id', operator: '!=', value: request()->session()->getId())
        ->delete();
}
```
#

That's exactly what Laravel is doing anyway ^^ (from the Laravel source).
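One way to combine the two approaches discussed in this thread (confirm-and-rehash via logoutOtherDevices for password accounts, deletion of the other session rows for OAuth accounts), as an added example that is not the thread's or Laravel's own code. It assumes Laravel Fortify's ConfirmPassword action, the database session driver, and a users table with a nullable password column and a google_id column:

```php
<?php
// Added example (not from the thread or Laravel); assumes Fortify, database sessions, nullable password.
namespace App\Http\Controllers;
use Illuminate\Contracts\Auth\StatefulGuard;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\ValidationException;
use Laravel\Fortify\Actions\ConfirmPassword;

class OtherBrowserSessionsController extends Controller
{
    public function destroy(Request $request, StatefulGuard $guard)
    {
        $user = $request->user();
        if (! is_null($user->password)) {
            // Password accounts: confirm the password, then let Laravel rehash it so the
            // AuthenticateSession middleware rejects sessions carrying the old hash.
            $confirmed = app(ConfirmPassword::class)($guard, $user, $request->password);
            if (! $confirmed) {
                throw ValidationException::withMessages([
                    'password' => __('The password is incorrect.'),
                ]);
            }
            $guard->logoutOtherDevices($request->password);
        } elseif (is_null($user->google_id)) {
            // Neither a password nor an OAuth identity: refuse rather than guess.
            throw ValidationException::withMessages([
                'error' => __('Your account is not properly set up. Contact support.'),
            ]);
        }
        // OAuth-only accounts skip logoutOtherDevices (it would rehash a null password);
        // deleting the other session rows is what actually ends those sessions.
        $this->deleteOtherSessionRecords($request);
        return back(303);
    }

    protected function deleteOtherSessionRecords(Request $request): void
    {
        if (config('session.driver') !== 'database') {
            // File/cookie drivers keep no rows to delete, so this is a no-op for them.
            return;
        }
        DB::connection(config('session.connection'))
            ->table(config('session.table', 'sessions'))
            ->where('user_id', $request->user()->getAuthIdentifier())
            ->where('id', '!=', $request->session()->getId())
            ->delete();
    }
}
```

Note that for OAuth-only accounts the session-row deletion is the only thing that revokes the other devices, so this approach only works when `session.driver` is `database`.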