Rehash password if required (#557)

Author: gdebrauwer

src/Actions/RedirectIfTwoFactorAuthenticatable.php

@@ -94,6 +94,10 @@ protected function validateCredentials($request)
 
                 $this->throwFailedAuthenticationException($request);
             }
+
+            if (config('hashing.rehash_on_login', true) && method_exists($this->guard->getProvider(), 'rehashPasswordIfRequired')) {
+                $this->guard->getProvider()->rehashPasswordIfRequired($user, ['password' => $request->password]);
+            }
         });
     }
 

tests/AuthenticatedSessionControllerWithTwoFactorTest.php

@@ -2,9 +2,11 @@
 
 namespace Laravel\Fortify\Tests;
 
+use Illuminate\Foundation\Application;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Hash;
 use Laravel\Fortify\Events\TwoFactorAuthenticationChallenged;
 use Laravel\Fortify\Features;
 use Laravel\Fortify\Tests\Models\UserWithTwoFactor;
@@ -100,6 +102,57 @@ public function test_user_can_authenticate_when_two_factor_challenge_is_disabled
         $response->assertRedirect('/home');
     }
 
+    public function test_rehash_user_password_when_redirecting_to_two_factor_challenge_if_rehashing_on_login_is_enabled()
+    {
+        if (version_compare(Application::VERSION, '11.0.0', '<')) {
+            $this->markTestSkipped('Only on Laravel 11 and later');
+        }
+
+        $this->app['config']->set('hashing.rehash_on_login', true);
+
+        $user = UserWithTwoFactor::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => Hash::make('secret', ['rounds' => 6]),
+            'two_factor_secret' => 'test-secret',
+        ]);
+
+        $response = $this->withoutExceptionHandling()->post('/login', [
+            'email' => '[email protected]',
+            'password' => 'secret',
+        ]);
+
+        $response->assertRedirect('/two-factor-challenge');
+
+        $this->assertNotSame($user->password, $user->fresh()->password);
+        $this->assertTrue(Hash::check('secret', $user->fresh()->password));
+    }
+
+    public function test_does_not_rehash_user_password_when_redirecting_to_two_factor_challenge_if_rehashing_on_login_is_disabled()
+    {
+        if (version_compare(Application::VERSION, '11.0.0', '<')) {
+            $this->markTestSkipped('Only on Laravel 11 and later');
+        }
+
+        $this->app['config']->set('hashing.rehash_on_login', false);
+
+        $user = UserWithTwoFactor::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => Hash::make('secret', ['rounds' => 6]),
+            'two_factor_secret' => 'test-secret',
+        ]);
+
+        $response = $this->withoutExceptionHandling()->post('/login', [
+            'email' => '[email protected]',
+            'password' => 'secret',
+        ]);
+
+        $response->assertRedirect('/two-factor-challenge');
+
+        $this->assertSame($user->password, $user->fresh()->password);
+    }
+
     public function test_two_factor_challenge_can_be_passed_via_code()
     {
         $tfaEngine = app(Google2FA::class);