README

This package allows you to keep track of the last passwords used by a user.

Installation

You can install the package via composer:

composer require beliven-it/laravel-password-history

You can publish and run the migrations with:

php artisan vendor:publish --tag="password-history-migrations"
php artisan migrate

You can publish the config file with:

php artisan vendor:publish --tag="password-history-config"

This is the contents of the published config file:

return [
    // Use -1 for unlimited history
    'depth' => (int) env('PASSWORD_HISTORY_DEPTH', 10),
];

The only value configurable is the depth of the password history. This value is the number of passwords that will be stored in the history. When a user tries to set a password that is in the history, the validation will fail.

Usage

The library allow to apply a trait in your own models.

Let's try to use in the User model:

<?php

namespace App\Models;

use Beliven\PasswordHistory\Traits\HasPasswordHistory;

class User extends Authenticatable
{
    use HasPasswordHistory;
    // ... other code
}

Now, when you need to create / update a user password you can use the following procedure:

$user->password = $password_from_request;
$user->save();

You can also use a rule in your request validation:

<?php

namespace App\Http\Requests\Auth;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rules\Password;
use Beliven\PasswordHistory\Rules\HasPasswordInHistory;

class UpdatePasswordRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     */
    public function authorize(): bool
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     */
    public function rules(): array
    {
        return [
            'password_current' => 'required|current_password:api|max:100',
            'password'         => [
                'required',
                'confirmed',
                'string',
                Password::min(8)
                    ->mixedCase()
                    ->numbers()
                    ->symbols()
                    ->uncompromised(),
                new HasPasswordInHistory($this->user()),
            ],
        ];
    }
}

Warning!!:

For password checking is important to provide the plain text password and NOT the hashed password. otherwise an exception will be thrown. Make sure to check your code before using this package.

<?php

# Allowed
$user->password = 'password';

# Not allowed
$user->password = Hash::make('password');

# This throw an exception of type PasswordAlreadyHashedException

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

• Fabrizio Gortani
• All Contributors

License

The MIT License (MIT). Please see License File for more information.