AuthenticateSession.php
TLDR
The file AuthenticateSession.php is a middleware class in the Illuminate\Session\Middleware namespace. It provides functionality for authenticating sessions in Laravel applications.
Methods
handle
The handle
method is responsible for handling an incoming request. It checks if the request has a session and a user authenticated. If not, it passes the request to the next middleware. If the user is authenticated via remember me functionality, it verifies the user's password hash with the one stored in the session. If the password hash does not match, it logs the user out. It also stores the user's password hash in the session and logs the user out if the stored password hash does not match the one retrieved from the user.
storePasswordHashInSession
The storePasswordHashInSession
method is a protected method that is responsible for storing the user's current password hash in the session.
logout
The logout
method is a protected method that logs the user out of the application. It clears the session and throws an AuthenticationException
with a default driver and redirect path.
guard
The guard
method is a protected method that returns the authentication factory used by the middleware.
redirectTo
The redirectTo
method is a protected method that returns the redirect path for unauthenticated sessions. It uses a callback if specified.
redirectUsing
The redirectUsing
method is a public method that specifies a callback to be used for generating the redirect path.
<?php
namespace Illuminate\Session\Middleware;
use Closure;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Contracts\Auth\Factory as AuthFactory;
use Illuminate\Contracts\Session\Middleware\AuthenticatesSessions;
use Illuminate\Http\Request;
class AuthenticateSession implements AuthenticatesSessions
{
/**
* The authentication factory implementation.
*
* @var \Illuminate\Contracts\Auth\Factory
*/
protected $auth;
/**
* The callback that should be used to generate the authentication redirect path.
*
* @var callable
*/
protected static $redirectToCallback;
/**
* Create a new middleware instance.
*
* @param \Illuminate\Contracts\Auth\Factory $auth
* @return void
*/
public function __construct(AuthFactory $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
if (! $request->hasSession() || ! $request->user()) {
return $next($request);
}
if ($this->guard()->viaRemember()) {
$passwordHash = explode('|', $request->cookies->get($this->guard()->getRecallerName()))[2] ?? null;
if (! $passwordHash || ! hash_equals($request->user()->getAuthPassword(), $passwordHash)) {
$this->logout($request);
}
}
if (! $request->session()->has('password_hash_'.$this->auth->getDefaultDriver())) {
$this->storePasswordHashInSession($request);
}
if (! hash_equals($request->session()->get('password_hash_'.$this->auth->getDefaultDriver()), $request->user()->getAuthPassword())) {
$this->logout($request);
}
return tap($next($request), function () use ($request) {
if (! is_null($this->guard()->user())) {
$this->storePasswordHashInSession($request);
}
});
}
/**
* Store the user's current password hash in the session.
*
* @param \Illuminate\Http\Request $request
* @return void
*/
protected function storePasswordHashInSession($request)
{
if (! $request->user()) {
return;
}
$request->session()->put([
'password_hash_'.$this->auth->getDefaultDriver() => $request->user()->getAuthPassword(),
]);
}
/**
* Log the user out of the application.
*
* @param \Illuminate\Http\Request $request
* @return void
*
* @throws \Illuminate\Auth\AuthenticationException
*/
protected function logout($request)
{
$this->guard()->logoutCurrentDevice();
$request->session()->flush();
throw new AuthenticationException(
'Unauthenticated.', [$this->auth->getDefaultDriver()], $this->redirectTo($request)
);
}
/**
* Get the guard instance that should be used by the middleware.
*
* @return \Illuminate\Contracts\Auth\Factory|\Illuminate\Contracts\Auth\Guard
*/
protected function guard()
{
return $this->auth;
}
/**
* Get the path the user should be redirected to when their session is not authenticated.
*
* @param \Illuminate\Http\Request $request
* @return string|null
*/
protected function redirectTo(Request $request)
{
if (static::$redirectToCallback) {
return call_user_func(static::$redirectToCallback, $request);
}
}
/**
* Specify the callback that should be used to generate the redirect path.
*
* @param callable $redirectToCallback
* @return void
*/
public static function redirectUsing(callable $redirectToCallback)
{
static::$redirectToCallback = $redirectToCallback;
}
}