[6.x] Modernize elevated session confirmation#19237
Closed
riasvdv wants to merge 5 commits into
Closed
Conversation
📚 Storybook previews@craftcms/cp — open Storybook No changed components detected in this Storybook. resources/js — open Storybook No changed components detected in this Storybook. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR modernizes Craft CMS’s elevated-session (password re-confirmation) flow by replacing the legacy prompt with a Vue-based host that works across both Inertia and legacy CP pages, while also centralizing 423-based retry handling and adding login rate limiting.
Changes:
- Introduces a Vue elevated-session host + manager, and wires it into both Inertia (AppLayout) and legacy CP bootstrapping.
- Adds a Laravel-native confirmed-password middleware and a new
users/confirm-passwordaction to power a unified preflight/423 flow across settings and OAuth connect/disconnect. - Adds login rate limiting infrastructure (named limiter + tests) and updates workbench/Testbench setup for local browser testing.
Reviewed changes
Copilot reviewed 42 out of 43 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| workbench/.env.example | Updates workbench env defaults (SQLite + DB-backed sessions). |
| tests/Feature/Http/Middleware/RequireConfirmedPasswordTest.php | Adds coverage for the new password-confirm middleware behavior and timeout semantics. |
| tests/Feature/Http/Controllers/User/SignInProvidersControllerTest.php | Updates sign-in provider connect/disconnect tests to use JSON POST + 423 handling. |
| tests/Feature/Http/Controllers/Auth/SessionInfoControllerTest.php | Adds coverage for confirmPassword preflight responses, validation, and alt login methods capture. |
| tests/Feature/Http/Controllers/Auth/LoginControllerTest.php | Adds rate-limit tests and verifies clearing on successful login. |
| tests/Feature/Auth/Concerns/ConfirmsPasswordsTest.php | Aligns expected status to 423 and asserts consistent default password timeout. |
| testbench.yaml | Adjusts workbench asset sync source to cms-assets/resources. |
| src/Route/RouteServiceProvider.php | Registers the named login rate limiter and aliases password.confirm middleware. |
| src/Http/Middleware/RequireConfirmedPassword.php | Adds Laravel middleware wrapper for requiring a confirmed password. |
| src/Http/Controllers/Users/SignInProvidersController.php | Switches OAuth connect to JSON-returned URL + 422/423 semantics. |
| src/Http/Controllers/Users/PermissionsController.php | Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow. |
| src/Http/Controllers/Settings/Users/UserGroupsController.php | Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow. |
| src/Http/Controllers/Gql/TokensController.php | Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow. |
| src/Http/Controllers/Gql/SchemasController.php | Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow. |
| src/Http/Controllers/Auth/SessionInfoController.php | Adds confirmPassword endpoint that returns confirmation status + alternative login fragments. |
| src/Http/Controllers/Auth/LoginController.php | Injects LoginRateLimiter and clears attempts after valid credentials. |
| src/Auth/LoginRateLimiter.php | Adds named limiter definition + keying/clearing behavior. |
| src/Auth/Concerns/ConfirmsPasswords.php | Standardizes duration logic and changes denial status from 403 → 423. |
| routes/cp.php | Adds throttle middleware to CP login POST and changes provider connect route to POST. |
| routes/actions.php | Adds users/confirm-password action route (auth + CP access). |
| resources/js/pages/users/SignInProviders.vue | Uses the elevated-session manager + JSON connect flow and adds per-provider loading state. |
| resources/js/pages/users/Permissions.vue | Requires password confirmation only when sensitive fields actually changed. |
| resources/js/pages/settings/users/groups/Edit.vue | Adds password-confirm integration for permission changes. |
| resources/js/pages/graphql/tokens/Edit.vue | Adds password-confirm integration (always required) and uses elevated-session manager for token reveal. |
| resources/js/pages/graphql/schemas/Edit.vue | Adds password-confirm integration for schema permission changes. |
| resources/js/modules/settings/composables/useSettingsSave.ts | Centralizes preflight + 423 retry behavior around elevated sessions for settings saves. |
| resources/js/modules/auth/elevated-session/manager.ts | Adds core elevated-session manager with coalescing + retry logic. |
| resources/js/modules/auth/elevated-session/manager.test.ts | Adds unit tests for elevated-session manager behavior. |
| resources/js/modules/auth/elevated-session/index.ts | Provides legacy API adapter (Craft.elevatedSessionManager, Craft.ElevatedSessionForm) + mounting helper. |
| resources/js/modules/auth/elevated-session/index.test.ts | Tests legacy adapter mapping to the new manager. |
| resources/js/modules/auth/elevated-session/ElevatedSessionHost.vue | Adds modal host UI for elevated-session confirmation, including alternative login methods slot. |
| resources/js/modules/auth/elevated-session/ElevatedSessionHost.test.ts | Tests host rendering and success/cancel behavior. |
| resources/js/modules/auth/elevated-session/elevated-session-form.ts | Adds a modern replacement for legacy ElevatedSessionForm (input-diff detection + resubmit). |
| resources/js/modules/auth/elevated-session/elevated-session-form.test.ts | Tests elevated-session form diff detection and resubmission behavior. |
| resources/js/modules/auth/components/login/login-form.ts | Adds a focus() override to focus the appropriate field after rendering. |
| resources/js/legacy.ts | Mounts the elevated-session host for legacy CP pages. |
| resources/js/cp.ts | Ensures elevated-session module is included in the CP bundle. |
| resources/js/common/types/globals.d.ts | Broadens Craft.initUiElements typing to accept Element or JQuery. |
| resources/js/common/layouts/AppLayout.vue | Mounts ElevatedSessionHost for Inertia-based CP pages. |
| resources/js/common/components/HtmlFragmentRenderer.vue | Emits a rendered event after fragment injection and continues upgrading legacy UI elements. |
| packages/craftcms-legacy/cp/src/Craft.js | Removes legacy elevated-session JS imports in favor of the new implementation. |
| composer.json | Ensures the workbench build creates the SQLite DB before building. |
| CHANGELOG.md | Notes elevated-session prompt modernization and new login rate limiting. |
Contributor
Author
|
See #19238 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description