Skip to content

[6.x] Modernize elevated session confirmation#19237

Closed
riasvdv wants to merge 5 commits into
6.xfrom
feature/elevated-sessions
Closed

[6.x] Modernize elevated session confirmation#19237
riasvdv wants to merge 5 commits into
6.xfrom
feature/elevated-sessions

Conversation

@riasvdv

@riasvdv riasvdv commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Description

  • Replace the legacy elevated-session prompt with a Vue host shared by Inertia and legacy control-panel pages.
  • Centralize password-confirmation preflight and 423 retry handling across settings, GraphQL, permissions, and sign-in-provider actions.
  • Add Laravel-native confirmed-password middleware and login rate limiting while preserving the legacy JavaScript APIs.
  • Preserve alternative login-method HTML fragments and initialize their legacy UI assets after rendering.
  • Fix the Testbench workbench SQLite, session, and asset setup used for local browser testing.

@riasvdv riasvdv changed the title Modernize elevated session confirmation [6.x] Modernize elevated session confirmation Jul 10, 2026
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown

📚 Storybook previews

@craftcms/cpopen Storybook

No changed components detected in this Storybook.

resources/jsopen Storybook

No changed components detected in this Storybook.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modernizes Craft CMS’s elevated-session (password re-confirmation) flow by replacing the legacy prompt with a Vue-based host that works across both Inertia and legacy CP pages, while also centralizing 423-based retry handling and adding login rate limiting.

Changes:

  • Introduces a Vue elevated-session host + manager, and wires it into both Inertia (AppLayout) and legacy CP bootstrapping.
  • Adds a Laravel-native confirmed-password middleware and a new users/confirm-password action to power a unified preflight/423 flow across settings and OAuth connect/disconnect.
  • Adds login rate limiting infrastructure (named limiter + tests) and updates workbench/Testbench setup for local browser testing.

Reviewed changes

Copilot reviewed 42 out of 43 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
workbench/.env.example Updates workbench env defaults (SQLite + DB-backed sessions).
tests/Feature/Http/Middleware/RequireConfirmedPasswordTest.php Adds coverage for the new password-confirm middleware behavior and timeout semantics.
tests/Feature/Http/Controllers/User/SignInProvidersControllerTest.php Updates sign-in provider connect/disconnect tests to use JSON POST + 423 handling.
tests/Feature/Http/Controllers/Auth/SessionInfoControllerTest.php Adds coverage for confirmPassword preflight responses, validation, and alt login methods capture.
tests/Feature/Http/Controllers/Auth/LoginControllerTest.php Adds rate-limit tests and verifies clearing on successful login.
tests/Feature/Auth/Concerns/ConfirmsPasswordsTest.php Aligns expected status to 423 and asserts consistent default password timeout.
testbench.yaml Adjusts workbench asset sync source to cms-assets/resources.
src/Route/RouteServiceProvider.php Registers the named login rate limiter and aliases password.confirm middleware.
src/Http/Middleware/RequireConfirmedPassword.php Adds Laravel middleware wrapper for requiring a confirmed password.
src/Http/Controllers/Users/SignInProvidersController.php Switches OAuth connect to JSON-returned URL + 422/423 semantics.
src/Http/Controllers/Users/PermissionsController.php Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow.
src/Http/Controllers/Settings/Users/UserGroupsController.php Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow.
src/Http/Controllers/Gql/TokensController.php Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow.
src/Http/Controllers/Gql/SchemasController.php Removes legacy ElevatedSessionForm JS injection in favor of the new centralized flow.
src/Http/Controllers/Auth/SessionInfoController.php Adds confirmPassword endpoint that returns confirmation status + alternative login fragments.
src/Http/Controllers/Auth/LoginController.php Injects LoginRateLimiter and clears attempts after valid credentials.
src/Auth/LoginRateLimiter.php Adds named limiter definition + keying/clearing behavior.
src/Auth/Concerns/ConfirmsPasswords.php Standardizes duration logic and changes denial status from 403 → 423.
routes/cp.php Adds throttle middleware to CP login POST and changes provider connect route to POST.
routes/actions.php Adds users/confirm-password action route (auth + CP access).
resources/js/pages/users/SignInProviders.vue Uses the elevated-session manager + JSON connect flow and adds per-provider loading state.
resources/js/pages/users/Permissions.vue Requires password confirmation only when sensitive fields actually changed.
resources/js/pages/settings/users/groups/Edit.vue Adds password-confirm integration for permission changes.
resources/js/pages/graphql/tokens/Edit.vue Adds password-confirm integration (always required) and uses elevated-session manager for token reveal.
resources/js/pages/graphql/schemas/Edit.vue Adds password-confirm integration for schema permission changes.
resources/js/modules/settings/composables/useSettingsSave.ts Centralizes preflight + 423 retry behavior around elevated sessions for settings saves.
resources/js/modules/auth/elevated-session/manager.ts Adds core elevated-session manager with coalescing + retry logic.
resources/js/modules/auth/elevated-session/manager.test.ts Adds unit tests for elevated-session manager behavior.
resources/js/modules/auth/elevated-session/index.ts Provides legacy API adapter (Craft.elevatedSessionManager, Craft.ElevatedSessionForm) + mounting helper.
resources/js/modules/auth/elevated-session/index.test.ts Tests legacy adapter mapping to the new manager.
resources/js/modules/auth/elevated-session/ElevatedSessionHost.vue Adds modal host UI for elevated-session confirmation, including alternative login methods slot.
resources/js/modules/auth/elevated-session/ElevatedSessionHost.test.ts Tests host rendering and success/cancel behavior.
resources/js/modules/auth/elevated-session/elevated-session-form.ts Adds a modern replacement for legacy ElevatedSessionForm (input-diff detection + resubmit).
resources/js/modules/auth/elevated-session/elevated-session-form.test.ts Tests elevated-session form diff detection and resubmission behavior.
resources/js/modules/auth/components/login/login-form.ts Adds a focus() override to focus the appropriate field after rendering.
resources/js/legacy.ts Mounts the elevated-session host for legacy CP pages.
resources/js/cp.ts Ensures elevated-session module is included in the CP bundle.
resources/js/common/types/globals.d.ts Broadens Craft.initUiElements typing to accept Element or JQuery.
resources/js/common/layouts/AppLayout.vue Mounts ElevatedSessionHost for Inertia-based CP pages.
resources/js/common/components/HtmlFragmentRenderer.vue Emits a rendered event after fragment injection and continues upgrading legacy UI elements.
packages/craftcms-legacy/cp/src/Craft.js Removes legacy elevated-session JS imports in favor of the new implementation.
composer.json Ensures the workbench build creates the SQLite DB before building.
CHANGELOG.md Notes elevated-session prompt modernization and new login rate limiting.

Comment thread resources/js/modules/auth/elevated-session/manager.ts
Comment thread resources/js/pages/settings/users/groups/Edit.vue
Comment thread resources/js/pages/graphql/schemas/Edit.vue
Comment thread resources/js/modules/auth/elevated-session/ElevatedSessionHost.vue
Comment thread resources/js/modules/auth/elevated-session/ElevatedSessionHost.vue Outdated
Comment thread resources/js/modules/auth/elevated-session/ElevatedSessionHost.vue
Comment thread routes/actions.php
@riasvdv riasvdv requested a review from brianjhanson July 10, 2026 18:56
@riasvdv

riasvdv commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

See #19238

@riasvdv riasvdv closed this Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants