Manual auth in Laravel: password confirmation

#laravel #authentication

With the arrival of Laravel 8, new ways for authentication have been added to the Laravel ecosystem. Fortify, Jetstream and Breeze. Although these tools can save you a lot of time, often when you want something more complex they cost you more time.

Fortunately, Laravel allows you to add manual auth without the use of any package, just Laravel's core. In this series, we're going to learn how to add manual auth in Laravel.

These topics will be covered:

Registering
Signing in and signing out
Password confirmation
Email verification
Password reset

Note: For the examples in this series, I've chosen to use controllers and blade views. But you can also use other technologies, like Livewire or Inertia.js.

Getting started

First we'll create a controller to load a view:

// app/Http/Controllers/Auth/PasswordConfirmationController.php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;

class PasswordConfirmationController extends Controller
{
    public function show()
    {
        return view('auth.confirm-password');
    }

    public function handle()
    {
        // Handling the response
    }
}

Routing

Next, we'll add routes:

// routes/web.php

use App\Http\Controllers\Auth\PasswordConfirmationController;
use Illuminate\Support\Facades\Route;

Route::get('/confirm-password', [PasswordConfirmationController::class, 'show'])
    ->middleware('auth')
    ->name('password.confirm');

Route::post('/confirm-password', [PasswordConfirmationController::class, 'handle'])
    ->middleware('auth')
    ->name('password.confirm');

Views

After routing, we create a form for the user to fill in their password. For example:

<!-- resources/views/auth/confirm-password.blade.php -->

<h1>Confirm Password</h1>

<form  action="{{ route('password.confirm') }}" method="post">
    @csrf

    <!-- Password -->
    <label for="password">Password</label>
    <input type="password" name="password" id="password"  />

    <!-- Submit button -->
    <button type="submit">Confirm Password</button>
</form>

Controller logic

Finally, we'll add some code to the handle method:

First, we check if the password is correct:

// app/Http/Controllers/Auth/PasswordConfirmationController.php

use Illuminate\Support\Facades\Hash;

if (!Hash::check(request()->password, auth()->user()->password)) {
    return back()->withErrors(['password' => 'The provided password does not match our records.']);
}

If the password was correct, we will tell Laravel that the password was correct.

// app/Http/Controllers/Auth/PasswordConfirmationController.php

session()->passwordConfirmed();

Finally, we will redirect the user as intented after a success.

// app/Http/Controllers/Auth/PasswordConfirmationController.php

return redirect()->intended();

Conclusion

Where as registering and signing in and out does not use much of Laravel's authentication features, confirming a password does. However, you still have a lot of freedom as to how you want to implement it.

If you at some point couldn't follow the tutorial anymore, this is the finished Auth\PasswordConfirmationController:

<?php

// app/Http/Controller/Auth/PasswordConfirmationController.php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Hash;

class PasswordConfirmationController extends Controller
{
    public function show()
    {
        return view('auth.confirm-password');
    }

    public function handle()
    {
        if (!Hash::check(request()->password, auth()->user()->password)) {
            return back()->withErrors(['password' => 'The provided password does not match our records.']);
        }

        session()->passwordConfirmed();

        return redirect()->intended();
    }
}