[6.x] Elevated Sessions #11688

duncanmcclean · 2025-04-10T16:04:18Z

This pull request introduces the concept of "elevated sessions", which prompts you for your password before allowing you to take certain actions. Similar to GitHub's sudo mode.

After "starting" an elevated session, you won't be prompted for your password again until the session expires. By default, elevated sessions last for 15 minutes.

For now, I've implemented this in front of the following actions:

Changing another user's password
Copying a password reset link
Updating permissions on a role
Impersonating a user

We'll also use this in #11664 before allowing you to view recovery codes, or deactivate 2FA on your account.

Extending

Addon developers can require elevated sessions in their code by applying the RequireElevatedSession middleware to applicable routes, and using the requireElevatedSession JS function.

Route::get('foo', [FooController::class, 'index'])
  ->middleware(RequireElevatedSession::class);

import { requireElevatedSession } from '@statamic';

methods: {
    submit() {
        requireElevatedSession()
            .then(() => this.actuallySubmit())
            .catch(() => {});
    },
    actuallySubmit() {
        // ...
    }
}

resources/js/components/users/ChangePassword.vue

Otherwise, `$user->password()` will error out when storing users in a database.

…rd. When you update your own you have to enter your own password anyway.

If we want to use that for reasons other than testing, a timestamp is more accurate.

- When middleware is on a route that is accessed directly, redirect to a form page. - Middleware throws an exception - The exception will render json or perform appropriate redirect - Middleware test uses an actual route so redirects can be tested

…checking ... Say you have the expiration set to 1 hour. Someone elevates. Their expiry is 1 hour in the future. You change the config to 15 minutes. The user is still elevated for the whole hour. This change allows the config to be changed and existing sessions will comply.

This was added to confirm passwords while impersonating. If you have permission to impersonate anyway, it's not really preventing anything.

…son. Update test expectation.

duncanmcclean added 16 commits April 10, 2025 15:59

Elevated Sessions

480f357

Require elevated session before changing another user's password

5752f1c

Add ability for actions to require elevated sessions

d2bb314

Require elevated session before copying password reset link

6f050e2

Require elevated session when updating permissions on a role

094a928

wip

7912a02

Improve how we enforce elevated sessions on the backend

dc08871

Update tests

d351866

Include user ID in session key

9d2f48c

Rename session key

552556c

Pint

b4be28d

Wordsmithing.

6d8ecad

Merge remote-tracking branch 'origin/master' into elevated-sessions

d501c9b

Wire up elevated session modal

de6fcda

Catch promise returned by this.requireElevatedSession

8b33826

Merge remote-tracking branch 'origin/master' into elevated-sessions

526d61c

duncanmcclean commented Apr 24, 2025

View reviewed changes

resources/js/components/users/ChangePassword.vue Show resolved Hide resolved

duncanmcclean added 2 commits April 24, 2025 16:26

Prettier

2cb53ba

Make sure we're dealing with a Statamic user instance

3cdd919

Otherwise, `$user->password()` will error out when storing users in a database.

duncanmcclean mentioned this pull request Apr 24, 2025

[6.x] Two-Factor Authentication #11664

Merged

jasonvarga added 10 commits April 24, 2025 17:08

nitpick

df56f84

Don't require passing request in

468298d

nitpick

8b3ef5b

Only require elevated session if you're updating someone elses passwo…

5608ddb

…rd. When you update your own you have to enter your own password anyway.

Use expiry instead of diff ...

ed62949

If we want to use that for reasons other than testing, a timestamp is more accurate.

Use macros to clean up and colocate logic

9b77e29

group tests so they can be run together

b9eaf43

Including user ids in session key is not necessary.

91e5def

This was added to confirm passwords while impersonating. If you have permission to impersonate anyway, it's not really preventing anything.

jasonvarga added 7 commits April 25, 2025 10:48

Nitpick

6f00df2

Require elevated session for impersonation

31b59e3

We now have a better dedicated exception. Test should be performing j…

982926c

…son. Update test expectation.

Show toast if elevated session was not completed when saving role

9ad7c76

Add a convenience method

15aae20

Move away from mixins so its usable in composition api

5b34928

Expose

0642163

jasonvarga marked this pull request as ready for review April 25, 2025 16:13

jasonvarga merged commit 74adbaf into master Apr 25, 2025
19 checks passed

jasonvarga deleted the elevated-sessions branch April 25, 2025 16:14

duncanmcclean mentioned this pull request Apr 28, 2025

[6.x] Elevated Sessions (continued) #11744

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[6.x] Elevated Sessions #11688

[6.x] Elevated Sessions #11688

Uh oh!

duncanmcclean commented Apr 10, 2025 •

edited by jasonvarga

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[6.x] Elevated Sessions #11688

[6.x] Elevated Sessions #11688

Uh oh!

Conversation

duncanmcclean commented Apr 10, 2025 • edited by jasonvarga Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Extending

Uh oh!

Uh oh!

Uh oh!

Uh oh!

duncanmcclean commented Apr 10, 2025 •

edited by jasonvarga

Loading