laravel · gdebrauwer · May 10, 2024 · May 10, 2024 · May 10, 2024 · May 10, 2024
diff --git a/src/Bridge/UserRepository.php b/src/Bridge/UserRepository.php
@@ -3,6 +3,7 @@
 namespace Laravel\Passport\Bridge;
 
 use Illuminate\Contracts\Hashing\Hasher;
+use Illuminate\Support\Facades\Auth;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use RuntimeException;
@@ -16,15 +17,24 @@ class UserRepository implements UserRepositoryInterface
      */
     protected $hasher;
 
+    /**
+     * Indicates if passwords should be rehashed on login if needed.
+     *
+     * @var bool
+     */
+    protected $rehashOnLogin;
+
     /**
      * Create a new repository instance.
      *
      * @param  \Illuminate\Contracts\Hashing\Hasher  $hasher
+     * @param  bool  $rehashOnLogin
      * @return void
      */
-    public function __construct(Hasher $hasher)
+    public function __construct(Hasher $hasher, bool $rehashOnLogin = true)
     {
         $this->hasher = $hasher;
+        $this->rehashOnLogin = $rehashOnLogin;
     }
 
     /**
@@ -64,6 +74,10 @@ public function getUserEntityByUserCredentials($username, $password, $grantType,
             return;
         }
 
+        if ($this->rehashOnLogin && method_exists(Auth::createUserProvider($provider), 'rehashPasswordIfRequired')) {
+            Auth::createUserProvider($provider)->rehashPasswordIfRequired($user, ['password' => $password]);
+        }
+
         return new User($user->getAuthIdentifier());
     }
 }
diff --git a/src/PassportServiceProvider.php b/src/PassportServiceProvider.php
@@ -231,7 +231,9 @@ protected function makeRefreshTokenGrant()
     protected function makePasswordGrant()
     {
         $grant = new PasswordGrant(
-            $this->app->make(Bridge\UserRepository::class),
+            $this->app->make(Bridge\UserRepository::class, [
+                'rehashOnLogin' => $this->app['config']->get('hashing.rehash_on_login', true),
+            ]),
             $this->app->make(Bridge\RefreshTokenRepository::class)
         );
 

diff --git a/tests/Feature/AccessTokenControllerTest.php b/tests/Feature/AccessTokenControllerTest.php
@@ -4,6 +4,7 @@
 
 use Carbon\CarbonImmutable;
 use Illuminate\Contracts\Hashing\Hasher;
+use Illuminate\Foundation\Application;
 use Laravel\Passport\Client;
 use Laravel\Passport\Database\Factories\ClientFactory;
 use Laravel\Passport\Passport;
@@ -274,6 +275,80 @@ public function testGettingCustomResponseType()
         $this->assertArrayHasKey('id_token', $decodedResponse);
         $this->assertSame('foo_bar_open_id_token', $decodedResponse['id_token']);
     }
+
+    public function testRehashPasswordOnLoginWithPasswordGrant()
+    {
+        if (version_compare(Application::VERSION, '11.0.0', '<')) {
+            $this->markTestSkipped('Only on Laravel 11 and later');
+        }
+
+        $this->withoutExceptionHandling();
+
+        $this->app['config']->set('hashing.rehash_on_login', true);
+
+        Passport::enablePasswordGrant();
+
+        $password = 'foobar123';
+        $user = UserFactory::new()->create([
+            'email' => '[email protected]',
+            'password' => $this->app->make(Hasher::class)->make($password, ['rounds' => 6]),
+        ]);
+
+        /** @var Client $client */
+        $client = ClientFactory::new()->asPasswordClient()->create(['user_id' => $user->getKey()]);
+
+        $response = $this->post(
+            '/oauth/token',
+            [
+                'grant_type' => 'password',
+                'client_id' => $client->getKey(),
+                'client_secret' => $client->secret,
+                'username' => $user->email,
+                'password' => $password,
+            ]
+        );
+
+        $response->assertOk();
+
+        $this->assertNotSame($user->password, $user->fresh()->password);
+    }
+
+    public function testNoRehashPasswordOnLoginWithPasswordGrant()
+    {
+        if (version_compare(Application::VERSION, '11.0.0', '<')) {
+            $this->markTestSkipped('Only on Laravel 11 and later');
+        }
+
+        $this->withoutExceptionHandling();
+
+        $this->app['config']->set('hashing.rehash_on_login', false);
+
+        Passport::enablePasswordGrant();
+
+        $password = 'foobar123';
+        $user = UserFactory::new()->create([
+            'email' => '[email protected]',
+            'password' => $this->app->make(Hasher::class)->make($password, ['rounds' => 6]),
+        ]);
+
+        /** @var Client $client */
+        $client = ClientFactory::new()->asPasswordClient()->create(['user_id' => $user->getKey()]);
+
+        $response = $this->post(
+            '/oauth/token',
+            [
+                'grant_type' => 'password',
+                'client_id' => $client->getKey(),
+                'client_secret' => $client->secret,
+                'username' => $user->email,
+                'password' => $password,
+            ]
+        );
+
+        $response->assertOk();
+
+        $this->assertSame($user->password, $user->fresh()->password);
+    }
 }
 
 class IdTokenResponse extends \League\OAuth2\Server\ResponseTypes\BearerTokenResponse