Merge pull request #4053 from angelej/global-password-policy

Remove deprecated fortify password policy and add a stricter one

app/Actions/Fortify/CreateNewUser.php

@@ -6,12 +6,11 @@ use App\Models\User;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\Rule;
+use Illuminate\Validation\Rules\Password;
 use Laravel\Fortify\Contracts\CreatesNewUsers;
 
 class CreateNewUser implements CreatesNewUsers
 {
-    use PasswordValidationRules;
-
     /**
      * Validate and create a newly registered user.
      *
@@ -32,7 +31,7 @@ class CreateNewUser implements CreatesNewUsers
                 'max:255',
                 Rule::unique(User::class),
             ],
-            'password' => $this->passwordRules(),
+            'password' => ['required', Password::defaults(), 'confirmed'],
         ])->validate();
 
         if (User::count() == 0) {

app/Actions/Fortify/PasswordValidationRules.php

@@ -1,18 +0,0 @@
-<?php
-
-namespace App\Actions\Fortify;
-
-use Laravel\Fortify\Rules\Password;
-
-trait PasswordValidationRules
-{
-    /**
-     * Get the validation rules used to validate passwords.
-     *
-     * @return array<int, \Illuminate\Contracts\Validation\Rule|array|string>
-     */
-    protected function passwordRules(): array
-    {
-        return ['required', 'string', new Password, 'confirmed'];
-    }
-}

app/Actions/Fortify/ResetUserPassword.php

@@ -5,12 +5,11 @@ namespace App\Actions\Fortify;
 use App\Models\User;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Validator;
+use Illuminate\Validation\Rules\Password;
 use Laravel\Fortify\Contracts\ResetsUserPasswords;
 
 class ResetUserPassword implements ResetsUserPasswords
 {
-    use PasswordValidationRules;
-
     /**
      * Validate and reset the user's forgotten password.
      *
@@ -19,7 +18,7 @@ class ResetUserPassword implements ResetsUserPasswords
     public function reset(User $user, array $input): void
     {
         Validator::make($input, [
-            'password' => $this->passwordRules(),
+            'password' => ['required', Password::defaults(), 'confirmed'],
         ])->validate();
 
         $user->forceFill([

app/Actions/Fortify/UpdateUserPassword.php

@@ -5,12 +5,11 @@ namespace App\Actions\Fortify;
 use App\Models\User;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Validator;
+use Illuminate\Validation\Rules\Password;
 use Laravel\Fortify\Contracts\UpdatesUserPasswords;
 
 class UpdateUserPassword implements UpdatesUserPasswords
 {
-    use PasswordValidationRules;
-
     /**
      * Validate and update the user's password.
      *
@@ -20,7 +19,7 @@ class UpdateUserPassword implements UpdatesUserPasswords
     {
         Validator::make($input, [
             'current_password' => ['required', 'string', 'current_password:web'],
-            'password' => $this->passwordRules(),
+            'password' => ['required', Password::defaults(), 'confirmed'],
         ], [
             'current_password.current_password' => __('The provided password does not match your current password.'),
         ])->validateWithBag('updatePassword');

app/Livewire/ForcePasswordReset.php

@@ -4,6 +4,7 @@ namespace App\Livewire;
 
 use DanHarrin\LivewireRateLimiting\WithRateLimiting;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\Rules\Password;
 use Livewire\Component;
 
 class ForcePasswordReset extends Component
@@ -16,11 +17,13 @@ class ForcePasswordReset extends Component
 
     public string $password_confirmation;
 
-    protected $rules = [
-        'email' => 'required|email',
-        'password' => 'required|min:8',
-        'password_confirmation' => 'required|same:password',
-    ];
+    public function rules(): array
+    {
+        return [
+            'email' => ['required', 'email'],
+            'password' => ['required', Password::defaults(), 'confirmed'],
+        ];
+    }
 
     public function mount()
     {

app/Livewire/Profile/Index.php

@@ -3,6 +3,7 @@
 namespace App\Livewire\Profile;
 
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\Rules\Password;
 use Livewire\Attributes\Validate;
 use Livewire\Component;
 
@@ -48,9 +49,8 @@ class Index extends Component
     {
         try {
             $this->validate([
-                'current_password' => 'required',
-                'new_password' => 'required|min:8',
-                'new_password_confirmation' => 'required|min:8|same:new_password',
+                'current_password' => ['required'],
+                'new_password' => ['required', Password::defaults(), 'confirmed'],
             ]);
             if (! Hash::check($this->current_password, auth()->user()->password)) {
                 $this->dispatch('error', 'Current password is incorrect.');

app/Providers/AppServiceProvider.php

@@ -5,6 +5,7 @@ namespace App\Providers;
 use App\Models\PersonalAccessToken;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Support\ServiceProvider;
+use Illuminate\Validation\Rules\Password;
 use Laravel\Sanctum\Sanctum;
 
 class AppServiceProvider extends ServiceProvider
@@ -15,6 +16,14 @@ class AppServiceProvider extends ServiceProvider
     {
         Sanctum::usePersonalAccessTokenModel(PersonalAccessToken::class);
 
+        Password::defaults(function () {
+            $rule = Password::min(8);
+
+            return $this->app->isProduction()
+                ? $rule->mixedCase()->letters()->numbers()->symbols()
+                : $rule;
+        });
+
         Http::macro('github', function (string $api_url, ?string $github_access_token = null) {
             if ($github_access_token) {
                 return Http::withHeaders([