[6.x] Frontend Elevated Sessions (#14424)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>

Author: 3 people

config/users.php

@@ -181,6 +181,8 @@
 
     'elevated_session_duration' => 15,
 
+    'elevated_session_url' => null,
+
     /*
     |--------------------------------------------------------------------------
     | Two-Factor Authentication

lang/en/validation.php

@@ -169,6 +169,7 @@
     'date_fieldtype_time_required' => 'Time is required.',
     'duplicate_field_handle' => 'A field with a handle of :handle already exists.',
     'duplicate_uri' => 'Duplicate URI :value',
+    'elevated_session_resend_code_unavailable' => 'Resend code is only available for verification code method.',
     'elevated_session_verification_code' => 'The verification code is incorrect.',
     'email_available' => 'A user with this email already exists.',
     'fieldset_imported_recursively' => 'Fieldset :handle is being imported recursively.',

resources/js/pages/auth/ConfirmPassword.vue

@@ -1,11 +1,20 @@
+<script>
+import Outside from '@/pages/layout/Outside.vue';
+import Layout from '@/pages/layout/Layout.vue';
+
+export default {
+    layout: (h, page) => page.props.outside ? h(Outside, () => page) : h(Layout, () => page),
+};
+</script>
+
 <script setup>
 import Head from '@/pages/layout/Head.vue';
 import { AuthCard, Input, Field, Button, Description, ErrorMessage, Separator } from '@ui';
 import { computed } from 'vue';
 import { Form, router } from '@inertiajs/vue3';
 import { usePasskey } from '@/composables/passkey';
 
-const props = defineProps(['method', 'allowPasskey', 'status', 'submitUrl', 'resendUrl', 'passkeyOptionsUrl']);
+const props = defineProps(['method', 'allowPasskey', 'status', 'submitUrl', 'resendUrl', 'passkeyOptionsUrl', 'outside']);
 const isConfirmingPassword = computed(() => props.method === 'password_confirmation');
 const isUsingVerificationCode = computed(() => props.method === 'verification_code');
 const isOnlyUsingPasskey = computed(() => props.method === 'passkey');
@@ -45,7 +54,7 @@ async function confirmWithPasskey() {
 
                 <Button
                     v-if="isUsingVerificationCode"
-                    as="href"
+                    as="a"
                     class="flex-1"
                     :href="resendUrl"
                     :text="__('Resend code')"

routes/cp.php

@@ -445,8 +445,8 @@
 
     Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
     Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
-    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options');
-    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm');
+    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
+    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
     Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
 
     Route::get('playground', PlaygroundController::class)->name('playground');

routes/web.php

@@ -7,6 +7,7 @@
 use Statamic\Facades\OAuth;
 use Statamic\Facades\TwoFactor;
 use Statamic\Http\Controllers\ActivateAccountController;
+use Statamic\Http\Controllers\Auth\ElevatedSessionController;
 use Statamic\Http\Controllers\ForgotPasswordController;
 use Statamic\Http\Controllers\FormController;
 use Statamic\Http\Controllers\FrontendController;
@@ -53,6 +54,13 @@
             Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
             Route::post('password/reset', [ResetPasswordController::class, 'reset'])->middleware('throttle:statamic.auth')->name('password.reset.action');
 
+            Route::middleware('auth')->group(function () {
+                Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
+                Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
+                Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
+                Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+            });
+
             Route::group(['prefix' => 'passkeys'], function () {
                 Route::middleware('throttle:statamic.passkeys')->group(function () {
                     Route::get('options', [PasskeyLoginController::class, 'options'])->name('passkeys.options');

src/Auth/UserTags.php

@@ -738,6 +738,53 @@ public function notIn()
         return $in ? null : $this->parse();
     }
 
+    /**
+     * Output an elevated session form.
+     *
+     * Maps to {{ user:elevated_session_form }}
+     *
+     * @return string
+     */
+    public function elevatedSessionForm()
+    {
+        if (! ($user = User::current())) {
+            return;
+        }
+
+        $method = $user->getElevatedSessionMethod();
+
+        if ($method === 'verification_code') {
+            session()->sendElevatedSessionVerificationCodeIfRequired();
+        }
+
+        $data = [
+            ...$this->getFormSession('user.elevated_session'),
+            'method' => $method,
+            'allow_passkey' => $method !== 'verification_code' && $user->passkeys()->isNotEmpty(),
+            'resend_code_url' => route('statamic.elevated-session.resend-code'),
+            'passkey_options_url' => route('statamic.elevated-session.passkey-options'),
+            'submit_url' => route('statamic.elevated-session.confirm'),
+        ];
+
+        $action = route('statamic.elevated-session.confirm');
+        $method = 'POST';
+
+        if (! $this->canParseContents()) {
+            return array_merge([
+                'attrs' => $this->formAttrs($action, $method),
+                'params' => $this->formMetaPrefix($this->formParams($method)),
+            ], $data);
+        }
+
+        $html = $this->formOpen($action, $method);
+
+        $html .= $this->parse($data);
+
+        $html .= $this->formClose();
+
+        return $html;
+    }
+
     /**
      * {@inheritdoc}
      */

src/Exceptions/ElevatedSessionAuthorizationException.php

@@ -3,6 +3,7 @@
 namespace Statamic\Exceptions;
 
 use Illuminate\Http\Request;
+use Statamic\Statamic;
 
 class ElevatedSessionAuthorizationException extends \Exception
 {
@@ -13,8 +14,14 @@ public function __construct()
 
     public function render(Request $request)
     {
-        return $request->wantsJson()
-            ? response()->json(['message' => $this->getMessage()], 403)
-            : redirect()->setIntendedUrl($request->fullUrl())->to(cp_route('confirm-password'));
+        if ($request->wantsJson()) {
+            return response()->json(['message' => $this->getMessage()], 403);
+        }
+
+        $redirectUrl = Statamic::isCpRoute()
+            ? cp_route('confirm-password')
+            : route('statamic.elevated-session');
+
+        return redirect()->setIntendedUrl($request->fullUrl())->to($redirectUrl);
     }
 }

src/Http/Controllers/Auth/ElevatedSessionController.php

@@ -0,0 +1,153 @@
+<?php
+
+namespace Statamic\Http\Controllers\Auth;
+
+use Illuminate\Http\Exceptions\HttpResponseException;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\ValidationException;
+use Inertia\Inertia;
+use Statamic\Auth\WebAuthn\Serializer;
+use Statamic\Facades\User;
+use Statamic\Facades\WebAuthn;
+use Statamic\Http\Controllers\Controller;
+use Statamic\Http\Requests\Auth\ElevatedSessionConfirmationRequest;
+
+class ElevatedSessionController extends Controller
+{
+    public function showForm(Request $request)
+    {
+        if ($customUrl = config('statamic.users.elevated_session_url')) {
+            return redirect()->to($customUrl);
+        }
+
+        $user = User::current();
+        $method = $user->getElevatedSessionMethod();
+
+        if ($method === 'verification_code') {
+            session()->sendElevatedSessionVerificationCodeIfRequired();
+        }
+
+        return Inertia::render('auth/ConfirmPassword', [
+            'outside' => true,
+            'method' => $method,
+            'allowPasskey' => $method !== 'verification_code' && $user->passkeys()->isNotEmpty(),
+            'status' => session('status'),
+            'submitUrl' => route('statamic.elevated-session.confirm'),
+            'resendUrl' => route('statamic.elevated-session.resend-code'),
+            'passkeyOptionsUrl' => route('statamic.elevated-session.passkey-options'),
+        ]);
+    }
+
+    public function confirm(ElevatedSessionConfirmationRequest $request)
+    {
+        $user = User::current();
+
+        $this->validatePasswordConfirmation($request, $user);
+        $this->validateVerificationCodeConfirmation($request);
+        $this->validatePasskeyConfirmation($request, $user);
+
+        session()->elevate();
+
+        return $this->buildConfirmResponse($request, $user);
+    }
+
+    protected function buildConfirmResponse(Request $request, $user)
+    {
+        $message = $user->getElevatedSessionMethod() === 'password_confirmation'
+            ? __('Password confirmed')
+            : __('Code verified');
+
+        $redirect = redirect()->intended(route('statamic.site'));
+
+        if ($request->wantsJson()) {
+            return response()->json([
+                'elevated' => true,
+                'expiry' => $request->getElevatedSessionExpiry(),
+                'redirect' => $redirect->getTargetUrl(),
+            ]);
+        }
+
+        return $request->inertia()
+            ? Inertia::location($redirect->getTargetUrl())
+            : $redirect->with('success', $message);
+    }
+
+    public function options()
+    {
+        $options = WebAuthn::prepareAssertion();
+
+        return app(Serializer::class)->normalize($options);
+    }
+
+    public function resendCode()
+    {
+        if (User::current()->getElevatedSessionMethod() !== 'verification_code') {
+            throw ValidationException::withMessages([
+                'method' => __('statamic::validation.elevated_session_resend_code_unavailable'),
+            ]);
+        }
+
+        session()->sendElevatedSessionVerificationCode();
+
+        return back()->with('status', __('statamic::messages.elevated_session_verification_code_sent'));
+    }
+
+    private function validatePasswordConfirmation(Request $request, $user): void
+    {
+        if (! $request->filled('password')) {
+            return;
+        }
+
+        if (Hash::check($request->password, $user->password())) {
+            return;
+        }
+
+        $this->throwValidationException($request, [
+            'password' => [__('statamic::validation.current_password')],
+        ]);
+    }
+
+    private function validateVerificationCodeConfirmation(Request $request): void
+    {
+        if (! $request->filled('verification_code')) {
+            return;
+        }
+
+        $verificationCode = $request->verification_code;
+        $storedVerificationCode = $request->getElevatedSessionVerificationCode();
+
+        if (
+            is_string($verificationCode)
+            && is_string($storedVerificationCode)
+            && hash_equals($storedVerificationCode, $verificationCode)
+        ) {
+            return;
+        }
+
+        $this->throwValidationException($request, [
+            'verification_code' => [__('statamic::validation.elevated_session_verification_code')],
+        ]);
+    }
+
+    protected function throwValidationException(Request $request, array $errors): never
+    {
+        if ($request->wantsJson() || $request->inertia()) {
+            throw ValidationException::withMessages($errors);
+        }
+
+        throw new HttpResponseException(
+            back()->withInput()->withErrors($errors, 'user.elevated_session')
+        );
+    }
+
+    private function validatePasskeyConfirmation(Request $request, $user): void
+    {
+        if (! $request->filled('id')) {
+            return;
+        }
+
+        $credentials = $request->only(['id', 'rawId', 'response', 'type']);
+        WebAuthn::validateAssertion($user, $credentials);
+    }
+}