Failing re-authentication based on Fortify::confirmPasswordsUsing

[acharseth]

I have an application where I need to support re-authentication for one action. I am trying to implementing this by using the Jetstream Confirm Password functionality like this:

Blade file:

<x-confirms-password wire:then="changeOwner($event.target.value)">
    <x-button type="button" wire:loading.attr="disabled">
        {{ __('Take over ownership') }}
    </x-button>
</x-confirms-password> 

Livewire component:

public function changeOwner($rcId)
{
    ...
}

This will open a window which performs a re-authentication on the user.
This re-authentication fails however.
I have been able to get one step further by adding the following callback function in AuthServiceProvider:

    Fortify::confirmPasswordsUsing(function ($request) {         
        $userId=auth()->user()->userid;
        
        $validated = Auth::validate([
            'samaccountname' => $userId,
            'password' => $request->password, 

            'fallback' => [
                'userid' => $userId,
                'password' => $request->password,                   
            ],
            
        ]);
        $valStr=$validated ? 'true' : 'false';
        self::uaUidLog(LogType::Info, __CLASS__, $userId, "(Re)Auth validation: $valStr");
        return $validated ? Auth::getLastAttempted() : null;
    });   

This re-authentication still fails however on the validation with the following error message:

[2024-04-11T16:14:02.574092+02:00] test-mock.INFO: {"from":"App\Providers\AuthServiceProvider","userId":"myUserId","ip":"10.10.10.10"} (Re)Auth validation: false
What am I doing wrong?

I notice that confirmPasswordUsing() is missing in LdapUserAuthentication and have tried to add it like this:

/**
 * Set the callback to use for authenticating users.
 */
public function confirmPasswordsUsing(Closure $authenticator): static
{
    $this->authenticator = $authenticator;

    return $this;
}

This did not help though and I am not sure it is necessary since my new call back function do get called without this.

Anything else I need to do?

[acharseth]

How can I get logged the actual bind call so that I can check if there is something wrong (different from ordinary log in working fine)?

[stevebauman]

Hi @acharseth,

I just pushed out an update that will allow you to retrieve the BindException from the bind failure that occurs during this process.

Run composer update, then once complete, register a listener on the LdapRecord Failed auth event before calling Auth::validate():

use LdapRecord\Container;
use LdapRecord\Auth\Events\Failed;

$dispatcher = Container::getDispatcher();

$dispatcher->listen(Failed::class, function (Failed $event) {
    $exception = $event->getException(); // \LdapRecord\Auth\BindException

    $error = $exception->getDetailedError(); // \LdapRecord\DetailedError

    // Do something with the error values:
    $error->getErrorCode(); // int
    $error->getErrorMessage(); // string
    $error->getDiagnosticMessage(): // ?string
});

Give that a shot!

[acharseth]

Thanks a lot! Does it work with Laravel 10? Arne fre. 12. apr. 2024 kl. 18:03 skrev Steve Bauman ***@***.***>:

…

Hi @acharseth <https://github.com/acharseth>, I just pushed out an update that will allow you to retrieve the BindException from the bind failure that occurs during this process. Run composer update, then once complete, register a listener on the LdapRecord Failed auth event before calling Auth::validate(): use LdapRecord\Container;use LdapRecord\Auth\Events\Failed; $dispatcher = Container::getDispatcher(); $dispatcher->listen(Failed::class, function (Failed $event) { $exception = $event->getException(); // \LdapRecord\Auth\BindException $error = $exception->getDetailedError(); // \LdapRecord\DetailedError // Do something with the error values: $error->getErrorCode(); // int $error->getErrorMessage(); // string $error->getDiagnosticMessage(): // ?string }); Give that a shot! — Reply to this email directly, view it on GitHub <#646 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEBE7I5J46X42ZFRQUWEFALY5AAUBAVCNFSM6AAAAABGEIIAYSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TAOJXHEZTM> . You are receiving this because you were mentioned.Message ID: <DirectoryTree/LdapRecord-Laravel/repo-discussions/646/comments/9097936@ github.com>

[stevebauman]

Yup this was pushed in the core LdapRecord repo, so its compatible with Laravel 8 to 11 👍

[acharseth]

I updated LdapRecord and added the debug info you suggested. This gave me the following information:

Invalid credentials (80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563)

This unfortunately does not make me any wiser.
I then included the password found with $request->password in a log entry in confirmPasswordsUsing() and notice that it is not the password provided and is the same no matter what password I enter (but with ordinary login I do get the entered password in the log entry from similar logging in authenticateUsing()). So it seems to me that I need to find another way to retrieve the password entered.

[acharseth]

... and true, this could be because with reauthentication the Livewire password field is called confirmablePassword.
Unfortunately this field is empty and I therefore get the following error message:

LdapRecord\\Auth\\Guard::attempt(): Argument #2 ($password) must be of type string, null given, called in /var/www/my-app/releases/14/vendor/directorytree/ldaprecord-laravel/src/LdapUserAuthenticator.php on line 45 at /var/www/my-app/releases/14/vendor/directorytree/ldaprecord/src/Auth/Guard.php:42)"} LdapRecord\Auth\Guard::attempt(): Argument #2 ($password) must be of type string, null given, called in /var/www/my-app/releases/14/vendor/directorytree/ldaprecord-laravel/src/LdapUserAuthenticator.php on line 45