From fc302a6667f9dcce53395d01d8e6ba752ea62955 Mon Sep 17 00:00:00 2001
From: Taylor Otwell
Date: Tue, 15 Nov 2016 10:59:50 -0600
Subject: [PATCH] Add AuthenticateSession middleware.
---
 src/Illuminate/Foundation/Http/Kernel.php | 1 +
 .../Middleware/AuthenticateSession.php | 88 +++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 src/Illuminate/Session/Middleware/AuthenticateSession.php
diff --git a/src/Illuminate/Foundation/Http/Kernel.php b/src/Illuminate/Foundation/Http/Kernel.php
index 2cccc5552c5e..4b8633dac7a0 100644
--- a/src/Illuminate/Foundation/Http/Kernel.php
+++ b/src/Illuminate/Foundation/Http/Kernel.php
@@ -75,6 +75,7 @@ class Kernel implements KernelContract
 \Illuminate\Session\Middleware\StartSession::class,
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
 \Illuminate\Auth\Middleware\Authenticate::class,
+ \Illuminate\Session\Middleware\AuthenticateSession::class,
 \Illuminate\Routing\Middleware\SubstituteBindings::class,
 \Illuminate\Auth\Middleware\Authorize::class,
 ];
diff --git a/src/Illuminate/Session/Middleware/AuthenticateSession.php b/src/Illuminate/Session/Middleware/AuthenticateSession.php
new file mode 100644
index 000000000000..9c657aecede2
--- /dev/null
+++ b/src/Illuminate/Session/Middleware/AuthenticateSession.php
@@ -0,0 +1,88 @@
+auth = $auth;
+ }
+
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ * @return mixed
+ */
+ public function handle($request, Closure $next)
+ {
+ if (! $request->user() || ! $request->session()) {
+ return $next($request);
+ }
+
+ if (! $request->session()->has('password_hash') && $this->auth->viaRemember()) {
+ $this->logout($request);
+ }
+
+ if (! $request->session()->has('password_hash')) {
+ $this->storePasswordHashInSession($request);
+ }
+
+ if ($request->session()->get('password_hash') !== $request->user()->password) {
+ $this->logout($request);
+ }
+
+ return tap($next($request), function () use ($request) {
+ $this->storePasswordHashInSession($request);
+ });
+ }
+
+ /**
+ * Store the user's current password hash in the session.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return void
+ */
+ protected function storePasswordHashInSession($request)
+ {
+ $request->session()->put([
+ 'password_hash' => $request->user()->password,
+ ]);
+ }
+
+ /**
+ * Log the user out of the application.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return void
+ *
+ * @throws \Illuminate\Auth\AuthenticationException
+ */
+ protected function logout($request)
+ {
+ $this->auth->logout();
+
+ $request->session()->flush();
+
+ throw new AuthenticationException;
+ }
+}
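Review bot: The pass-through guard at the top of handle() does not do what it intends: `! $request->session()` can never be true, because Illuminate's `Request::session()` throws a RuntimeException rather than returning null when no session store is attached, so an authenticated request without a session would fail with that exception instead of being skipped. The guard should test for the store's presence instead, `if (! $request->user() || ! $request->hasSession()) {`. Separately, both storePasswordHashInSession() and the comparison in handle() read `$request->user()->password` directly, which ties the middleware to a `password` column even though the user is only known to satisfy the Authenticatable contract; its `getAuthPassword()` accessor is the portable form, i.e. `'password_hash' => $request->user()->getAuthPassword(),` and `if ($request->session()->get('password_hash') !== $request->user()->getAuthPassword()) {`. The file's opening lines (namespace, imports and the constructor) are not visible in this chunk, so the type of `$this->auth` and the class declaration could not be checked.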