Add support for password confirmation middleware.

routes/routes.php

@@ -84,6 +84,14 @@
                     ->middleware(['auth']);
     }
 
+    // Password Verification...
+    Route::get('/user/password/verify', 'VerifyPasswordController@show')
+                    ->middleware(['auth'])
+                    ->name('password.confirm');
+
+    Route::post('/user/password/verify', 'VerifyPasswordController@store')
+                    ->middleware(['auth']);
+
     // Two Factor Authentication...
     if (Features::enabled(Features::twoFactorAuthentication())) {
         Route::post('/user/two-factor-authentication', 'TwoFactorAuthenticationController@store')

src/Contracts/FailedPasswordVerifyResponse.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Laravel\Fortify\Contracts;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface FailedPasswordVerifyResponse extends Responsable
+{
+    //
+}

src/Contracts/PasswordVerifiedResponse.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Laravel\Fortify\Contracts;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface PasswordVerifiedResponse extends Responsable
+{
+    //
+}

src/Contracts/VerifyPasswordViewResponse.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Laravel\Fortify\Contracts;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface VerifyPasswordViewResponse extends Responsable
+{
+    //
+}

src/Fortify.php

@@ -116,6 +116,19 @@ public static function verifyEmailView($view)
         });
     }
 
+    /**
+     * Specify which view should be used as the password verification prompt.
+     *
+     * @param  string  $view
+     * @return void
+     */
+    public static function verifyPasswordView($view)
+    {
+        app()->singleton(VerifyPasswordViewResponse::class, function () use ($view) {
+            return new SimpleViewResponse($view);
+        });
+    }
+
     /**
      * Specify which view should be used as the request password reset link view.
      *

src/FortifyServiceProvider.php

@@ -8,19 +8,23 @@
 use Illuminate\Support\ServiceProvider;
 use Laravel\Fortify\Contracts\FailedPasswordResetLinkRequestResponse as FailedPasswordResetLinkRequestResponseContract;
 use Laravel\Fortify\Contracts\FailedPasswordResetResponse as FailedPasswordResetResponseContract;
+use Laravel\Fortify\Contracts\FailedPasswordVerifyResponse as FailedPasswordVerifyResponseContract;
 use Laravel\Fortify\Contracts\LockoutResponse as LockoutResponseContract;
 use Laravel\Fortify\Contracts\LoginResponse as LoginResponseContract;
 use Laravel\Fortify\Contracts\LogoutResponse as LogoutResponseContract;
 use Laravel\Fortify\Contracts\PasswordResetResponse as PasswordResetResponseContract;
+use Laravel\Fortify\Contracts\PasswordVerifiedResponse as PasswordVerifiedResponseContract;
 use Laravel\Fortify\Contracts\RegisterResponse as RegisterResponseContract;
 use Laravel\Fortify\Contracts\SuccessfulPasswordResetLinkRequestResponse as SuccessfulPasswordResetLinkRequestResponseContract;
 use Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider as TwoFactorAuthenticationProviderContract;
 use Laravel\Fortify\Http\Responses\FailedPasswordResetLinkRequestResponse;
 use Laravel\Fortify\Http\Responses\FailedPasswordResetResponse;
+use Laravel\Fortify\Http\Responses\FailedPasswordVerifyResponse;
 use Laravel\Fortify\Http\Responses\LockoutResponse;
 use Laravel\Fortify\Http\Responses\LoginResponse;
 use Laravel\Fortify\Http\Responses\LogoutResponse;
 use Laravel\Fortify\Http\Responses\PasswordResetResponse;
+use Laravel\Fortify\Http\Responses\PasswordVerifiedResponse;
 use Laravel\Fortify\Http\Responses\RegisterResponse;
 use Laravel\Fortify\Http\Responses\SuccessfulPasswordResetLinkRequestResponse;
 
@@ -62,6 +66,8 @@ protected function registerResponseBindings()
         $this->app->singleton(FailedPasswordResetLinkRequestResponseContract::class, FailedPasswordResetLinkRequestResponse::class);
         $this->app->singleton(PasswordResetResponseContract::class, PasswordResetResponse::class);
         $this->app->singleton(FailedPasswordResetResponseContract::class, FailedPasswordResetResponse::class);
+        $this->app->singleton(PasswordVerifiedResponseContract::class, PasswordVerifiedResponse::class);
+        $this->app->singleton(FailedPasswordVerifyResponseContract::class, FailedPasswordVerifyResponse::class);
     }
 
     /**

src/Http/Controllers/VerifyPasswordController.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace Laravel\Fortify\Http\Controllers;
+
+use Illuminate\Contracts\Auth\StatefulGuard;
+use Illuminate\Contracts\Support\Responsable;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Laravel\Fortify\Contracts\FailedPasswordVerifyResponse;
+use Laravel\Fortify\Contracts\PasswordVerifiedResponse;
+use Laravel\Fortify\Contracts\VerifyPasswordViewResponse;
+
+class VerifyPasswordController extends Controller
+{
+    /**
+     * The guard implementation.
+     *
+     * @var \Illuminate\Contracts\Auth\StatefulGuard
+     */
+    protected $guard;
+
+    /**
+     * Create a new controller instance.
+     *
+     * @param  \Illuminate\Contracts\Auth\StatefulGuard
+     * @return void
+     */
+    public function __construct(StatefulGuard $guard)
+    {
+        $this->guard = $guard;
+    }
+
+    /**
+     * Show the verify password view.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Laravel\Fortify\Contracts\VerifyPasswordViewResponse
+     */
+    public function show(Request $request, VerifyPasswordViewResponse $response): VerifyPasswordViewResponse
+    {
+        return $response;
+    }
+
+    /**
+     * Verify the user's password.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Illuminate\Contracts\Support\Responsable
+     */
+    public function store(Request $request): Responsable
+    {
+        $username = config('fortify.username');
+
+        if ($status = $this->guard->validate([
+            $username => $request->user()->{$username},
+            'password' => $request->input('password'),
+        ])) {
+            $request->session()->put('auth.password_confirmed_at', time());
+        }
+
+        return $status
+                    ? app(PasswordVerifiedResponse::class)
+                    : app(FailedPasswordVerifyResponse::class);
+    }
+}

src/Http/Responses/FailedPasswordVerifyResponse.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Laravel\Fortify\Http\Responses;
+
+use Illuminate\Http\Response;
+use Illuminate\Validation\ValidationException;
+use Laravel\Fortify\Contracts\FailedPasswordVerifyResponse as FailedPasswordVerifyResponseContract;
+
+class FailedPasswordVerifyResponse implements FailedPasswordVerifyResponseContract
+{
+    /**
+     * Create an HTTP response that represents the object.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    public function toResponse($request)
+    {
+        $message = __('The provided password was incorrect.');
+
+        if ($request->wantsJson()) {
+            throw ValidationException::withMessages([
+                'password' => [$message],
+            ]);
+        }
+
+        return redirect()->back()->withErrors(['password' => $message]);
+    }
+}

src/Http/Responses/PasswordVerifiedResponse.php

@@ -0,0 +1,22 @@
+<?php
+
+namespace Laravel\Fortify\Http\Responses;
+
+use Illuminate\Http\Response;
+use Laravel\Fortify\Contracts\PasswordVerifiedResponse as PasswordVerifiedResponseContract;
+
+class PasswordVerifiedResponse implements PasswordVerifiedResponseContract
+{
+    /**
+     * Create an HTTP response that represents the object.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    public function toResponse($request)
+    {
+        return $request->wantsJson()
+                    ? new Response('', 201)
+                    : redirect()->intended(config('fortify.home'));
+    }
+}

src/Http/Responses/SimpleViewResponse.php

@@ -8,14 +8,16 @@
 use Laravel\Fortify\Contracts\ResetPasswordViewResponse;
 use Laravel\Fortify\Contracts\TwoFactorChallengeViewResponse;
 use Laravel\Fortify\Contracts\VerifyEmailViewResponse;
+use Laravel\Fortify\Contracts\VerifyPasswordViewResponse;
 
 class SimpleViewResponse implements
     LoginViewResponse,
     ResetPasswordViewResponse,
     RegisterViewResponse,
     RequestPasswordResetLinkViewResponse,
     TwoFactorChallengeViewResponse,
-    VerifyEmailViewResponse
+    VerifyEmailViewResponse,
+    VerifyPasswordViewResponse
 {
     /**
      * The name of the view.

tests/VerifyPasswordControllerTest.php

@@ -0,0 +1,109 @@
+<?php
+
+namespace Laravel\Fortify\Tests;
+
+use Illuminate\Foundation\Auth\User;
+use Laravel\Fortify\Contracts\VerifyPasswordViewResponse;
+
+class VerifyPasswordControllerTest extends OrchestraTestCase
+{
+    protected $user;
+
+    public function test_the_verify_password_view_is_returned()
+    {
+        $this->mock(VerifyPasswordViewResponse::class)
+            ->shouldReceive('toResponse')
+            ->andReturn(response('hello world'));
+
+        $response = $this->withoutExceptionHandling()->actingAs($this->user)->get(
+            '/user/password/verify'
+        );
+
+        $response->assertStatus(200);
+        $response->assertSeeText('hello world');
+    }
+
+    public function test_password_can_be_verified()
+    {
+        $response = $this->withoutExceptionHandling()
+            ->actingAs($this->user)
+            ->withSession(['url.intended' => 'http://foo.com/bar'])
+            ->post(
+                '/user/password/verify',
+                ['password' => 'secret']
+            );
+
+        $response->assertSessionHas('auth.password_confirmed_at');
+        $response->assertRedirect('http://foo.com/bar');
+    }
+
+    public function test_password_verification_can_fail()
+    {
+        $response = $this->withoutExceptionHandling()
+            ->actingAs($this->user)
+            ->withSession(['url.intended' => 'http://foo.com/bar'])
+            ->post(
+                '/user/password/verify',
+                ['password' => 'invalid']
+            );
+
+        $response->assertSessionHasErrors(['password']);
+        $response->assertSessionMissing('auth.password_confirmed_at');
+        $response->assertRedirect();
+        $this->assertNotEquals($response->getTargetUrl(), 'http://foo.com/bar');
+    }
+
+    public function test_password_can_be_verified_with_json()
+    {
+        $response = $this->actingAs($this->user)
+            ->postJson(
+                '/user/password/verify',
+                ['password' => 'secret']
+            );
+        $response->assertStatus(201);
+    }
+
+    public function test_password_verification_can_fail_with_json()
+    {
+        $response = $this->actingAs($this->user)
+            ->postJson(
+                '/user/password/verify',
+                ['password' => 'invalid']
+            );
+
+        $response->assertJsonValidationErrors('password');
+    }
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        $this->user = TestVerifyPasswordUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+        ]);
+    }
+
+    protected function getEnvironmentSetUp($app)
+    {
+        $app['migrator']->path(__DIR__.'/../database/migrations');
+
+        $app['config']->set('auth.providers.users.model', TestVerifyPasswordUser::class);
+
+        $app['config']->set('database.default', 'testbench');
+
+        $app['config']->set('database.connections.testbench', [
+            'driver'   => 'sqlite',
+            'database' => ':memory:',
+            'prefix'   => '',
+        ]);
+    }
+}
+
+class TestVerifyPasswordUser extends User
+{
+    protected $table = 'users';
+}