Build a Starter Kit With Inertia and Fortify
This episode is for members only

Sign up to access "Build a Starter Kit With Inertia and Fortify" right now.

Get started
Already a member? Sign in to continue
Playing
32. Fixing password confirm redirect

Episodes

0%
Your progress
  • Total: 5h 21m
  • Played: 0m
  • Remaining: 5h 21m
Join or sign in to track your progress
01. Setting up
01. Introduction and demo
4m 30s
0%
02. Installing Inertia from scratch
11m 49s
0%
03. Installing Tailwind
3m 24s
0%
04. Layout and navigation
31m 15s
0%
05. Installing Fortify
6m 10s
0%
06. Exposing routes with Ziggy
6m 44s
0%
07. Global modals
23m 41s
0%
02. Authentication
08. Registering users
13m 56s
0%
09. Sharing the authenticated user globally
5m 48s
0%
10. Signing in
9m 27s
0%
11. Signing out
2m 39s
0%
12. Redirecting to the intended location
4m 58s
0%
03. Feature management
13. Adding feature management checks
3m 14s
0%
14. Client-side feature management
5m 53s
0%
04. Building a toast feature
15. Basic flash messages with Inertia
7m 51s
0%
16. Building a toast plugin
15m 38s
0%
17. Styling and transitioning the toast
4m 53s
0%
05. Profile management
18. Creating an account layout
13m 24s
0%
19. Detecting and highlighting current pages
5m 22s
0%
20. Updating profile details
9m 22s
0%
21. Profile photo output and swapping
9m 17s
0%
22. Storing a profile photo
13m
0%
23. Changing user passwords
9m 9s
0%
24. Account feature toggling
8m 19s
0%
06. Password confirmation
25. Using a modal for password confirmation
8m 16s
0%
26. Confirming user passwords
4m 23s
0%
07. Two factor authentication
27. Building the two factor modal
9m 7s
0%
28. Showing a QR code
7m 44s
0%
29. Enabling two factor authentication
6m 52s
0%
30. Disabling two factor authentication
1m 35s
0%
31. Showing recovery codes
4m 37s
0%
32. Fixing password confirm redirect
9m 42s
0%
33. Fixing password confirm flow when enabling
3m 26s
0%
34. Challenging the user when signing in
5m 58s
0%
08. Email verification
35. Mail setup and forcing email verification
4m 8s
0%
36. Adding a verification notice
3m 42s
0%
37. Resending the verification email
3m 27s
0%
09. Account recovery
38. Sending a recovery email
8m 45s
0%
39. Setting a new password
8m 22s
0%
10. Fixes and improvements
40. Closing the user navigation on click
2m 12s
0%

Transcript

00:00
So when we fetch our recovery codes, this is protected by our password confirmation middleware,
00:05
which means that if the user hasn't recently confirmed their password, this will actually error. Now, we saw that earlier when we made a direct request to show the modal, but we actually
00:15
have an issue with the redirection of this. And let's go ahead and trigger that now and see how we can fix it. So the first thing I'm going to do
00:22
is head over to our Fortify routes within the Fortify package itself. And just down here, we've got this two-factor middleware, which is applied to all of our two-factor routes.
00:32
And as you can see, we've got password confirm as one of them. Now, we want to go ahead and change around the password confirmation timing for this.
00:41
So we want to basically take down the amount of time it takes for this to work. So let's go over to our kernel just to remind ourselves this is called require password.
00:51
We're going to go ahead and pull require password into here. And then we're going to say using. We'll set null for the redirect. And then we'll set, say, 10 seconds for the timeout.
01:02
So that means that a user has to re-enter their password every 10 seconds. So that's enough for us to test this out. So if I click Show Recovery Codes now,
01:10
you can see nothing happens. If we open up our console, we get exactly the same issue as we saw before where we are getting back this message password confirmation required.
01:19
So we've got to go through the same steps now to handle this. If we come over to our two-factor form, that is not too much trouble. We've already done this.
01:27
We're going to go ahead and catch an error in here, compare the status code, and then automatically trigger our modal. So we'll go ahead and say if e response and status is 423,
01:41
then we want to use our router to make a get request, or we could say replace or whatever, to our password confirm modal. So that will be enough just to trigger the modal.
01:52
Now, if we go ahead and try this, sure enough, when I click on this, it will now prompt us to confirm our password. But watch what happens when I enter my password
02:02
and hit Continue. We are redirected back over to the home page. Now, the reason this doesn't quite work is because of the intended redirect from the response
02:11
we get back when we have that confirmed password response in Fortify. Let's dig into that now and actually see what's happening behind the scenes.
02:20
So if we open up our root list again, let's look at our password confirmation. This is the confirmable password controller. So let's go ahead and open that up.
02:29
And you can see here that once we do everything and everything's all good, we get this password confirmed response. So let's open up the actual implementation of this.
02:40
And you can see that this redirects us to the intended location. Now, the intended location is going to be where we want to be at.
02:48
That worked when we implemented this for our dashboard because we clicked to intend to go to the dashboard. But it's not going to work for this reason because we are manually triggering
02:59
this using a root again. This doesn't set the intended location. So we need to figure out how to get this working. And we're going to need to modify this response.
03:09
But what we will do is we will go and copy this over first of all. So I'm going to copy this entire thing. And we'll do just exactly what we've done before
03:17
with our custom responses. And let's put this in here and say password confirmed response. And let's paste that in.
03:27
And of course, change over the namespace now to app HTTP responses. And then of course, we can head over to our Fortify service provider and just switch this over.
03:38
So let's do exactly what we did before up here when we were attaching these to the container. And this is the, let's just check the name, password confirmed response.
03:48
And then this is going to be the concrete implementation of our password confirmed response. So there's a couple of things that we could do here. We could return back.
03:58
But that's not helpful because we kind of want when a user performs an action to go through to that place that they have intended to be. So let's just make sure that we are within our own password
04:09
confirmed response here. And let's look at changing this. So I'm going to change this to back just to demonstrate that this does work.
04:17
And then we'll come up with a better solution. So let's go over to security, hit show recovery codes, enter our password, hit continue. And you can see that technically now we're returned back.
04:27
Now we've returned back to our confirmation modal, which is not really what we want. The user's then going to have to close it off and then click to do what they want to do.
04:36
So that works, but it's not the best solution. So what we could do instead is we could redirect the intended location. But we could swap out what happens
04:45
if we don't have an intended location. So what would we want to redirect back to if we don't have an intended location, like what we're doing with our click
04:55
to trigger our list of recovery codes? Well, what we could do is just say stay on the same page, so kind of like redirecting back. So how do we do this?
05:05
Well, we can actually go ahead and use the route facade here. So let's pull this out. And we could grab the current route, and then we could grab the current route URI.
05:15
So that will basically, if we don't have an intended location, it will just stay on the same page. That's kind of what we want.
05:21
So let's try this out. We've got that 10-second delay, remember, between confirming our password. So that's asked us.
05:28
And if we click Continue, you can see that we stay on the same page. Now that's good, because now if we were to apply the same functionality to our dashboard,
05:35
we wouldn't see it stay on the same page. It would go to the intended location. So for example, if we go over to our web routes up to our dashboard, and we add in that middleware
05:45
to confirm our password, let's just confirm the name, password.confirm, that is still going to work as we intend. So if I click on dashboard, let's just wait 10 seconds and actually use that middleware with the delay.
06:01
So let's say require password using null. And let's just set that to 10 seconds. And let's try this out. So that's asking for our password.
06:16
But because we've not removed the intended, that is now going to go through to the dashboard. So it's working everywhere else, which is good. That's what we want.
06:24
But we're landing on the same page if we don't have an intended location, if we're triggering this manually. So with all that done, let's go back over to our two-factor
06:34
form and look at how we can actually close the modal once we are redirected back when we don't have an intended location. So I'm going to click on this, enter my password,
06:45
and click Continue. It's at this point now that for this specific use case, we want to just close the modal off and land back on this page. So how do we do this?
06:55
Well, we can go and for our password confirm modal, when we send this request through, we always want to close the modal. So that means if we're redirected
07:07
to the intended location, the modal will close anyway. But if we stay on the same page, we want to close the modal. So we're going to create out here a onSuccess callback. And we could extract this out to a function.
07:20
But we're then going to close the modal. Now, where does this close function come from? We don't have it in here at the moment. Well, if we just remind ourselves,
07:27
when we built our modal, we pulled in the useModal composable from Momentum modal, the package we're using. And we have this close trigger. So we can actually close this off directly inside of here.
07:38
So we don't need redirect. We don't need show. We can just go ahead and close this. So now, when the password confirmation was successful,
07:46
close the modal regardless of whether we're redirecting or not. So let's try this whole flow out now then. So let's go and go back over to our security section,
07:56
hit Show Recovery Codes. Now we can enter our password, press Continue. That closes the modal. Now we have confirmed our password.
08:05
Now, the flow of this isn't ideal because the intended location is an Axios request. We can't really redirect to an Axios request. It doesn't really work like that.
08:15
But we can go ahead and click this and enter our password and click it. Now, the reason that happened is because we have that 10-second delay.
08:22
But in reality, your user would then have would have confirmed their password and everything would be good. Now, to kind of get around this issue of this flow,
08:31
what we can do, now that we have modified the response for our password confirmed, we could use a TOAST here. So I'm going to get rid of this JSON response
08:41
because, again, we don't really need that. And we can say, with TOAST password confirmed, please continue, or whatever you want to say, just so it's clear that you can continue the action
08:56
that you are about to take. So let's click Show Recovery Codes, enter my password. And now it's a little bit clearer that I can then go ahead and access what I need to access.
09:07
So you can tweak this depending on how your app is going to work. But I think that's a good solution for closing that model off, redirecting back
09:16
to the same page if we don't have an intended location, if it's something like an Axios request, and then, of course, just being confirmed. Now, I'm going to go ahead and get rid of this from the roots
09:27
in Fortify because having a 10-second delay is not ideal. So we're going to change this back over to password.confirm. So let's switch that back over. And we are pretty much done with that fixed up time.

Episode summary

In this episode, we're tackling a tricky issue around password confirmation redirects, especially when fetching sensitive info like recovery codes that are behind a password-confirm middleware. Basically, the problem happens when a user hasn't recently confirmed their password: we want to prompt them for it, but the default redirect logic doesn't play nicely when our request is triggered by things like Axios, rather than a normal page navigation.

We start by exploring how the middleware is set up and intentionally reduce the confirmation timeout to 10 seconds so we can quickly test the flow. When we try fetching the recovery codes, we see the expected error about password confirmation being required. Then we catch that specific error and automatically trigger our password confirmation modal. However, after confirming the password, we're redirected awkwardly back to the homepage (which is not what we want for modals).

Digging into the underlying Fortify response, we see it uses the 'intended' redirect—perfect for normal page flows, but not for our use case. To resolve this, we override the password confirmed response so that if no intended location exists (like with our modal), we simply redirect back to the current page. This gives us a much smoother experience: after confirming the password in the modal, we stay in context instead of being booted elsewhere.

To round it out, we tweak our modal behavior so it always closes when confirmation is successful, regardless of the redirect. We add a toast notification to make the flow clearer to users, especially since there isn’t really an actual redirect happening after an Axios request confirms their password.

Finally, we test everything to make sure the fix works for both modal/AJAX workflows and standard page navigation, then revert the timeout to something more reasonable. Overall, in this episode, you'll learn how to handle these edge cases when combining password confirmation, modals, and API requests!

Episode discussion

No comments, yet. Be the first!