Backporting Timebox fixes to 11.x (laravel#55705)

valorin · JurianArie · taylorotwell · web-flow · commit 776653a688d0 · 2025-05-11T15:46:35.000-05:00
* Shift Timebox up a level to encapsulate the query too

* Add Timebox Duration into config

* Add Timebox to Password Broker

* Add early return inside reset

Co-authored-by: JurianArie &lt;28654085+JurianArie@users.noreply.github.com&gt;

* formatting

---------

Co-authored-by: JurianArie &lt;28654085+JurianArie@users.noreply.github.com&gt;
Co-authored-by: Taylor Otwell &lt;taylor@laravel.com&gt;
diff --git a/src/Illuminate/Auth/AuthManager.php b/src/Illuminate/Auth/AuthManager.php
@@ -127,6 +127,7 @@ public function createSessionDriver($name, $config)
             $this->createUserProvider($config['provider'] ?? null),
             $this->app['session.store'],
             rehashOnLogin: $this->app['config']->get('hashing.rehash_on_login', true),
+            timeboxDuration: $this->app['config']->get('auth.timebox_duration', 200000),
         );
 
         // When using the remember me functionality of the authentication services we
diff --git a/src/Illuminate/Auth/Passwords/PasswordBroker.php b/src/Illuminate/Auth/Passwords/PasswordBroker.php
@@ -9,6 +9,7 @@
 use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Support\Arr;
+use Illuminate\Support\Timebox;
 use UnexpectedValueException;
 
 class PasswordBroker implements PasswordBrokerContract
@@ -34,19 +35,42 @@ class PasswordBroker implements PasswordBrokerContract
      */
     protected $events;
 
+    /**
+     * The timebox instance.
+     *
+     * @var \Illuminate\Support\Timebox
+     */
+    protected $timebox;
+
+    /**
+     * The number of microseconds that the timebox should wait for.
+     *
+     * @var int
+     */
+    protected $timeboxDuration;
+
     /**
      * Create a new password broker instance.
      *
      * @param  \Illuminate\Auth\Passwords\TokenRepositoryInterface  $tokens
      * @param  \Illuminate\Contracts\Auth\UserProvider  $users
      * @param  \Illuminate\Contracts\Events\Dispatcher|null  $dispatcher
+     * @param  \Illuminate\Support\Timebox|null  $timebox
+     * @param  int  $timeboxDuration
      * @return void
      */
-    public function __construct(#[\SensitiveParameter] TokenRepositoryInterface $tokens, UserProvider $users, ?Dispatcher $dispatcher = null)
-    {
+    public function __construct(
+        #[\SensitiveParameter] TokenRepositoryInterface $tokens,
+        UserProvider $users,
+        ?Dispatcher $dispatcher = null,
+        ?Timebox $timebox = null,
+        int $timeboxDuration = 200000,
+    ) {
         $this->users = $users;
         $this->tokens = $tokens;
         $this->events = $dispatcher;
+        $this->timebox = $timebox ?: new Timebox;
+        $this->timeboxDuration = $timeboxDuration;
     }
 
     /**
@@ -58,33 +82,35 @@ public function __construct(#[\SensitiveParameter] TokenRepositoryInterface $tok
      */
     public function sendResetLink(#[\SensitiveParameter] array $credentials, ?Closure $callback = null)
     {
-        // First we will check to see if we found a user at the given credentials and
-        // if we did not we will redirect back to this current URI with a piece of
-        // "flash" data in the session to indicate to the developers the errors.
-        $user = $this->getUser($credentials);
+        return $this->timebox->call(function () use ($credentials, $callback) {
+            // First we will check to see if we found a user at the given credentials and
+            // if we did not we will redirect back to this current URI with a piece of
+            // "flash" data in the session to indicate to the developers the errors.
+            $user = $this->getUser($credentials);
 
-        if (is_null($user)) {
-            return static::INVALID_USER;
-        }
+            if (is_null($user)) {
+                return static::INVALID_USER;
+            }
 
-        if ($this->tokens->recentlyCreatedToken($user)) {
-            return static::RESET_THROTTLED;
-        }
+            if ($this->tokens->recentlyCreatedToken($user)) {
+                return static::RESET_THROTTLED;
+            }
 
-        $token = $this->tokens->create($user);
+            $token = $this->tokens->create($user);
 
-        if ($callback) {
-            return $callback($user, $token) ?? static::RESET_LINK_SENT;
-        }
+            if ($callback) {
+                return $callback($user, $token) ?? static::RESET_LINK_SENT;
+            }
 
-        // Once we have the reset token, we are ready to send the message out to this
-        // user with a link to reset their password. We will then redirect back to
-        // the current URI having nothing set in the session to indicate errors.
-        $user->sendPasswordResetNotification($token);
+            // Once we have the reset token, we are ready to send the message out to this
+            // user with a link to reset their password. We will then redirect back to
+            // the current URI having nothing set in the session to indicate errors.
+            $user->sendPasswordResetNotification($token);
 
-        $this->events?->dispatch(new PasswordResetLinkSent($user));
+            $this->events?->dispatch(new PasswordResetLinkSent($user));
 
-        return static::RESET_LINK_SENT;
+            return static::RESET_LINK_SENT;
+        }, $this->timeboxDuration);
     }
 
     /**
@@ -96,25 +122,29 @@ public function sendResetLink(#[\SensitiveParameter] array $credentials, ?Closur
      */
     public function reset(#[\SensitiveParameter] array $credentials, Closure $callback)
     {
-        $user = $this->validateReset($credentials);
+        return $this->timebox->call(function ($timebox) use ($credentials, $callback) {
+            $user = $this->validateReset($credentials);
 
-        // If the responses from the validate method is not a user instance, we will
-        // assume that it is a redirect and simply return it from this method and
-        // the user is properly redirected having an error message on the post.
-        if (! $user instanceof CanResetPasswordContract) {
-            return $user;
-        }
+            // If the responses from the validate method is not a user instance, we will
+            // assume that it is a redirect and simply return it from this method and
+            // the user is properly redirected having an error message on the post.
+            if (! $user instanceof CanResetPasswordContract) {
+                return $user;
+            }
 
-        $password = $credentials['password'];
+            $password = $credentials['password'];
 
-        // Once the reset has been validated, we'll call the given callback with the
-        // new password. This gives the user an opportunity to store the password
-        // in their persistent storage. Then we'll delete the token and return.
-        $callback($user, $password);
+            // Once the reset has been validated, we'll call the given callback with the
+            // new password. This gives the user an opportunity to store the password
+            // in their persistent storage. Then we'll delete the token and return.
+            $callback($user, $password);
 
-        $this->tokens->delete($user);
+            $this->tokens->delete($user);
+
+            $timebox->returnEarly();
 
-        return static::PASSWORD_RESET;
+            return static::PASSWORD_RESET;
+        }, $this->timeboxDuration);
     }
 
     /**
@@ -200,4 +230,14 @@ public function getRepository()
     {
         return $this->tokens;
     }
+
+    /**
+     * Get the timebox instance used by the guard.
+     *
+     * @return \Illuminate\Support\Timebox
+     */
+    public function getTimebox()
+    {
+        return $this->timebox;
+    }
 }
diff --git a/src/Illuminate/Auth/Passwords/PasswordBrokerManager.php b/src/Illuminate/Auth/Passwords/PasswordBrokerManager.php
@@ -71,6 +71,7 @@ protected function resolve($name)
             $this->createTokenRepository($config),
             $this->app['auth']->createUserProvider($config['provider'] ?? null),
             $this->app['events'] ?? null,
+            timeboxDuration: $this->app['config']->get('auth.timebox_duration', 200000),
         );
     }
 
diff --git a/src/Illuminate/Auth/SessionGuard.php b/src/Illuminate/Auth/SessionGuard.php
@@ -96,6 +96,13 @@ class SessionGuard implements StatefulGuard, SupportsBasicAuth
      */
     protected $timebox;
 
+    /**
+     * The number of microseconds that the timebox should wait for.
+     *
+     * @var int
+     */
+    protected $timeboxDuration;
+
     /**
      * Indicates if passwords should be rehashed on login if needed.
      *
@@ -126,6 +133,7 @@ class SessionGuard implements StatefulGuard, SupportsBasicAuth
      * @param  \Symfony\Component\HttpFoundation\Request|null  $request
      * @param  \Illuminate\Support\Timebox|null  $timebox
      * @param  bool  $rehashOnLogin
+     * @param  int  $timeboxDuration
      * @return void
      */
     public function __construct(
@@ -135,13 +143,15 @@ public function __construct(
         ?Request $request = null,
         ?Timebox $timebox = null,
         bool $rehashOnLogin = true,
+        int $timeboxDuration = 200000,
     ) {
         $this->name = $name;
         $this->session = $session;
         $this->request = $request;
         $this->provider = $provider;
         $this->timebox = $timebox ?: new Timebox;
         $this->rehashOnLogin = $rehashOnLogin;
+        $this->timeboxDuration = $timeboxDuration;
     }
 
     /**
@@ -291,9 +301,17 @@ public function onceUsingId($id)
      */
     public function validate(array $credentials = [])
     {
-        $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
+        return $this->timebox->call(function ($timebox) use ($credentials) {
+            $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
 
-        return $this->hasValidCredentials($user, $credentials);
+            $validated = $this->hasValidCredentials($user, $credentials);
+
+            if ($validated) {
+                $timebox->returnEarly();
+            }
+
+            return $validated;
+        }, $this->timeboxDuration);
     }
 
     /**
@@ -391,27 +409,31 @@ protected function failedBasicResponse()
      */
     public function attempt(array $credentials = [], $remember = false)
     {
-        $this->fireAttemptEvent($credentials, $remember);
+        return $this->timebox->call(function ($timebox) use ($credentials, $remember) {
+            $this->fireAttemptEvent($credentials, $remember);
 
-        $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
+            $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
 
-        // If an implementation of UserInterface was returned, we'll ask the provider
-        // to validate the user against the given credentials, and if they are in
-        // fact valid we'll log the users into the application and return true.
-        if ($this->hasValidCredentials($user, $credentials)) {
-            $this->rehashPasswordIfRequired($user, $credentials);
+            // If an implementation of UserInterface was returned, we'll ask the provider
+            // to validate the user against the given credentials, and if they are in
+            // fact valid we'll log the users into the application and return true.
+            if ($this->hasValidCredentials($user, $credentials)) {
+                $this->rehashPasswordIfRequired($user, $credentials);
 
-            $this->login($user, $remember);
+                $this->login($user, $remember);
 
-            return true;
-        }
+                $timebox->returnEarly();
 
-        // If the authentication attempt fails we will fire an event so that the user
-        // may be notified of any suspicious attempts to access their account from
-        // an unrecognized user. A developer may listen to this event as needed.
-        $this->fireFailedEvent($user, $credentials);
+                return true;
+            }
 
-        return false;
+            // If the authentication attempt fails we will fire an event so that the user
+            // may be notified of any suspicious attempts to access their account from
+            // an unrecognized user. A developer may listen to this event as needed.
+            $this->fireFailedEvent($user, $credentials);
+
+            return false;
+        }, $this->timeboxDuration);
     }
 
     /**
@@ -424,24 +446,28 @@ public function attempt(array $credentials = [], $remember = false)
      */
     public function attemptWhen(array $credentials = [], $callbacks = null, $remember = false)
     {
-        $this->fireAttemptEvent($credentials, $remember);
+        return $this->timebox->call(function ($timebox) use ($credentials, $callbacks, $remember) {
+            $this->fireAttemptEvent($credentials, $remember);
 
-        $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
+            $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
 
-        // This method does the exact same thing as attempt, but also executes callbacks after
-        // the user is retrieved and validated. If one of the callbacks returns falsy we do
-        // not login the user. Instead, we will fail the specific authentication attempt.
-        if ($this->hasValidCredentials($user, $credentials) && $this->shouldLogin($callbacks, $user)) {
-            $this->rehashPasswordIfRequired($user, $credentials);
+            // This method does the exact same thing as attempt, but also executes callbacks after
+            // the user is retrieved and validated. If one of the callbacks returns falsy we do
+            // not login the user. Instead, we will fail the specific authentication attempt.
+            if ($this->hasValidCredentials($user, $credentials) && $this->shouldLogin($callbacks, $user)) {
+                $this->rehashPasswordIfRequired($user, $credentials);
 
-            $this->login($user, $remember);
+                $this->login($user, $remember);
 
-            return true;
-        }
+                $timebox->returnEarly();
 
-        $this->fireFailedEvent($user, $credentials);
+                return true;
+            }
 
-        return false;
+            $this->fireFailedEvent($user, $credentials);
+
+            return false;
+        }, $this->timeboxDuration);
     }
 
     /**
@@ -453,17 +479,13 @@ public function attemptWhen(array $credentials = [], $callbacks = null, $remembe
      */
     protected function hasValidCredentials($user, $credentials)
     {
-        return $this->timebox->call(function ($timebox) use ($user, $credentials) {
-            $validated = ! is_null($user) && $this->provider->validateCredentials($user, $credentials);
-
-            if ($validated) {
-                $timebox->returnEarly();
+        $validated = ! is_null($user) && $this->provider->validateCredentials($user, $credentials);
 
-                $this->fireValidatedEvent($user);
-            }
+        if ($validated) {
+            $this->fireValidatedEvent($user);
+        }
 
-            return $validated;
-        }, 200 * 1000);
+        return $validated;
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ protected function resolve($name)`
`71`	`71`	`$this->createTokenRepository($config),`
`72`	`72`	`$this->app['auth']->createUserProvider($config['provider'] ?? null),`
`73`	`73`	`$this->app['events'] ?? null,`
	`74`	`+ timeboxDuration: $this->app['config']->get('auth.timebox_duration', 200000),`
`74`	`75`	`);`
`75`	`76`	`}`
`76`	`77`