Password Confirm Min Time From Login

[CyberPunkCodes]

Ability to support a minimum time since login before prompting password.confirm.

Scenario: Your session expired while you where logged in. You come back, get on the computer, click on the tab for the site, and click a link to pick up where you left off (hours/days later lol). Ok, you have to login again, totally normal. However, the link you clicked on was a protected route via password.confirm. Maybe you clicked "Edit profile" or something. So, you JUST entered your email/pass to login again because the session expired. The login redirected you to the link you initially tried to go to (edit profile), just as it should. HOWEVER, it is a protected page, so it prompts you AGAIN for your password. What?! You literally just entered your password 2 seconds ago!

I know password.confirm is just doing it's job, however it is a bad user experience to have to login and immediately enter your password again.

Solution: Maybe the password.confirm middleware needs to allow us to set a time (in seconds) to not activate from their login time. It could be 2 minutes by default. I personally would configure it to probably 5 minutes.

[woodspire]

You could add a column to the user table containing the last login date & time.
Listen on the successful login event and update that column.
Create a middleware that extend password.confirm

If the time in the database is not long ago, return true else run the parent handle (password.confirm)