Support HMAC password hash format from Laravel 12.45.0+ (#578)

ams-ryanolson · web-flow · commit fd447754d2d3 · 2026-01-06T17:11:51.000-06:00
Laravel Framework v12.45.0 (PR laravel/framework#58107) changed how password hashes are stored in sessions - they're now stored as HMACs instead of raw hashes for improved security. This updates Sanctum's AuthenticateSession middleware to: 1. Use hashPasswordForCookie() when storing the password hash (if available) 2. Add validatePasswordHash() that tries HMAC format first, falls back to raw hash comparison for backward compatibility This ensures compatibility when both $middleware->authenticateSessions() and Sanctum stateful auth are enabled together. Fixes #577
diff --git a/src/Http/Middleware/AuthenticateSession.php b/src/Http/Middleware/AuthenticateSession.php
@@ -50,8 +50,11 @@ public function handle(Request $request, Closure $next): Response
         $shouldLogout = $guards->filter(
             fn ($guard, $driver) => $request->session()->has('password_hash_'.$driver)
         )->filter(
-            fn ($guard, $driver) => $request->session()->get('password_hash_'.$driver) !==
-                                    $request->user()->getAuthPassword()
+            fn ($guard, $driver) => ! $this->validatePasswordHash(
+                $guard,
+                $request->user()->getAuthPassword(),
+                $request->session()->get('password_hash_'.$driver)
+            )
         );
 
         if ($shouldLogout->isNotEmpty()) {
@@ -94,8 +97,33 @@ protected function getFirstGuardWithUser(Collection $guards)
      */
     protected function storePasswordHashInSession($request, string $guard)
     {
+        $guardInstance = $this->auth->guard($guard);
+
         $request->session()->put([
-            "password_hash_{$guard}" => $this->auth->guard($guard)->user()->getAuthPassword(),
+            "password_hash_{$guard}" => method_exists($guardInstance, 'hashPasswordForCookie')
+                ? $guardInstance->hashPasswordForCookie($guardInstance->user()->getAuthPassword())
+                : $guardInstance->user()->getAuthPassword(),
         ]);
     }
+
+    /**
+     * Validate the password hash against the stored value.
+     *
+     * @param  \Illuminate\Auth\SessionGuard  $guard
+     * @param  string  $passwordHash
+     * @param  string  $storedValue
+     * @return bool
+     */
+    protected function validatePasswordHash(SessionGuard $guard, string $passwordHash, string $storedValue): bool
+    {
+        // Try new HMAC format first (Laravel 12.45.0+)...
+        if (method_exists($guard, 'hashPasswordForCookie')) {
+            if (hash_equals($guard->hashPasswordForCookie($passwordHash), $storedValue)) {
+                return true;
+            }
+        }
+
+        // Fall back to raw password hash format for backward compatibility...
+        return hash_equals($passwordHash, $storedValue);
+    }
 }
