Fortify Laravel Package

What's Changed

• [1.x] Fix passkey password confirmation defaults by [@benbjurstrom](https://github.com/benbjurstrom) in https://github.com/laravel/fortify/pull/678

Full Changelog: https://github.com/laravel/fortify/compare/v1.37.1...v1.37.2

What's Changed

• [1.x] Bump actions/checkout from v4 to v6 by [@mon4ssi](https://github.com/mon4ssi) in https://github.com/laravel/fortify/pull/673
• Pin GitHub Actions to commit SHAs and add Dependabot config by [@joetannenbaum](https://github.com/joetannenbaum) in https://github.com/laravel/fortify/pull/674
• [1.x] update passkeys and set passkeys management middleware by [@benbjurstrom](https://github.com/benbjurstrom) in https://github.com/laravel/fortify/pull/676
• Bump shivammathur/setup-php from 2.37.0 to 2.37.1 in the github-actions group by [@dependabot](https://github.com/dependabot)[bot] in https://github.com/laravel/fortify/pull/677

New Contributors

• [@mon4ssi](https://github.com/mon4ssi) made their first contribution in https://github.com/laravel/fortify/pull/673
• [@joetannenbaum](https://github.com/joetannenbaum) made their first contribution in https://github.com/laravel/fortify/pull/674
• [@dependabot](https://github.com/dependabot)[bot] made their first contribution in https://github.com/laravel/fortify/pull/677

Full Changelog: https://github.com/laravel/fortify/compare/v1.37.0...v1.37.1

• Drop support for PHP 8.1 and Laravel 10 by [@benbjurstrom](https://github.com/benbjurstrom) in https://github.com/laravel/fortify/pull/669
• Fix incompatibility between Laravel Fortify and FormRequest::failOnUnknownFields() by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/670
• Feat/add passkeys by [@benbjurstrom](https://github.com/benbjurstrom) in https://github.com/laravel/fortify/pull/668

• Rewrite Fortify core guidelines and skill descriptions in imperative style by [@pushpak1300](https://github.com/pushpak1300) in https://github.com/laravel/fortify/pull/662
• Update reference from Jetstream to Starter Kits by [@MrPunyapal](https://github.com/MrPunyapal) in https://github.com/laravel/fortify/pull/663

• [1.x] Makes imports consistent by [@nunomaduro](https://github.com/nunomaduro) in https://github.com/laravel/fortify/pull/659

• Rename Skill by [@pushpak1300](https://github.com/pushpak1300) in https://github.com/laravel/fortify/pull/657

• Add [@throws](https://github.com/throws) annotation to create() docblock by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/634
• Add [@throws](https://github.com/throws) annotation to function() docblock by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/635
• Use scoped bindings for Octane compatibility by [@vrodriguero](https://github.com/vrodriguero) in https://github.com/laravel/fortify/pull/637
• Clarify Two-Factor Authentication database column requirements by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/638
• add [@throws](https://github.com/throws) \Illuminate\Validation\ValidationException to functions() in Http\Responses by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/639
• Clarify Sanctum usage in SPA authentication setup by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/641
• Clarify Two-Factor Authentication JSON responses for SPA mode by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/640
• Clarify required guard for SPA authentication setup by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/643
• add [@throws](https://github.com/throws) in function UpdateUserProfileInformation.php by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/644
• Update [@return](https://github.com/return) type of toResponse() to mixed for accuracy by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/645
• add [@throws](https://github.com/throws) ValidationException function in AttemptToAuthenticate.php by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/646
• Fix docblock for index() to reflect array or JsonResponse return type by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/650
• add [@throws](https://github.com/throws) ValidationException function in ConfirmTwoFactorAuthentication.php by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/649
• Fix two-factor QR code controller return type by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/652
• Update docblock return type for email verification store method by [@mohammadRezaei1380](https://github.com/mohammadRezaei1380) in https://github.com/laravel/fortify/pull/654

• Supports Laravel 13 by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/631

What's Changed

• [1.x] Add Skills support by [@pushpak1300](https://github.com/pushpak1300) in https://github.com/laravel/fortify/pull/630

Full Changelog: https://github.com/laravel/fortify/compare/v1.33.0...v1.34.0

• Added dedicated Request object to PasswordResetLinkController by [@chrispage1](https://github.com/chrispage1) in https://github.com/laravel/fortify/pull/628
• Change callback parameter type to callable|string by [@Propaganistas](https://github.com/Propaganistas) in https://github.com/laravel/fortify/pull/629

• [1.x] PHP 8.5 Compatibility by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/621

• [1.x] Add Features::canUpdatePasswords() method by [@jrd-lewis](https://github.com/jrd-lewis) in https://github.com/laravel/fortify/pull/617
• [1.x] chore: bump to pragmarx/google2fa v9 by [@joostdebruijn](https://github.com/joostdebruijn) in https://github.com/laravel/fortify/pull/619

• Resolves issue #592 - RecoveryCodeReplaced event dispatched twice by [@coolAlias](https://github.com/coolAlias) in https://github.com/laravel/fortify/pull/616

• [1.x] Add Laravel Fortify guidelines for boost by [@pushpak1300](https://github.com/pushpak1300) in https://github.com/laravel/fortify/pull/614

• Breaking Change: Revert "Validate password is a string when confirming password" by [@themsaid](https://github.com/themsaid) in https://github.com/laravel/fortify/pull/612

• [1.x] single indentation on multiline ternarys by [@browner12](https://github.com/browner12) in https://github.com/laravel/fortify/pull/605
• Validate password is a string when confirming password by [@devfrey](https://github.com/devfrey) in https://github.com/laravel/fortify/pull/606
• Fix conflicts with app factories, causing recursive definitions in IDE by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/609
• Add Fortify::encryptUsing() to allow customising the default encryption by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/611
• Regenerate session on register by [@valorin](https://github.com/valorin) in https://github.com/laravel/fortify/pull/610

• [1.x] Add InteractsWithTwoFactorState Trait to handle 2FA state between requests by [@pushpak1300](https://github.com/pushpak1300) in https://github.com/laravel/fortify/pull/604

• fix: add missing route name to /user/two-factor-recovery-codes by [@Barbapapazes](https://github.com/Barbapapazes) in https://github.com/laravel/fortify/pull/602

• feat() : make Fortify honour Model::encryptUsing to enable app key rotation by [@sebestenyb](https://github.com/sebestenyb) in https://github.com/laravel/fortify/pull/601

• Allow RedirectIfTwoFactorAuthenticatable to be resolved via the Container by [@Junveloper](https://github.com/Junveloper) in https://github.com/laravel/fortify/pull/599

• Delete existing tokens when user updates password by [@patrickomeara](https://github.com/patrickomeara) in https://github.com/laravel/fortify/pull/598

• Prevent empty username fields from being added to requests by [@edvardsr](https://github.com/edvardsr) in https://github.com/laravel/fortify/pull/590
• Supports Laravel 12 by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/591

• DisableTwoFactorAuthentication should always set two_factor_confirmed_at to null when it has a value by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/589

• [1.x] Use retrieveByCredentials() on the User Provider instead of a hardcoded Eloquent query by [@pascalbaljet](https://github.com/pascalbaljet) in https://github.com/laravel/fortify/pull/582
• Changed migration of users table by [@aronbeurskens](https://github.com/aronbeurskens) in https://github.com/laravel/fortify/pull/586

• Replace implicitly nullable parameters for PHP 8.4 by [@JeppeKnockaert](https://github.com/JeppeKnockaert) in https://github.com/laravel/fortify/pull/580

• Add Remember Me Functionality to Registered User Login by [@cvairlis](https://github.com/cvairlis) in https://github.com/laravel/fortify/pull/579

• [1.x] Supports PHP 8.4 by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/576

• Rename POST routes to avoid regression bugs by [@cima-alfa](https://github.com/cima-alfa) in https://github.com/laravel/fortify/pull/574

• Update logo to support dark/light theme by [@milewski](https://github.com/milewski) in https://github.com/laravel/fortify/pull/569
• Fix unnamed routes when views are disabled (with original code formatting) by [@cima-alfa](https://github.com/cima-alfa) in https://github.com/laravel/fortify/pull/571

• Adding context length configuration for 2FA to ensure better security standards by [@MattLoyeD](https://github.com/MattLoyeD) in https://github.com/laravel/fortify/pull/568

• [1.x] Add X-Retry-After to /user/confirm-password/status response by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/565

• [1.x] Support case insensitive password resets by [@mattmcdonald-uk](https://github.com/mattmcdonald-uk) in https://github.com/laravel/fortify/pull/562
• Dispatch RecoveryCodeReplaced Event by [@stephenjude](https://github.com/stephenjude) in https://github.com/laravel/fortify/pull/564

• Fire ValidTwoFactorAuthenticationCodeProvided Event when 2FA session is authenticated by [@stefanzweifel](https://github.com/stefanzweifel) in https://github.com/laravel/fortify/pull/559

• [1.x] Rehash password if required when user uses two factor by [@gdebrauwer](https://github.com/gdebrauwer) in https://github.com/laravel/fortify/pull/557
• [1.x] Add TwoFactorAuthenticationFailed event by [@antergos98](https://github.com/antergos98) in https://github.com/laravel/fortify/pull/558

• [1.x] Allow redirect()->intended() responses to be resolved via the Container by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/551

• [1.x] Use available $name property from SessionGuard if the value exists by [@crynobone](https://github.com/crynobone) in https://github.com/laravel/fortify/pull/553

Changed

• Add 2fa Events (#338)
• Laravel 9 support (#340)

Changed

• Customise the auth middleware name (#335)

Fixed

• Check if authenticated user has 2FA enabled (#334)

Fixed

• Fix an issue with array to string conversion (#333)

Changed

• Use boolean rather than filled for remember (#328)

Changed

• Add a check for two factor auth being enabled (#323)

Changed

• Allow verification rate limiter to be configurable (#313)

Changed

• Allow reset password redirect (#307)

Added

• Redirection customization (#298)
• Add ReplacedRecoveryCode event (#301)

Fixed

• Fix auth guard (#296)

Fixed

• Require password and confirmation (#245)

Fixed

• Fix two factor form without user (#233, 67d7743, #235)

Fixed

• Redirect to intended URL after registration (#222)

Fixed

• Fix password rule (#211)
• Adds a missing scenario for the password rule (#213)

Fixed

• Move route outside $enableViews (#203)

Fixed

• Fix missing current password (#194)

Security

• Revert "Retrieve user through provider" (#195)

Changed

• Retrieve user through provider (#189)

Fixed

• Tweak how rate limiting is implemented (8609af2)
• Fix Two Factor prepare auth session (#181)

Fixed

• Fix route prefix (#152)
• Fire Failed events (#154)

Changed

• Add password update custom response (#290, e2a16f6)

Changed

• Cleanup code (#261)
• Returns JSON response (#267)
• Naming 2FA routes (#269)

Changed

• Restrict guest Middleware to Fortify's guard (#258)

Fixed

• Remove password confirmation requirement for reset password (#254)

Fixed

• Better way of validating credentials (#248)
• Use configured username property for qr code url (#249)

Changed

• Add the prefix and domain configuration options (#143)
• Change how feature options are stored to work with config caching (b2430958)

Fixed

• Fix 2FA disabled routes via views config (#142)

Added

• PHP 8 Support (#130)
• Add views config option (#133, ff155d0)

Changed

• Redirect to intended URL after email verification (#119)
• Only use two factor action when enabled (#127)

Added

• Add FailedTwoFactorLoginResponse contract (#106)

Changed

• Redirect to intended after two factor login (#105)
• Allow Fortify views to accept Responsable objects (#107)
• Use the Rule::unique for new user validation (#108)

Added

• Add attempts method to rate limiter (#85)
• Add name to Profile update and Password update routes (#89)

Fixed

• Fix for empty password during confirmation (#87)

Added

• Add option to force the password to have a special character (#65)

Fixed

• Allow 'confirmPasswordView' to use view prefixes (#71)
• Send JSON response if request is an AJAX request (#75)

Fixed

• Fix flawed logic in the UpdateUserProfileInformation action (#68, fea6473, 91518af)

Changed

• Remove unnecessary bag (85a7dfb)

Fixed

• Fix test bug when use sqlite database (#69)

Added

• Allow the expected email address request variable to be changed (#28)
• Update configuration stub with middleware option (#55)

Changed

• Make routes more dynamic (#41)
• Add illuminate/support dependency (#46)
• Resend email verification after user update (#52, 951d943)

Fixed

• Only register two-factor-challenge routes if TFA feature enabled (#44)
• Added missing request to the throwFailedAuthenticationException method (#61)

Added

• Confirmed password status controller (fe5821f)
• Configurable password timeout (f0a6477, 2b4fa36)

Changed

• Switch the TwoFactorLoginResponse for a contract bound in container (#34)
• Enable password confirmation (9e9d154)

Changed

• Extract ConfirmPassword action (a9e68f2)

Fixed

• Update what is passed to custom callback (9215e54)

Added

• Google2fa v8 support (#25)
• Add support for password confirmation (#6, 3ed5e87, 865ed4f, c58a2fb)

• [1.x] Ensure logout route is authenticated by [@timacdonald](https://github.com/timacdonald) in https://github.com/laravel/fortify/pull/536

• [1.x] Bacon QR 3.0 support by [@eshimischi](https://github.com/eshimischi) in https://github.com/laravel/fortify/pull/534

• Specify return type array type by [@santigarcor](https://github.com/santigarcor) in https://github.com/laravel/fortify/pull/525
• [1.x] Make commands lazy by [@timacdonald](https://github.com/timacdonald) in https://github.com/laravel/fortify/pull/527

• [1.x] Adds fortify:install Artisan command by [@nunomaduro](https://github.com/nunomaduro) in https://github.com/laravel/fortify/pull/524

• Don't overwrite an already two factor secret unless force = true by [@danmatthews](https://github.com/danmatthews) in https://github.com/laravel/fortify/pull/518
• Use Date facade for storing the password confirmation timestamp by [@chrisvanlier2005](https://github.com/chrisvanlier2005) in https://github.com/laravel/fortify/pull/520

• [1.x] Merges develop by [@nunomaduro](https://github.com/nunomaduro) in https://github.com/laravel/fortify/pull/515

Fixed

• Pass request through to the callback (#21)

Added

• Allow granular authentication customization (cd8b6aa)

• Deprecate the password rule and use illuminate password rule by [@ricklambrechts](https://github.com/ricklambrechts) in https://github.com/laravel/fortify/pull/511

• Add new event by @taylorotwell in https://github.com/laravel/fortify/commit/2da721fead1f3bc18af983e4903c4e1df67177e7

• Fix paths in default config using nested arrays by [@sebj54](https://github.com/sebj54) in https://github.com/laravel/fortify/pull/501

• Added case-sensitivity option for usernames by [@Radiergummi](https://github.com/Radiergummi) in https://github.com/laravel/fortify/pull/485
• Added response contract for email verification notification by [@m-thalmann](https://github.com/m-thalmann) in https://github.com/laravel/fortify/pull/489

• Update logout to invalidate and regenerate session only if session is present (Issue #486) by [@karmendra](https://github.com/karmendra) in https://github.com/laravel/fortify/pull/487

• [1.x] Laravel Pint fixes by [@iruoy](https://github.com/iruoy) in https://github.com/laravel/fortify/pull/480

• Port security fixes to default login rate limiter by @staudenmeir in https://github.com/laravel/fortify/pull/473

• Fix contract implementation by @jessarcher in https://github.com/laravel/fortify/pull/472

• Revert "Add rate limiter for a registration" by @taylorotwell in https://github.com/laravel/fortify/pull/465

• Add rate limiter for a registration by @trbsi in https://github.com/laravel/fortify/pull/460

• Add ability to override routes with custom paths by @stephenglass in https://github.com/laravel/fortify/pull/458

Added

• Laravel v10 Support by @driesvints in https://github.com/laravel/fortify/pull/435

Changed

• Update PrepareAuthenticatedSession.php by @francoism90 in https://github.com/laravel/fortify/pull/434
• Uses PHP Native Type Declarations 🐘 by @nunomaduro in https://github.com/laravel/fortify/pull/421

Fixed

• Fix error while preparing PasswordResetResponse with views turned off by @leonkllr0 in https://github.com/laravel/fortify/pull/433

Changed

• Only fire event when actually updating the database to disable two factor authentication by @taylorotwell in https://github.com/laravel/fortify/commit/04b4b9c20e421c415d0427904a72e08a21bdec27

Added

• Add more Response contract bindings by @bdsumon4u in https://github.com/laravel/fortify/pull/425

Changed

• Update parameter order for hash_equals function in TwoFactorLoginRequest by @jayan-blutui in https://github.com/laravel/fortify/pull/422

Fixed

• Use boolean rather than filled for remember by @Codeatron5000 in https://github.com/laravel/fortify/pull/423

Fixed

• Fix error message when entering invalid 2fa code by @emargareten in https://github.com/laravel/fortify/pull/415
• Use Fortify username method on ConfirmPassword action by @jayan-blutui in https://github.com/laravel/fortify/pull/420

Changed

• Add and use constants for session flashes by @dwightwatson in https://github.com/laravel/fortify/pull/409
• Use current_password rule when changing password by @dwightwatson in https://github.com/laravel/fortify/pull/410
• Parameters order with hash_equals by @chivincent in https://github.com/laravel/fortify/pull/411

Fixed

• Only save user if need to by @taylorotwell in https://github.com/laravel/fortify/commit/9a68cf2deb37d1796b6e2fd97d3c61f086868914

Changed

• Return recovery errors under the recovery_code key by @jessarcher in https://github.com/laravel/fortify/pull/401

Fixed

• Fix second usage of 2FA code by @xwillq in https://github.com/laravel/fortify/pull/399

Fixed

• Call FailedTwoFactorLoginResponse::toResponse with TwoFactorLoginRequest by @ricklambrechts in https://github.com/laravel/fortify/pull/395

Added

• Added config option for custom OTP window by @robtesch in https://github.com/laravel/fortify/pull/385

Changed

• 2FA setup key by @ps-sean in https://github.com/laravel/fortify/pull/371
• Enable 2FA confirmation by default by @taylorotwell in https://github.com/laravel/fortify/commit/a6caadc80e348755de0e1da221a6253d9f2c48f9

Fixed

• Fix double error message for failed 2FA response by @driesvints in https://github.com/laravel/fortify/pull/369

Fixed

• Ensures route password.confirm is defined when not using views by @Frozire in https://github.com/laravel/fortify/pull/368

Security

• Cache 2FA token timestamp by @driesvints in https://github.com/laravel/fortify/pull/366

Fixed

• Fix Exception when sending empty 2FA confirmation code by @srdante in https://github.com/laravel/fortify/pull/361
• Unsupported operand types on rollback migration by @Jackpump in https://github.com/laravel/fortify/pull/362

Changed

• Include the otpauth url when retrieving the QR svg by @JanMisker in https://github.com/laravel/fortify/pull/356
• Confirmable 2FA by @taylorotwell in https://github.com/laravel/fortify/pull/358

Changed

• Prevent new login after 2FA challenge (#353)

Security

• Fix throttle bypass exploit (#354)

Changed

• Fix VerifyEmailResponse resolving (#349)

Added

• Add VerifyEmailResponse contract (#347)

Changed

• Switch to anonymous migrations (#348)

Added

• Allow full customization of authentication pipeline (6c36b08)

Changed

• Use PasswordValidationRules trait in CreateNewUser action (#18)
• Callable customization of any view (661d726)

Initial stable release.

• Fix incorrect key for error bag by @vaibhavpandeyvpz in https://github.com/laravel/fortify/pull/360