From a306583cd8e2294082d0a272316dda99ca8d1169 Mon Sep 17 00:00:00 2001
From: Arne Perschke <a.perschke@hctec.net>
Date: Sun, 24 Jul 2022 20:13:24 +0200
Subject: [PATCH] Fix issue #162

---
 .../2017_02_11_000000_create_users_table.php  |  8 +++++
 phpunit.xml                                   |  1 +
 src/Guard/SessionGuard.php                    | 19 +++++++++++
 tests/SessionGuardTest.php                    | 32 +++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 tests/SessionGuardTest.php

diff --git a/migrations/2017_02_11_000000_create_users_table.php b/migrations/2017_02_11_000000_create_users_table.php
index f7f796c..09f16b5 100644
--- a/migrations/2017_02_11_000000_create_users_table.php
+++ b/migrations/2017_02_11_000000_create_users_table.php
@@ -44,6 +44,14 @@ public function up()
                 'can_be_impersonated' => 1,
                 'created_at' => Carbon::now()->toDateTimeString(),
             ],
+            [
+                'name'       => 'Different Password User',
+                'email'      => 'different-password-user@test.rocks',
+                'password'   => bcrypt('different-password'),
+                'is_admin'   => 0,
+                'can_be_impersonated' => 1,
+                'created_at' => Carbon::now()->toDateTimeString(),
+            ],
             [
                 'name'       => 'SuperAdmin',
                 'email'      => 'superadmin@test.rocks',
diff --git a/phpunit.xml b/phpunit.xml
index 6de1139..bbd3853 100644
--- a/phpunit.xml
+++ b/phpunit.xml
@@ -17,6 +17,7 @@
             <file>tests/BladeDirectivesTest.php</file>
             <file>tests/RoutesTest.php</file>
             <file>tests/MiddlewareProtectFromImpersonationTest.php</file>
+            <file>tests/SessionGuardTest.php</file>
         </testsuite>
     </testsuites>
     <filter>
diff --git a/src/Guard/SessionGuard.php b/src/Guard/SessionGuard.php
index 7dff530..56b07f0 100644
--- a/src/Guard/SessionGuard.php
+++ b/src/Guard/SessionGuard.php
@@ -17,6 +17,8 @@ public function quietLogin(Authenticatable $user)
     {
         $this->updateSession($user->getAuthIdentifier());
 
+        $this->updatePasswordHashes($user);
+
         $this->setUser($user);
     }
 
@@ -35,4 +37,21 @@ public function quietLogout()
 
         $this->loggedOut = true;
     }
+
+    /**
+     * Removes the stored password hashes from the session.
+     *
+     * @param   void
+     * @return  void
+     */
+    protected function updatePasswordHashes(Authenticatable $user)
+    {
+        // Sort out password hashes stored in session
+        foreach (array_keys(config('auth.guards')) as $guard) {
+            $hashName = 'password_hash_' . $guard;
+            if ($this->session->has($hashName)) {
+                $this->session->put($hashName, $user->getAuthPassword());
+            }
+        }
+    }
 }
diff --git a/tests/SessionGuardTest.php b/tests/SessionGuardTest.php
new file mode 100644
index 0000000..9a928f3
--- /dev/null
+++ b/tests/SessionGuardTest.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Lab404\Tests;
+
+use Illuminate\Support\Facades\Hash;
+use Lab404\Tests\Stubs\Models\User;
+
+class SessionGuardTest extends TestCase
+{
+    /** @var String $guard */
+    private $guard;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+        $this->guard = 'web';
+    }
+
+    /** @test */
+    public function it_updates_password_hash()
+    {
+        $hashName = 'password_hash_' . $this->guard;
+        $this->app['auth']->guard($this->guard)->loginUsingId('admin@test.rocks');
+        $startHash = Hash::make(auth()->user()->password);
+        $this->app['auth']->guard($this->guard)->getSession()->put($hashName, $startHash);
+        $this->app['auth']->guard($this->guard)->quietLogout();
+        $this->app['auth']->guard($this->guard)->quietLogin(
+            User::where('email', 'different-password-user@test.rocks')->first()
+        );
+        $this->assertNotEquals($startHash, $this->app['auth']->guard($this->guard)->getSession()->get($hashName));
+    }
+}