fix(auth): enforce global oauth_only and return validation errors instead of exceptions

- Add global instanceSettings()->oauth_only check in FortifyServiceProvider
- ResetUserPassword: Use ValidationException instead of Exception, add global check
- UpdateUserPassword: Use ValidationException instead of Exception, add global check
Heyang Gong 2026-03-10 08:42:36 +08:00
parent 1ad047fb6b
commit 058ec42699
3 changed files with 17 additions and 4 deletions


@ -6,6 +6,7 @@ use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Validator;
use Illuminate\Validation\Rules\Password;
use Illuminate\Validation\ValidationException;
use Laravel\Fortify\Contracts\ResetsUserPasswords;
class ResetUserPassword implements ResetsUserPasswords
@ -17,9 +18,12 @@ class ResetUserPassword implements ResetsUserPasswords
*/
public function reset(User $user, array $input): void
{
$settings = instanceSettings();
// Prevent OAuth-only users from resetting passwords
if ($user->oauth_only) {
throw new \Exception('OAuth-only users cannot reset passwords.');
if ($settings->oauth_only || $user->oauth_only) {
throw ValidationException::withMessages([
'email' => __('Password reset is disabled for OAuth-only accounts.'),
]);
}
Validator::make($input, [
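Review bot: The message thrown at L31 blames the account ("for OAuth-only accounts") even when it was the instance-wide `$settings->oauth_only` half of the condition at L29 that fired, so a user whose own account is password-capable is told something untrue about it. Branching the text keeps it accurate: `'email' => $settings->oauth_only ? __('Password reset is disabled on this instance.') : __('Password reset is disabled for OAuth-only accounts.'),`. The same wording issue and the identical two-line guard appear in UpdateUserPassword::update in the next file section; a small shared helper on User (constructed example: `passwordAuthDisabled()`) would keep both actions and the login callback in step. If the instance-wide flag is meant to disable password recovery entirely, the reset-link request path presumably still sends mail and should be checked against the same setting — worth confirming. reset()'s body continues past the end of the hunk.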


@ -6,6 +6,7 @@ use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Validator;
use Illuminate\Validation\Rules\Password;
use Illuminate\Validation\ValidationException;
use Laravel\Fortify\Contracts\UpdatesUserPasswords;
class UpdateUserPassword implements UpdatesUserPasswords
@ -17,9 +18,12 @@ class UpdateUserPassword implements UpdatesUserPasswords
*/
public function update(User $user, array $input): void
{
$settings = instanceSettings();
// Prevent OAuth-only users from updating passwords
if ($user->oauth_only) {
throw new \Exception('OAuth-only users cannot update passwords.');
if ($settings->oauth_only || $user->oauth_only) {
throw ValidationException::withMessages([
'current_password' => __('Password update is disabled for OAuth-only accounts.'),
]);
}
Validator::make($input, [


@ -78,6 +78,11 @@ class FortifyServiceProvider extends ServiceProvider
$user &&
Hash::check($request->password, $user->password)
) {
$settings = instanceSettings();
// Prevent password login when global OAuth-only is enabled
if ($settings->oauth_only) {
return null;
}
// Prevent OAuth-only users from logging in with password
if ($user->oauth_only) {
return null;
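Review bot: The instance-wide check at L68 does not depend on `$user` at all, yet it only runs after the user lookup and `Hash::check` at L64 have succeeded; hoisting `if (instanceSettings()->oauth_only) { return null; }` to the top of the callback (before the lookup, outside this hunk) rejects password logins without first computing a hash and reads more clearly. Returning `null` surfaces to the caller as a generic failed-credentials error, while the two action classes in this commit throw a ValidationException that names the OAuth-only reason; if that asymmetry is deliberate — not confirming an account's auth mode to an unauthenticated caller — a comment such as `// Intentionally indistinguishable from a wrong password: do not reveal the auth mode to unauthenticated callers` would stop a later reader from "fixing" it. Consider also emitting a log line on this branch so an operator can tell a blocked password login from a plain typo. The enclosing callback starts and ends outside the hunk.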