Draft
We introduced the concept of "Elevated Sessions" in v6 (#11688), allowing you to prompt users for their password or a verification code before taking sensitive actions.
Until now, elevated sessions have only been available in the Control Panel. This PR brings them to the frontend, ahead of another PR I'm working on.
Note
I haven't added the `RequireElevatedSession` middleware to any routes yet but I'm planning to use it on another PR I'm working on. For testing purposes, I've added it to a random page in my sandbox app.

Elevated Session page
Before you can take certain actions, you'll be redirected to a Statamic-looking authentication page where you'll be asked to confirm your identity.
If necessary, you may provide a custom page by specifying the URL in the `users.php` config file and using the `{{ user:elevated_session_form }}` tag.

```antlers
{{ user:elevated_session_form }}
    {{ if errors }}
        <div class="bg-red-300 text-white p-2">
            {{ errors }}
                {{ value }}<br>
            {{ /errors }}
        </div>
    {{ /if }}

    {{ if method == "password_confirmation" }}
        <label>Password</label>
        <input type="password" name="password" />
    {{ /if }}

    {{ if method == "verification_code" }}
        <p>A verification code has been sent to your email.</p>
        <label>Verification Code</label>
        <input type="text" name="verification_code" />
        <a href="{{ resend_code_url }}">Resend code</a>
    {{ /if }}

    <button type="submit">Confirm</button>
{{ /user:elevated_session_form }}
```

The `method` variable indicates how the user should confirm their identity:

- `password_confirmation` - User should enter their password.
- `verification_code` - User doesn't have a password, so they should enter the verification code sent to their email.
- `passkey` - User requires a passkey to log in. Note: Passkeys aren't currently supported on the frontend.

Users will be redirected back to the original page once they've confirmed their identity.
Docs PR: statamic/docs#1878