login update
@@ -8,6 +8,18 @@ use Symfony\Component\HttpFoundation\Response;
class EnsureOnboardingComplete
{
/**
* Paths that must always be reachable regardless of onboarding state,
* so authenticated users can log out, complete OAuth flows, etc.
*/
private const ALWAYS_ALLOW = [
'logout',
'auth/*', // OAuth redirects & callbacks
'verify/*', // email verification links
'setup/*', // all /setup/* pages (password, username)
'up', // health check
];
public function handle(Request $request, Closure $next): Response
{
$user = $request->user();
@@ -20,17 +32,18 @@ class EnsureOnboardingComplete
return $next($request);
}
$target = match ($step) {
'email' => '/login',
'verified' => '/setup/password',
'password', 'username' => '/setup/username',
default => '/setup/password',
};
if ($request->is(ltrim($target, '/'))) {
// Always allow critical auth / setup paths through.
if ($request->is(self::ALWAYS_ALLOW)) {
return $next($request);
}
$target = match ($step) {
'email' => '/login',
'verified' => '/setup/password',
'password', 'username' => '/setup/username',
default => '/setup/password',
};
return redirect($target);
}
}
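Review bot: The `'email'` arm of the match still redirects to `/login`, but `login` is not in `ALWAYS_ALLOW`, so the removed `$request->is(ltrim($target, '/'))` guard has no equivalent for that target; if this middleware runs on the login route, an authenticated user whose step is `'email'` is redirected to `/login` and redirected again on arrival. The simplest fix is to add `'login',` to the `ALWAYS_ALLOW` constant introduced in the previous hunk, which also makes every match target reachable by construction. Separately, `'setup/*'` now lets a user at step `'verified'` reach `/setup/username` before a password is set, which the old per-target check prevented; that is only safe if each setup controller re-checks its prerequisite step, and the constant deserves a comment saying so, e.g. `// Step ordering inside /setup is enforced by the setup controllers, not here.` The enclosing `handle()` method starts in the previous hunk.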
@@ -14,5 +14,6 @@ class VerifyCsrfToken extends Middleware
protected $except = [
'chat_post',
'chat_post/*',
// Apple Sign In removed — no special CSRF exception required
];
}