From 628e880e1a6235b73eef2564d0c1bb65cf16dcf3 Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 27 May 2026 12:46:09 -0400 Subject: [PATCH 1/3] docs(appframework): clarify PasswordConfirmationRequired docblocks Signed-off-by: Josh --- .../Attribute/PasswordConfirmationRequired.php | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php index c41e5aa244515..d8c5614312336 100644 --- a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php +++ b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php @@ -12,14 +12,24 @@ use Attribute; /** - * Attribute for controller methods that require the password to be confirmed with in the last 30 minutes + * Attribute for controller methods that require password confirmation, if + * supported by the active authentication backend. + * + * The exact enforcement behavior depends on the password confirmation + * middleware. + * + * In non-strict mode, this normally relies on a recent prior confirmation, + * currently defined by the middleware as within the last 30 minutes. + * + * In strict mode, confirmation is attempted as part of the current request. * * @since 27.0.0 */ #[Attribute] class PasswordConfirmationRequired { /** - * @param bool $strict - Whether password confirmation needs to happen in the request. + * @param bool $strict Whether password confirmation must happen as part of + * the current request instead of relying on a recent prior confirmation. * * @since 31.0.0 */ @@ -29,10 +39,11 @@ public function __construct( } /** + * Returns whether password confirmation must happen during the current request. + * * @since 31.0.0 */ public function getStrict(): bool { return $this->strict; } - } From b99e14275e3b99a6a6aefbcf5dd6ebaec6362d0a Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 27 May 2026 17:31:39 -0400 Subject: [PATCH 2/3] chore: lint fixup Signed-off-by: Josh --- .../Http/Attribute/PasswordConfirmationRequired.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php index d8c5614312336..5dd6aa7eed5f8 100644 --- a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php +++ b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php @@ -29,7 +29,8 @@ class PasswordConfirmationRequired { /** * @param bool $strict Whether password confirmation must happen as part of - * the current request instead of relying on a recent prior confirmation. + * the current request instead of relying on a recent + * prior confirmation. * * @since 31.0.0 */ From 5d3c91ad51f4194a8058a77e945b5875e787cd49 Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 28 May 2026 09:51:10 -0400 Subject: [PATCH 3/3] docs(appframework): mention basic auth req for PasswordConfirmation Signed-off-by: Josh --- .../AppFramework/Http/Attribute/PasswordConfirmationRequired.php | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php index 5dd6aa7eed5f8..80606392b1751 100644 --- a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php +++ b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php @@ -22,6 +22,7 @@ * currently defined by the middleware as within the last 30 minutes. * * In strict mode, confirmation is attempted as part of the current request. + * Credentials must be provided via Basic HTTP authentication. * * @since 27.0.0 */