You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -149,17 +152,17 @@ The unlock link is temporary and validates the signature before performing the u
149
152
150
153
If you want to ensure that when a locked user attempts to log in, any existing sessions are terminated, you can enable the `logout_on_login` configuration option. This is particularly useful in scenarios where you want to prevent locked users from maintaining active sessions.
151
154
152
-
Also, is useful in scenario like third party admin panels (e.g. Filament, Nova) where you can't easily add the lockout middleware to the login route.
155
+
It is also useful in scenarios such as third-party admin panels (e.g. Filament, Nova) where you can't easily add the lockout middleware to the login route.
153
156
154
157
You can enable this feature by setting the `logout_on_login` option to `true` in your `config/lockout.php` file:
155
158
156
159
```php
157
160
'logout_on_login' => true,
158
161
```
159
162
160
-
You can also override the `logoutAfterLogin` method on your model that uses the `HasLockout` trait to customize the logout behavior further. The default behavior is:
163
+
You can also override the `logoutOnLockout` method on your model that uses the `HasLockout` trait to customize the logout behavior further. The default behavior is:
161
164
162
-
```PHP
165
+
```php
163
166
public function logoutOnLockout(?string $guard = null): bool
164
167
{
165
168
// Default common case behavior
@@ -172,6 +175,49 @@ public function logoutOnLockout(?string $guard = null): bool
172
175
}
173
176
```
174
177
178
+
## Lock on Login
179
+
180
+
This package optionally supports a "lock on login" flow that lets a user lock their own account immediately after a successful sign-in via a one-click, signed link sent to their email.
181
+
182
+
How it works
183
+
- When `lock_on_login` is enabled in the configuration, the package's `OnUserLogin` listener will attempt to send a login notification to the authenticating model after a successful login.
184
+
- The notification contains a temporary, signed URL (route name `lockout.lock`) that, when clicked, will immediately create a persistent lock for that account.
185
+
- The route that handles the link (`LockController`) will:
186
+
1. Resolve the login model for the supplied identifier.
187
+
2. Create a persistent lock for the model (via `lockModel` / the model's `lock()` helper).
188
+
3. Optionally send an unlock notification (if `unlock_via_notification` is enabled).
189
+
4. Redirect the user back to a configured route with a friendly status message.
190
+
191
+
Enable the feature
192
+
```php
193
+
// config/lockout.php
194
+
'lock_on_login' => true,
195
+
```
196
+
197
+
Important notes
198
+
- The authenticatable model must be notifiable (i.e., implement `notify()` / use the `Notifiable` trait) for the package to send the login notification.
199
+
- The notification class used for the login notification is configurable via `lockout.login_notification_class`. By default the package ships `\Beliven\Lockout\Notifications\AccountLogged`.
200
+
- The temporary signed lock URL lifetime is controlled by `lockout.lock_link_minutes` (default 1440 minutes).
201
+
- The lock route is protected by Laravel's `signed` middleware — the request must be a valid signed URL.
202
+
203
+
Example route (the package registers this for you if you include package routes):
- The `AccountLogged` notification uses translation keys under `lockout.notifications.account_logged.*`. You can change the notification class or customize translations to alter the subject / body of the email sent at login.
210
+
211
+
Security considerations
212
+
- Because the lock link grants the ability to immediately lock an account, the link is temporary and signed; ensure `APP_KEY` and your app URL are configured correctly so signature validation works reliably.
213
+
- The link includes a random entropy parameter to reduce predictability.
214
+
215
+
Customizing behavior
216
+
- Replace the login notification by setting `lockout.login_notification_class` in your config.
217
+
- If you want a custom flow when the link is clicked, you can override the `LockController` or register your own route/listener for `lockout.lock` and `lockout.unlock` events.
218
+
219
+
This feature is opt-in; leave `lock_on_login` disabled if you prefer not to send login notifications.
0 commit comments