Skip to content

Commit 30d7d5f

Browse files
docs: improve README.md
1 parent ae17300 commit 30d7d5f

1 file changed

Lines changed: 49 additions & 3 deletions

File tree

README.md

Lines changed: 49 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -109,6 +109,9 @@ return [
109109
'unlock_via_notification' => true,
110110
'notification_class' => \Beliven\Lockout\Notifications\AccountLocked::class,
111111
'notification_channels' => ['mail'],
112+
'lock_on_login' => false,
113+
'login_notification_class' => \Beliven\Lockout\Notifications\AccountLogged::class,
114+
'lock_link_minutes' => 1440,
112115
'max_attempts' => 5,
113116
'decay_minutes' => 30,
114117
'cache_store' => 'database',
@@ -149,17 +152,17 @@ The unlock link is temporary and validates the signature before performing the u
149152

150153
If you want to ensure that when a locked user attempts to log in, any existing sessions are terminated, you can enable the `logout_on_login` configuration option. This is particularly useful in scenarios where you want to prevent locked users from maintaining active sessions.
151154

152-
Also, is useful in scenario like third party admin panels (e.g. Filament, Nova) where you can't easily add the lockout middleware to the login route.
155+
It is also useful in scenarios such as third-party admin panels (e.g. Filament, Nova) where you can't easily add the lockout middleware to the login route.
153156

154157
You can enable this feature by setting the `logout_on_login` option to `true` in your `config/lockout.php` file:
155158

156159
```php
157160
'logout_on_login' => true,
158161
```
159162

160-
You can also override the `logoutAfterLogin` method on your model that uses the `HasLockout` trait to customize the logout behavior further. The default behavior is:
163+
You can also override the `logoutOnLockout` method on your model that uses the `HasLockout` trait to customize the logout behavior further. The default behavior is:
161164

162-
```PHP
165+
```php
163166
public function logoutOnLockout(?string $guard = null): bool
164167
{
165168
// Default common case behavior
@@ -172,6 +175,49 @@ public function logoutOnLockout(?string $guard = null): bool
172175
}
173176
```
174177

178+
## Lock on Login
179+
180+
This package optionally supports a "lock on login" flow that lets a user lock their own account immediately after a successful sign-in via a one-click, signed link sent to their email.
181+
182+
How it works
183+
- When `lock_on_login` is enabled in the configuration, the package's `OnUserLogin` listener will attempt to send a login notification to the authenticating model after a successful login.
184+
- The notification contains a temporary, signed URL (route name `lockout.lock`) that, when clicked, will immediately create a persistent lock for that account.
185+
- The route that handles the link (`LockController`) will:
186+
1. Resolve the login model for the supplied identifier.
187+
2. Create a persistent lock for the model (via `lockModel` / the model's `lock()` helper).
188+
3. Optionally send an unlock notification (if `unlock_via_notification` is enabled).
189+
4. Redirect the user back to a configured route with a friendly status message.
190+
191+
Enable the feature
192+
```php
193+
// config/lockout.php
194+
'lock_on_login' => true,
195+
```
196+
197+
Important notes
198+
- The authenticatable model must be notifiable (i.e., implement `notify()` / use the `Notifiable` trait) for the package to send the login notification.
199+
- The notification class used for the login notification is configurable via `lockout.login_notification_class`. By default the package ships `\Beliven\Lockout\Notifications\AccountLogged`.
200+
- The temporary signed lock URL lifetime is controlled by `lockout.lock_link_minutes` (default 1440 minutes).
201+
- The lock route is protected by Laravel's `signed` middleware — the request must be a valid signed URL.
202+
203+
Example route (the package registers this for you if you include package routes):
204+
```php
205+
Route::middleware(['signed'])->get('/lockout/lock', \Beliven\Lockout\Http\Controllers\LockController::class)->name('lockout.lock');
206+
```
207+
208+
Translation & notification text
209+
- The `AccountLogged` notification uses translation keys under `lockout.notifications.account_logged.*`. You can change the notification class or customize translations to alter the subject / body of the email sent at login.
210+
211+
Security considerations
212+
- Because the lock link grants the ability to immediately lock an account, the link is temporary and signed; ensure `APP_KEY` and your app URL are configured correctly so signature validation works reliably.
213+
- The link includes a random entropy parameter to reduce predictability.
214+
215+
Customizing behavior
216+
- Replace the login notification by setting `lockout.login_notification_class` in your config.
217+
- If you want a custom flow when the link is clicked, you can override the `LockController` or register your own route/listener for `lockout.lock` and `lockout.unlock` events.
218+
219+
This feature is opt-in; leave `lock_on_login` disabled if you prefer not to send login notifications.
220+
175221
---
176222

177223
## API Reference (quick)

0 commit comments

Comments
 (0)