app/Http/Controllers/Api/Client/AccountController.php

<?php

namespace App\Http\Controllers\Api\Client;

use App\Facades\Activity;
use App\Http\Requests\Api\Client\Account\UpdateEmailRequest;
use App\Http\Requests\Api\Client\Account\UpdatePasswordRequest;
use App\Http\Requests\Api\Client\Account\UpdateUsernameRequest;
use App\Services\Users\UserUpdateService;
use App\Transformers\Api\Client\UserTransformer;
use Illuminate\Auth\AuthManager;
use Illuminate\Auth\SessionGuard;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\RateLimiter;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Throwable;

class AccountController extends ClientApiController
{
    /**
     * The number of seconds that must elapse before the email change throttle resets.
     */
    private const EMAIL_UPDATE_THROTTLE = 60 * 60 * 24;

    /**
     * AccountController constructor.
     */
    public function __construct(private AuthManager $manager, private UserUpdateService $updateService)
    {
        parent::__construct();
    }

    /**
     * View account
     *
     * @return array<array-key, mixed>
     */
    public function index(Request $request): array
    {
        return $this->fractal->item($request->user())
            ->transformWith($this->getTransformer(UserTransformer::class))
            ->toArray();
    }

    /**
     * Update username
     *
     * Update the authenticated user's username.
     */
    public function updateUsername(UpdateUsernameRequest $request): JsonResponse
    {
        $original = $request->user()->username;
        $this->updateService->handle($request->user(), $request->validated());

        if ($original !== $request->input('username')) {
            Activity::event('user:account.username-changed')
                ->property(['old' => $original, 'new' => $request->input('username')])
                ->log();
        }

        return new JsonResponse([], Response::HTTP_NO_CONTENT);
    }

    /**
     * Update email
     *
     * Update the authenticated user's email address.
     */
    public function updateEmail(UpdateEmailRequest $request): JsonResponse
    {
        $user = $request->user();

        // Only allow a user to change their email three times in the span
        // of 24 hours. This prevents malicious users from trying to find
        // existing accounts in the system by constantly changing their email.
        if (RateLimiter::tooManyAttempts($key = "user:update-email:{$user->uuid}", 3)) {
            throw new TooManyRequestsHttpException(message: 'Your email address has been changed too many times today. Please try again later.');
        }

        $original = $user->email;

        if (mb_strtolower($original) !== mb_strtolower($request->validated('email'))) {
            RateLimiter::hit($key, self::EMAIL_UPDATE_THROTTLE);

            $this->updateService->handle($user, $request->validated());

            Activity::event('user:account.email-changed')
                ->property(['old' => $original, 'new' => $request->input('email')])
                ->log();
        }

        return new JsonResponse([], Response::HTTP_NO_CONTENT);
    }

    /**
     * Update password
     *
     * Update the authenticated user's password. All existing sessions will be logged
     * out immediately.
     *
     * @throws Throwable
     */
    public function updatePassword(UpdatePasswordRequest $request): JsonResponse
    {
        $user = Activity::event('user:account.password-changed')->transaction(function () use ($request) {
            return $this->updateService->handle($request->user(), $request->validated());
        });

        $guard = $this->manager->guard();
        // If you do not update the user in the session you'll end up working with a
        // cached copy of the user that does not include the updated password. Do this
        // to correctly store the new user details in the guard and allow the logout
        // other devices functionality to work.
        $guard->setUser($user);

        if ($guard instanceof SessionGuard) {
            $guard->logoutOtherDevices($request->input('password'));
        }

        return new JsonResponse([], Response::HTTP_NO_CONTENT);
    }
}
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00			`<?php`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`namespace App\Http\Controllers\Api\Client;`
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Facades\Activity;`
			`use App\Http\Requests\Api\Client\Account\UpdateEmailRequest;`
			`use App\Http\Requests\Api\Client\Account\UpdatePasswordRequest;`
Add api endpoint for updating username (#1826) 2025-11-03 08:31:07 +01:00			`use App\Http\Requests\Api\Client\Account\UpdateUsernameRequest;`
Enable "ordered imports" (#1746) 2025-09-24 13:34:19 +02:00			`use App\Services\Users\UserUpdateService;`
Refactor UserTransformers (#423) * remove AccountTransformer and update UserTransformer (client api) to match UserTransformer (application api) * rename "toVueObject" * fix tests * forgot to rename this * backwards compat * fix tests 2024-06-23 16:33:18 +02:00			`use App\Transformers\Api\Client\UserTransformer;`
Enable "ordered imports" (#1746) 2025-09-24 13:34:19 +02:00			`use Illuminate\Auth\AuthManager;`
			`use Illuminate\Auth\SessionGuard;`
			`use Illuminate\Http\JsonResponse;`
			`use Illuminate\Http\Request;`
			`use Illuminate\Http\Response;`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`use Illuminate\Support\Facades\RateLimiter;`
			`use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;`
Enable "ordered imports" (#1746) 2025-09-24 13:34:19 +02:00			`use Throwable;`
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00
			`class AccountController extends ClientApiController`
			`{`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`/**`
			`* The number of seconds that must elapse before the email change throttle resets.`
			`*/`
			`private const EMAIL_UPDATE_THROTTLE = 60 * 60 * 24;`

Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00			`/**`
			`* AccountController constructor.`
			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`public function __construct(private AuthManager $manager, private UserUpdateService $updateService)`
Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00			`{`
			`parent::__construct();`
			`}`

Small api docs improvements (#1032) * update scramble * cleanup application api endpoints * cleanup client api endpoints * fix security schema and make docs homepage nicer * remove duplicate myclabs/deep-copy * style(api-docs): use Blade template and Tailwind for styling * Publish scramble view * Use localStorage theme instead of config * Update routes/docs.php Co-authored-by: Lance Pioch <git@lance.sh> --------- Co-authored-by: Quinten <67589015+QuintenQVD0@users.noreply.github.com> Co-authored-by: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com> Co-authored-by: Lance Pioch <git@lance.sh> 2025-02-26 16:12:19 +01:00			`/**`
			`* View account`
PHPstan updates (#1047) * Not found property rule * Make these “better” * Day 1 * Day 2 * Day 3 * Dat 4 * Remove disabled check * Day 4 continued * Run pint * Final changes hopefully * Pint fixes * Fix again * Reset these * Update app/Filament/Admin/Pages/Health.php Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> * Update app/Traits/CheckMigrationsTrait.php Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> --------- Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> 2025-03-03 14:41:19 -05:00			`*`
			`* @return array<array-key, mixed>`
Small api docs improvements (#1032) * update scramble * cleanup application api endpoints * cleanup client api endpoints * fix security schema and make docs homepage nicer * remove duplicate myclabs/deep-copy * style(api-docs): use Blade template and Tailwind for styling * Publish scramble view * Use localStorage theme instead of config * Update routes/docs.php Co-authored-by: Lance Pioch <git@lance.sh> --------- Co-authored-by: Quinten <67589015+QuintenQVD0@users.noreply.github.com> Co-authored-by: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com> Co-authored-by: Lance Pioch <git@lance.sh> 2025-02-26 16:12:19 +01:00			`*/`
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00			`public function index(Request $request): array`
			`{`
			`return $this->fractal->item($request->user())`
Refactor UserTransformers (#423) * remove AccountTransformer and update UserTransformer (client api) to match UserTransformer (application api) * rename "toVueObject" * fix tests * forgot to rename this * backwards compat * fix tests 2024-06-23 16:33:18 +02:00			`->transformWith($this->getTransformer(UserTransformer::class))`
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00			`->toArray();`
			`}`
Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00
Add api endpoint for updating username (#1826) 2025-11-03 08:31:07 +01:00			`/**`
			`* Update username`
			`*`
			`* Update the authenticated user's username.`
			`*/`
			`public function updateUsername(UpdateUsernameRequest $request): JsonResponse`
			`{`
			`$original = $request->user()->username;`
			`$this->updateService->handle($request->user(), $request->validated());`

			`if ($original !== $request->input('username')) {`
			`Activity::event('user:account.username-changed')`
			`->property(['old' => $original, 'new' => $request->input('username')])`
			`->log();`
			`}`

			`return new JsonResponse([], Response::HTTP_NO_CONTENT);`
			`}`

Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00			`/**`
Small api docs improvements (#1032) * update scramble * cleanup application api endpoints * cleanup client api endpoints * fix security schema and make docs homepage nicer * remove duplicate myclabs/deep-copy * style(api-docs): use Blade template and Tailwind for styling * Publish scramble view * Use localStorage theme instead of config * Update routes/docs.php Co-authored-by: Lance Pioch <git@lance.sh> --------- Co-authored-by: Quinten <67589015+QuintenQVD0@users.noreply.github.com> Co-authored-by: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com> Co-authored-by: Lance Pioch <git@lance.sh> 2025-02-26 16:12:19 +01:00			`* Update email`
			`*`
Finalize email/password changing in UI 2018-06-17 16:53:24 -07:00			`* Update the authenticated user's email address.`
Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00			`*/`
Add integration test covering account endpoint 2020-06-25 22:12:09 -07:00			`public function updateEmail(UpdateEmailRequest $request): JsonResponse`
Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00			`{`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`$user = $request->user();`

			`// Only allow a user to change their email three times in the span`
			`// of 24 hours. This prevents malicious users from trying to find`
			`// existing accounts in the system by constantly changing their email.`
			`if (RateLimiter::tooManyAttempts($key = "user:update-email:{$user->uuid}", 3)) {`
			`throw new TooManyRequestsHttpException(message: 'Your email address has been changed too many times today. Please try again later.');`
			`}`

			`$original = $user->email;`

			`if (mb_strtolower($original) !== mb_strtolower($request->validated('email'))) {`
			`RateLimiter::hit($key, self::EMAIL_UPDATE_THROTTLE);`

			`$this->updateService->handle($user, $request->validated());`
Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00
Don't log activity if the email wasn't actually changed 2022-07-03 14:29:01 -04:00			`Activity::event('user:account.email-changed')`
			`->property(['old' => $original, 'new' => $request->input('email')])`
			`->log();`
			`}`
Log activity when modifying account details 2022-05-29 18:48:35 -04:00
Add integration test covering account endpoint 2020-06-25 22:12:09 -07:00			`return new JsonResponse([], Response::HTTP_NO_CONTENT);`
Finalize email/password changing in UI 2018-06-17 16:53:24 -07:00			`}`

			`/**`
Small api docs improvements (#1032) * update scramble * cleanup application api endpoints * cleanup client api endpoints * fix security schema and make docs homepage nicer * remove duplicate myclabs/deep-copy * style(api-docs): use Blade template and Tailwind for styling * Publish scramble view * Use localStorage theme instead of config * Update routes/docs.php Co-authored-by: Lance Pioch <git@lance.sh> --------- Co-authored-by: Quinten <67589015+QuintenQVD0@users.noreply.github.com> Co-authored-by: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com> Co-authored-by: Lance Pioch <git@lance.sh> 2025-02-26 16:12:19 +01:00			`* Update password`
			`*`
Password change needs to require user login to reset some cookies closes #1793 2019-12-28 12:07:42 -08:00			`* Update the authenticated user's password. All existing sessions will be logged`
			`* out immediately.`
Finalize email/password changing in UI 2018-06-17 16:53:24 -07:00			`*`
Filament v4 🎉 (#1651) Co-authored-by: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com> Co-authored-by: Boy132 <Boy132@users.noreply.github.com> Co-authored-by: Lance Pioch <git@lance.sh> 2025-09-08 13:12:33 -04:00			`* @throws Throwable`
Finalize email/password changing in UI 2018-06-17 16:53:24 -07:00			`*/`
Add integration test covering account endpoint 2020-06-25 22:12:09 -07:00			`public function updatePassword(UpdatePasswordRequest $request): JsonResponse`
Finalize email/password changing in UI 2018-06-17 16:53:24 -07:00			`{`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`$user = Activity::event('user:account.password-changed')->transaction(function () use ($request) {`
			`return $this->updateService->handle($request->user(), $request->validated());`
			`});`
Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531 2021-08-15 17:37:12 -07:00
Ensure tokens are found in the database using the expected logic 2022-05-22 16:05:58 -04:00			`$guard = $this->manager->guard();`
Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531 2021-08-15 17:37:12 -07:00			`// If you do not update the user in the session you'll end up working with a`
			`// cached copy of the user that does not include the updated password. Do this`
			`// to correctly store the new user details in the guard and allow the logout`
			`// other devices functionality to work.`
Ensure tokens are found in the database using the expected logic 2022-05-22 16:05:58 -04:00			`$guard->setUser($user);`
Finalize email/password changing in UI 2018-06-17 16:53:24 -07:00
Update phpstan to latest (#804) * Fix these * Update phpstan * Transform these into their identifiers instead * Fix custom rule * License is wrong * Update these * Pint fixes * Fix this * Consolidate these * Never supported PHP 7 * Better evaluation * Fixes * Don’t need ignore * Replace trait with service * Subusers are simply the many to many relationship between Servers and Users * Adjust to remove ignores * Use new query builder instead! * wip * Update composer * Quick fixes * Use realtime facade * Small fixes * Convert to static to avoid new * Update to statics * Don’t modify protected properties directly * Run pint * Change to correct method * Give up and use the facade * Make sure this route is available * Filament hasn’t been loaded yet * This can be readonly * Typehint * These are no longer used * Quick fixes * Need doc block help * Always true * We use caddy with docker * Pint * Fix phpstan issues * Remove unused import --------- Co-authored-by: MartinOscar <40749467+RMartinOscar@users.noreply.github.com> 2025-01-16 14:53:50 -05:00			`if ($guard instanceof SessionGuard) {`
Ensure tokens are found in the database using the expected logic 2022-05-22 16:05:58 -04:00			`$guard->logoutOtherDevices($request->input('password'));`
			`}`
Password change needs to require user login to reset some cookies closes #1793 2019-12-28 12:07:42 -08:00
Add integration test covering account endpoint 2020-06-25 22:12:09 -07:00			`return new JsonResponse([], Response::HTTP_NO_CONTENT);`
Get the base email update working through the API. Still going to need to determine the best course of action to update the token on the client side. 2018-06-11 22:56:57 -07:00			`}`
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00			`}`