Ensuring a new password is different.

[mikeeyo23]

How can I ensure that a reset password is different than a current password? Here is my current controller:

---

<?php

namespace App\Controllers;

use CodeIgniter\HTTP\RedirectResponse;
use CodeIgniter\Session\Session;
use CodeIgniter\Shield\Entities\User;
use CodeIgniter\Shield\Models\UserModel;

class ResetPassword extends BaseController
{
    public function forcePasswordView()
    {
        // Check if the user is not logged in
        if (!auth()->loggedIn()) {
            return redirect()->to(config('Auth')->loginRedirect());
        }

        // Load the 'auth/resetPassword' view
        return view('auth/resetPassword');
    }

    public function forcePasswordAction()
    {
        // Check if the user is not logged in
        if (!auth()->loggedIn()) {
            return redirect()->to(config('Auth')->loginRedirect());
        }

        // Get the UserModel
        $users = $this->getUserProvider();

        // Retrieve the user
        $user = auth()->user();

        // Validate the form input
        $rules = $this->getValidationRules();
        if (! $this->validate($rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        // Update the user's password
        $password = $this->request->getPost('password');

        $user->fill([
        'password' => $password
        ]);

        // Save the updated user
        $users->save($user);

        // Remove force password reset flag
        $user->undoForcePasswordReset();

        // Logout user and redirect to login
        auth()->logout();
        return redirect()->to(config('Auth')->loginRedirect())->with('message', lang('Auth.changePasswordSuccess'));
    }

    protected function getUserProvider(): UserModel
    {
        $provider = model(setting('Auth.userProvider'));
        assert($provider instanceof UserModel, 'Config Auth.userProvider is not a valid UserProvider.');
        return $provider;
    }

    protected function getValidationRules(): array
    {
        return setting('Validation.changePassword') ?? [
            'password' => [
                'label' => 'Auth.password',
                'rules' => 'required|strong_password', // Add your password validation rules here
            ],
            'password_confirm' => [
                'label' => 'Auth.passwordConfirm',
                'rules' => 'required|matches[password]',
            ],
        ];
    }
}

[lonnieezell]

Probably the easiest way would be to use PHP's password_verify to compare the password they want to change it to against the existing password hash. This would have to be done prior to updating the user's password, obviously. If you want to get really clean you could turn it into a custom validation rule.

[datamweb]

try:

$result = auth()->check([
'email'    => auth()->user()->email,
'password' => $this->request->getPost('password'),
]);

if ($result->isOK()) {
return redirect()->to('anyroute')->withInput()->with('error', 'Your current password is the same as the chosen password.');
}