Generate HTML Password Rules Attribute in Laravel 13.9.0

Laravel v13.9.0 adds Password::toPasswordRulesString() for generating HTML passwordrules attributes so browsers and password managers can suggest compliant passwords automatically, along with Cloud queue metrics, optional disk storage for large SQS payloads, and more:

• Password::toPasswordRulesString() for HTML passwordrules attributes
• Cloud queue metrics for job processing telemetry
• Optional disk storage for large SQS queue payloads
• Concurrency::run() timeout support
• PendingDispatch conditionable with when() and unless()
• PreparesForDispatch interface for pre-dispatch job hooks
• foreignUuidFor schema blueprint helper
• ThrottlesExceptions backoff now accepts a Closure
• Enum support for contextual attribute binding

#What's New

#Password::toPasswordRulesString()

The Password validation rule now has a toPasswordRulesString() method that converts a Password instance into a passwordrules attribute string for HTML inputs.

The passwordrules attribute is a specification introduced by Apple that lets browsers and password managers — including Safari, 1Password, and Bitwarden — read an app's password constraints and generate a valid password automatically, rather than the user having to trial-and-error a suggested password against validation errors.

Each Password method maps to a specific rule token:

uncompromised() has no passwordrules equivalent and is not included in the output.

Here are the outputs for common combinations, verified against the merged tests:

Password::min(8)->toPasswordRulesString();
// 'minlength: 8;'
 
Password::min(8)->max(64)->toPasswordRulesString();
// 'minlength: 8; maxlength: 64;'
 
Password::min(8)->letters()->toPasswordRulesString();
// 'minlength: 8; required: lower;'
 
Password::min(8)->mixedCase()->toPasswordRulesString();
// 'minlength: 8; required: lower; required: upper;'
 
Password::min(12)->max(64)->mixedCase()->numbers()->symbols()->toPasswordRulesString();
// 'minlength: 12; maxlength: 64; required: lower; required: upper; required: digit; required: special;'

The most practical use is pairing it with Password::defaults() so the same policy you define in AppServiceProvider drives both server-side validation and the browser's password suggestions:

// app/Providers/AppServiceProvider.php
Password::defaults(fn () => Password::min(12)->max(64)->mixedCase()->numbers()->symbols());

<input
    type="password"
    autocomplete="new-password"
    passwordrules="{{ Password::defaults()->toPasswordRulesString() }}"
/>

When a user focuses the field in a supporting browser or password manager, they'll be offered a generated password that already satisfies your rules — no back-and-forth with validation errors.

PR: #60070 by @imliam

#Cloud Queue Metrics

Three PRs from @timacdonald add metrics tracking for Laravel Cloud queue connections. The new Illuminate\Foundation\Cloud\Queue decorator wraps any queue driver and emits events through a socket when jobs are queued and when processing starts and finishes. This gives Laravel Cloud visibility into job throughput, processing duration, and worker activity.

Config caching is also now supported for Cloud queues — prefix and suffix values are read from the config file rather than environment variables directly, making php artisan config:cache work correctly in Cloud deployments.

PRs: #60074, #60078, #60094

#Optional Disk Storage for Large SQS Payloads

SQS has a maximum message size of 1 MB. When a serialized job payload exceeds that limit, AWS rejects it with an InvalidParameterValue error. This release adds a built-in solution: an extended_store_options block in the SQS queue connection config that offloads large payloads to a filesystem disk (such as S3) and sends a small pointer through SQS instead. Workers fetch the full payload from disk when processing the job.

// config/queue.php
'sqs' => [
    // ...existing config...
    'extended_store_options' => [
        'enabled' => env('SQS_STORE_ENABLED', false),
        'disk' => env('SQS_STORE_DISK', 's3'),
        'prefix' => env('SQS_STORE_PREFIX', ''),
        'always' => false,
        'cleanup' => true,
    ],
],

• enabled — turn the feature on or off (defaults to false)
• disk — which filesystem disk to store payloads on
• prefix — path prefix for stored payload files on the disk
• always — when true, stores every payload to disk regardless of size
• cleanup — when true, deletes the disk file after the job is successfully processed

This is opt-in and backwards compatible. Existing SQS users are unaffected unless they set enabled to true.

PR: #59734 by @Orrison

#Concurrency::run() Timeout Support

Concurrency::run() uses the process driver by default, which runs each task through Laravel's process layer. That layer has a default 60-second timeout, but there was no way to customize it from Concurrency::run(). A new timeout parameter is now available for the process driver:

Concurrency::run([
    fn () => longRunningTask(),
], timeout: 300);

The fork driver is unchanged because spatie/fork does not support task timeouts. The sync driver also keeps its existing behavior since it runs tasks inline.

PR: #60105 by @dbpolito

#PendingDispatch Conditionable

PendingDispatch now implements the Conditionable trait, which adds when() and unless() methods. This lets you configure dispatched jobs inline without wrapping the dispatch call in conditionals:

SendPersonalDetailsToFraudDetectionTool::dispatch($customer)
    ->when($customer->hasSufficientPersonalDetails(), fn ($job) => $job->withoutDelay());
 
SendPersonalDetailsToFraudDetectionTool::dispatch($customer)
    ->unless($customer->hasSufficientPersonalDetails(), fn ($job) => $job->delay(180));

PR: #60047 by @kevinb1989

#PreparesForDispatch Interface

A new PreparesForDispatch interface adds a prepareForDispatch() method that runs before a job is pushed to the queue. The method can return false to cancel the dispatch entirely. This is useful for jobs dispatched from multiple call sites that all need the same pre-dispatch logic — for example, deduplicating IDs or checking whether a job is still needed before consuming queue capacity:

use Illuminate\Contracts\Queue\PreparesForDispatch;
 
class SyncPodcastsJob implements ShouldQueue, PreparesForDispatch
{
    use Queueable;
 
    public function __construct(public array $podcastIds) {}
 
    public function prepareForDispatch(): bool
    {
        $this->podcastIds = array_unique($this->podcastIds);
 
        return count($this->podcastIds) > 0;
    }
 
    public function handle(): void
    {
        // ...
    }
}

PR: #59879 by @jackbayliss

#foreignUuidFor Schema Helper

A new foreignUuidFor() method on schema blueprints provides an explicit API for migrations that want a UUID foreign key column. While the existing foreignIdFor() already handles UUID-backed models by detecting the key type, foreignUuidFor() makes the intent clear and mirrors the same model-aware behavior:

$table->foreignUuidFor(User::class)->constrained();

The helper infers the column name, related table name, and referenced primary key column from the model.

PR: #60091 by @Tresor-Kasenda

#ThrottlesExceptions Backoff Accepts a Closure

The backoff() method on ThrottlesExceptions middleware now accepts a Closure that receives the throwable. This is useful when the exception carries retry timing information — such as a Retry-After header from an external API — and you want to use it directly rather than a fixed backoff value:

(new ThrottlesExceptions(maxAttempts: 10, decaySeconds: 300))
    ->byJob()
    ->when(fn (Throwable $e) => $e instanceof ExternalAPIException && $e->isRateLimited())
    ->backoff(fn (Throwable $e) => $e instanceof ExternalAPIException
        ? $e->retryAfter() / 60
        : 2
    ),

PR: #60103 by @cosmastech

#Enum Support for Contextual Attribute Binding

The #[Auth], #[Authenticated], and #[Cache] contextual attributes now accept both UnitEnum and backed enum values in addition to strings. This lets you use enum cases to reference guards and cache stores in dependency injection:

use App\Enums\AuthGuard;
use Illuminate\Container\Attributes\Auth;
 
public function __construct(
    #[Auth(AuthGuard::Admin)]
    protected Guard $adminGuard,
) {}

PR: #60092 by @Tresor-Kasenda

#Miscellaneous Fixes and Improvements

• Scoped filesystem Cloud support — Storage::cloud() now works with scoped disks (#60030 by @jeremynikolic)
• Migration event names — MigrationStarted and MigrationEnded events now include the migration name (#60059 by @jackbayliss)
• Worker timeout exit code override — The worker timeout exit code can now be customized via WORKER_TIMEOUT_EXIT_CODE, matching the existing WORKER_MEMORY_EXIT_CODE behavior (#60072 by @jackbayliss)
• Guzzle PSR-7 multipart fix — Nested multipart array expansion now relies on guzzlehttp/psr7 to fix a serialization issue (#59984 by @RomainMazB)
• Generic paginate return types — Builder paginate methods now have generic return types for better IDE support (#60045 by @levikl)
• Lottery reset on teardown — Lottery is now reset during test case teardown to prevent test bleed (#60083 by @cosmastech)
• AWS credential provider fix — Custom AWS credential providers now work correctly with the queue driver (#60000 by @iWader)
• Unicode regex fixes — Unicode modifiers added to preg_split and SeeInHtml whitespace normalization (#60056, #60090)

References

• Official changelog
• Compare v13.8.0...v13.9.0