@sarah Perhaps, but in practice the global function calling the app container has never caused any problems for me. And you definitely could inject the config repository where needed, it's just not conventional Laravel. I prefer sticking with conventions.
@jclermont I've started to structure my controllers using the invokable style, with a single file for each endpoint/verb combination.
This has had a side effect of cleaning up my tests as well. Each file tests the authorization, success/failure paths, etc., in a short(er) file that's easier to read through.
@heiglandreas That's a fair point, and the default max being discussed is 72 (due to bcrypt internals), so it would not violate the NIST recommendation.
Sadly advertising a tool to set a max password length (to avoid the password being truncated at 72 chars) will cause people to abuse it to set the max length to whatever some projectmanager thinks is enough (12 chars).