I need to have multiple users logged in at the same time in Laravel. Similar to Google/Facebook but instead of switching between users/accounts work with all authenticated users simultaneously, similar to email apps where you can access email from all accounts from one list.
Structure:
Unique auth credentials A
-Account 1 (aka tenant)
Unique auth credentials B
-Account 2
-Account 3
While not building completely custom solution in Laravel, I can’t think of anything rather than start using User model for authentication purposes only and adding next authenticated user ids to the first logged in session to handle multiple users. But it just feels like a hack.
Has anyone have any ideas or past experience with multiple authenticated users?
Related
I have a Laravel user database (> 14k customers) and would like to authenticate and authorize all users accross multiple websites of our company (2-5 Laravel and .NET webs) from a single OAUTH server.
https://laravel.com/docs/9.x/passport seems to document only workflow when "OAUTH clients" are added per user (witch nice and also a requirement), but I want to have global "clients" available for all users. I dont want my users to be able to remove their access to other websites of our company and even more be required to add it one by one in order to use it.
Workflow:
User comes to one of company sites (1.company.com, 2.company.com, 3.company.com...) and is redirected to server oauth.company.com and after successful login redirected to the original target website.
User can add aditional clients, but are not required to add 1.company.com or other sites of our network.
Is that even possible with passport?
I need to add social login to a site that already has a user system that is very simple it only stores an email and a password and that's about it. I need to add facebook and twitter login options but I am facing a difficulty figuring out how to integrate that with the current system because it has an unique index at email so when a user tries to log in using a social account I first get their details and check if that email is already registered, if not then I register them automatically and then log them in and subsequent login requests find the email and log in the user automatically.
The problem comes when a user has been registered through the ordinary registration form, then I could create a fake social media account using a given email and could then log into a user's account on that site simply because they didn't have a social media account using that email.
I suppose I could add a column "regMethod" that would indicate which registration method was used and make that a complex unique key (email, regMethod) and have 0 be the native form, 1 facebook, 2 twitter and compare that when logging a user in but that seems rather hacky to me. Also if a single user uses all login methods for some reason the will have a number of accounts and not just a single account which is a problem.
I am pretty sure there must be a better solution to that problem and someone has overcome it already so I feel like I would be reinventing the wheel trying to solve it. How is this done in reality?
A simple possible solution to your problem I've been using for a site that allows different types of login (local or with a facebook account) was to seperate the user account data from the authentication data by having seperate tables for them.
First I had a table for the user data. You would then have two tables for possible authentcation, one LocalAuthentication containing anything related to you local authentication method like salt, password hashes etc. Then you will also have the table FacebookAuthentication and it only needs to contain a facebook access token. Both of these tables needs to reference the UserTable.
That way a single user could have multiple authentication to the same account.
just add facebook_id and twitter_id to your users table. Then
you'll have two choices :
Each social account is a new account (no merging), you just have to create and persist a new user object.
Once logged (classic way : login / pwd), you provide to users the ability to link their account with social accounts. In that case, you have to update your user table.
Dont forget to store the facebook_id or the twitter_id you'll get when the users uses the API.
I'm building a website where users can pay for a certain service provided by the owner. It's not an online shop, though the payment process is pretty similar.
The problem I'm facing lies in the different 'login' options during this payment process. One can use a Facebook-account to log in, register for an account/login using his account OR choose to fill in personal info without registering.
I was thinking about a 'consumers' table (one time users without an account), a 'users' table for registered users, a 'facebook_accounts' table with the Facebook info, and a 'user_has_facebook_account' table for linking Facebook accounts to registered users based on a shared email address.
However, what if a user logs in using Facebook without having a registered account with a password... It's really giving me a headache.
Any suggestions how I would go about designing a database to support this?
I would create only one table with customers. There you can have a field with the Facebook user ID. If someone login with Facebook, you can create a new record for him (you have email address etc. from Facebook). Therefore, you can set an empty local password or require the user to set a password for your page.
You should probably be adding people that login with Facebook to the Users table and creating them a default password, as well as storing the OAuth information / keys.
Your "User" objects should be singular and just have a different method for how they became "Users" to simplify things
I have a couple of questions regarding facebook integration and authentication in my social networking iOS application.
First of all, Users of my application are required to create an account and login before any content is available to them.
I have a separate backend system, so regular account registration inside my application is supported. When a user is logged in to an account he or she is supplied an access token which is used for future backend-requests, such as image-uploads.
Secondly, A user can choose to log in with Facebook, and thereby acquire an access token from the successfully opened FBSession.
This leads to my first question: How do I use the access token acquired from Facebook to authenticate my users with my backend system? Should I send the acquired token to my backend and have the system use that token for this particular user until further notice, or is there another way to go about this?
--
Now lets say that I solved the problem in the first question...
My second question: Imagine that a user created an account and logged in the normal way (i.e. without facebook) The next time that user wants to use the application, he or she chooses to log in with facebook. Now, In my backend-system, how would I know that these two users are the same, connect them and thereby be able to load the same content for both cases? Is it even possible to have hybrid accounts that supports double logins like that? A regular registration only requires email, username and password, so I cannot think of a way to determine that a facebook-loggedin-user is the same user as a normal-loggedin-user.
I Hope the above makes sense.
The only way to unite the two memberships is to use a common link as a username or identifier such as email. I am sure fb, google, yahoo and others relay the users email account information. Your database should allow for storing your user's email address. The hurdle then becomes what do you do when user login with facebook then the next day using gmail that's when it gets tricky and you have to implement some mechanism for those accounts to be linked.
A regular registration only requires email, username and password
In that case, you can ask the user to grant the email permission to your app. So, by matching both the emails (since, a regular registration requires email) you can determine that this facebook-loggedin-user is the same user as a normal-loggedin-user.
But yes, in some cases(very less) you might not be able to fetch the email (Register with Facebook sometimes doesn't provide email); but then, the registration process won't be completed- so that's not an issue I guess.
First of all let me start by saying that this question is not about different openID and oAuth implementations. There are many classes about these.
My question is what to do after authenticating a user:
How to add this user to the user table in the database?
How to handle different logins for the same user? (Remy Sharp's example suggests
something for openID)
How to combine oAuth and openID in the database?
Any ideas?
Your question has to main parts to it:
Authentication
Authorization
Usually the two are not treated differently if the identity provider (IP) is your own, which has been the most common setup in web apps until now.
When using an OpenId Provider such as Google, the authentication part is seperated from your control. You will get a token back telling you if the user is authenticated or not. The token will normally contain the following claims: Name, Email and Named Identity where the last is the unique id of the identity at the IP.
So far so good.
The trick is now as you ask, how do I authorize this user?
well, there are a couple of approaches to this.
First off, when you create a local user in your system, you can prepopulate the Name and Email values based off the claims you get from the IP. In this process, you can start and say that all users that have a profile stored in your system are authorized, or you can develop further processes that will add whatever details you need to know about the user.
Then, how do you avoid that the user is not re-registered if they switch from google to facebook as the IP?
This is where things get tricky. The most common claim that Google, Yahoo, Facebook will provide to you is the email address and Name. So what you can do, is try to match the incomming claim with existing customers in your app. This is not failsafe however, as people can have different emails in different systems.
The name value is also not safe.
In our setup, we start by matching emails, as we know that most IPs validate email addresses. This will reduce duplicates a lot. After that check, we start our own validation process where the goal is to see if the person is already registered. This process looks for the customers mobile number in our database, and if a match is found, we send a one-time-password to the customer to verify correct ownership of the phone number.
Since login is a time sensitive setup, we are created a simple SQL table that maps external identities to our customer numbers. This allows us to implement this kind of validation logic outside all our web apps (and thereby reduce code redundancy)
The most simple way would seem for me, to have a basic user table, where you add the user at register and have a extra 1:n table where you save possible authentications. Maybe you need more than one table, if there are methods, which need way more columns than others.
I implemented login via OpenID from google and met similar problems. I used openid library from janrain.
I don't created separate table for openid. I used secondary emails instead (secondary emails are stored in table of users).
While logining through google it's possible to demand user emails (I believe there's the same oportunity in any other openid provider). After I get response from google that user is logined, I look in table of users. If provided email was found in table (it doesn't matter whether it's primary or secondary) I login the user. If the email is not found, I ask user whether he has an account. If yes, he is proposed to login with existing login/password, after that I add secondary email to user. If the user doesn't have an account a new account is created.
So you don't need special new tables for these tricks.