I have a python backend for my telegram bot and I have a Laravel app as my frontend. I know it is not optimal, I just do this for practice.
Users are kept on python backend, I use Django on this app. My idea was to have a login form on laravel and sending login/password to python backend to actually authenticate and then keep the token in laravel session or something.
As I am not a big authorization expert I don't really know this approach is correct or even would work.
How should I approach this?
Related
I am working on a react native application for a website which is made in Laravel so all of its APIs are based on Laravel.
I am facing a problem of CSRF token when making POST request to the Laravel Backend. Every Time I am getting a response of Page is Expired.
I have done some research on the issue and found that CSRF tokens are generated by Laravel by default for security purposes. My question is how can I connect to Laravel API.
One solution which was suggested is to use JWT tokens but that's really not a feasible solution for me and I am not sure how to implement JWT Authentication in Laravel.
Another Solution which I have read is that whenever we visit a page made using Laravel then in window object window.csrfToken can be accessed which is the token I need for making the API calls. Is it true? and if it is then how can I get that in React Native Application (should I make a GET request for the website and try to get the token from there is it possible?)
One more solution I think is that we can bypass some routes in Laravel Middleware so that token is not checked.
I need some suggestions on the issue. Also need to know that above solutions are correct or not and which one should I use.
Thanks
I'm quiet new to slim, but I want to give it a try. I have created an application, which uses twig as view rendering.
A user should authenticate against a database (via a login form), before access administration. I created a login form, but now I'm stuck.
I found some libraries and middleware, helping with basic HTTP Authentification, but that is not quiet what I want.
I simply could store a session var, after checking the users information with my database, but is this actually secure?
Some people using authentication libraries, like Zend/Authentification oder Session.
Also, there is the whole token based authentification, but I don't know, if I should use this, when not creating an REST application.
I just want to understand, what does mean "secure" in a slim3 application and how to handle a user login with all it's aspects, to create a secure backend experience. Are there any libraries I should use, to build a middleware around?
Thanks for clarification/help.
I've been building applications in Slim for a little over 1 years, and I went through the same problem at the beginning, my tip for you is, as slim is meant to be a simple framework, it has nothing as default, so you you need to build the security of your application;
I started by trying some authentication libs, but starting to build mine.
Basically what i used
First I used Basiauth, with CSRF
Then I set out to build OAuth 2 authentication, ensuring token access to resources, and access rules.
For this I used a very powerful library https://oauth2.thephpleague.com/
I'm planning on creating a multi-page web app using Laravel as a back-end REST API and a Vue.js front-end to consume this API.
To be clear up front, I'm not interested in code snippets of exactly how to set this up, unless some will help visualize the architecture.
What I would like to know is how this 'Split-Stack' can be deployed in a completely separated manner. I.E. neither stack shares a codebase, and are stored in completely independent repositories.
I'm not very familiar with JavaScript frameworks beyond jQuery, so I think my lack of understanding lies mainly in the Vue.js department. Some questions which stand out in particular are:
Can a Vue.js application be hosted by a web server to serve static HTML files, if so, which one is compatible?
Can both the front and back end services run on the same server, on different ports for example, and what would be any best practices for this?
And how is login authentication affected by running a web app in this way, and should I be looking into creating some kind of OAuth authentication between the front and back ends?
After reading many blog posts, it is obvious that this architecture is possible, but I'm struggling to find details on how exactly this is configured to be completely separate.
The tools and technologies don't necessarily matter here, but any specifics for Vue.js and Laravel are appreciated.
I have a VueJS Front-End set up with an ExpressJS Back-End, which is very similar to what you are talking about. And yes, it is entirely possible. So let's take a look at each of your questions individually.
Can a Vue.js application be hosted by a web server to serve static HTML files, if so, which one is compatible?
Yes, when you run VueJS, you can either build it as a static application or serve it as a NodeJS Application.
See the Deployment section of the Vue CLI 3 documentation here. It explains how the /dist directory is used to serve the VueJS Application in the manner you are intending to.
Can both the front and back end services run on the same server, on different ports for example, and what would be any best practices for this?
I recently posted an example of how to host both your Front-End and API on the same server here. (Includes Coding Examples and Explanation). This answer references ExpressJS as the API, but the principles are the same. Really, just have your Front-End listening on port 80 and have your API operating on a different, unused port (ie: 8081).
And how is login authentication affected by running a web app in this way, and should I be looking into creating some kind of OAuth authentication between the front and back ends?
I handle all authentication on the back end. Basically, in the Vue Router, you can set a secure parameter. Then declare a router.beforeEach((to,from,next) => {}); call towards the end. This call should then check to see if the user has a valid login token and redirect them to the applications login page after setting a cookie with the URL the user was asked to login from so that they can be sent back to it after logging in.
In our case, we have the user redirected to the VueJS Route /saml/login. The /saml/login component. This component makes a call to the API and returns the address the user should be redirected to to login. In our case, it is the API (which is running on the same server, but a different port [see answer above]), www.example.com:8081/api/v1/saml_login. This then works with the IDP and receives the token and user data. This is also where you would perform you ACS functions (provisioning the user, updating the login time or user data, etc.) After receiving the token, it is placed into a cookie or other placeholder so that it can be used to validate against the token stored in the Database when the user was validated initially. (It is a best practice to set expiration's on your tokens). The user is then redirected to the url stored in the cookie that lets us know where they were asked to sign in from so they can view their content without having to look for it again. (Happy to share code on this if you want)
I think using Firebase or Auth0 Authentication is one of the best ways to do this. Firebase or Auth0 will take care of all the authentication for you and allow your backend to verify the authenticity of your front end. So that makes it much easer to separate the two.
There is an admin SDK for connecting Laravel to Firebase and there are templates and existing authentication SDK's for Vue. There are a few articles which sort of describe it but I haven't seen anything that pieces it all together yet. I was able to figure it out from 2 or 3 different articles and it ended up being easier than I thought it would be.
i am making a web app use with react 4 and lumen to backend api. i made a login form use on username and password but i don't know how can i logged the user and kick out from the pacge if the user is not logged in.
I looked for many login example for the react but almost all of it use redux and i a newbie on this so it is very complex for me.
I want to learn this logic that means how can i use and why ? how it can be stored secure? how can protect to user like php session in react. how can i use auth middleware like in laravel.
could i use session in react ? is it possible?
no one make an app about i told. i don't want to use express and nodejs. i am using php server on backend ?
please help me
React will be a different server same like php server, you will communicate through REST API Rest is stateless protocol so you cant use php session inside react application, recommended way to solve this issue is introduce JWT in backend Use jwt-auth this reference for that.
I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how its done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but none-the-less here's an example: You would log in to web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on web service, like an access key (actually called a token) with which the mobile app then utilizes to communicate with the web service on your behalf; the token could be then passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you