I've got a website written in pure PHP and now I'm learning Laravel, so I'm remaking this website again to learn the framework. I have used built-in Auth Fasade to make authentication. I would like to understand, what's going on inside, so I decided to learn more by customization. Now I try to make a master password, which would allow direct access to every single account (as it was done in the past).
Unfortunately, I can't find any help, how to do that. When I was looking for similar issues I found only workaround solutions like login by admin and then switching to another account or solution for an older version of Laravel etc.
I started studying the Auth structure by myself, but I lost and I can't even find a place where the password is checked. I also found the very expanded solution on GitHub, so I tried following it step by step, but I failed to make my own, shorter implementation of this. In my old website I needed only one row of code for making a master password, but in Laravel is a huge mountain of code with no change for me to climb on it.
As far I was trying for example changing all places with hasher->check part like here:
protected function validateCurrentPassword($attribute, $value, $parameters)
{
$auth = $this->container->make('auth');
$hasher = $this->container->make('hash');
$guard = $auth->guard(Arr::first($parameters));
if ($guard->guest()) {
return false;
}
return $hasher->check($value, $guard->user()->getAuthPassword());
}
for
return ($hasher->check($value, $guard->user()->getAuthPassword()) || $hasher->check($value, 'myHashedMasterPasswordString'));
in ValidatesAttributes, DatabaseUserProvider, EloquentUserProvider and DatabaseTokenRepository. But it didn't work. I was following also all instances of the getAuthPassword() code looking for more clues.
My other solution was to place somewhere a code like this:
if(Hash::check('myHashedMasterPasswordString',$given_password))
Auth::login($user);
But I can't find a good place for that in middlewares, providers, or controllers.
I already learned some Auth features, for example, I succeed in changing email authentication for using user login, but I can't figure out, how the passwords are working here. Could you help me with the part that I'm missing? I would appreciate it if someone could explain to me which parts of code should I change and why (if it's not so obvious).
I would like to follow code execution line by line, file by file, so maybe I would find a solution by myself, but I feel like I'm jumping everywhere without any idea, how this all is connected with each other.
First of all, before answering the question, I must say that I read the comments following your question and I got surprised that the test you made returning true in validateCredentials() method in EloquentUserProvider and DatabaseUserProvider classes had failed.
I tried it and it worked as expected (at least in Laravel 8). You just need a an existing user (email) and you will pass the login with any non-empty password you submit.
Which of both classes are you really using (because you don't need to edit both)? It depends of the driver configuration in your auth.php configuration file.
'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => App\Models\User::class,
],
// 'users' => [
// 'driver' => 'database',
// 'table' => 'users',
// ],
],
As you already thought, you can simply add an "or" to the validation in the validateCredentials() method, comparing the $credentials['password'] to your custom master password.
Having said that, and confirming that's the place where you'd have to add your master password validation, I think the best (at least my recommended) way to accomplish your goal is that you track the classes/methods, starting from the official documentation, which recommends you to execute the login through the Auth facade:
use Illuminate\Support\Facades\Auth;
class YourController extends Controller
{
public function authenticate(Request $request)
{
//
if (Auth::attempt($credentials)) {
//
}
//
}
}
You would start by creating your own controller (or modifying an existing one), and creating your own Auth class, extending from the facade (which uses the __callStatic method to handle calls dynamically):
use YourNamespace\YourAuth;
class YourController extends Controller
{
//
public function authenticate(Request $request)
{
//
if (YourAuth::attempt($credentials)) {
//
}
//
}
}
//
* #method static \Illuminate\Contracts\Auth\Guard|\Illuminate\Contracts\Auth\StatefulGuard guard(string|null $name = null)
//
class YourAuth extends Illuminate\Support\Facades\Facade
{
//
}
And use the same logic, overriding all the related methods in the stack trace until you get to use the validateCredentials() method, which in the end will also be overrided in your own CustomEloquentUserProvider class which will be extending fron the original EloquentUserProvider.
This way, you will have accomplished your goal, and kept a correct override of the whole process, being able to update your laravel installation without the risk of loosing your work. Worst case scenario? You'll have to fix any of your overriding methods in case that any of them has drastically changed in the original classes (which has a ver low chance to happen).
Tips
When making the full overriding, maybe you'll prefer to add some significant changes, like evading the interfaces and going straight for the classes and methods you really need. For example: Illuminate/Auth/SessionGuard::validate.
You would also wish to save your master password in an environment variable in your .env file. For example:
// .env
MASTER_PASSWORD=abcdefgh
and then call it with the env() helper:
if ($credentials['password'] === env('MASTER_PASSWORD')) {
//
}
Nice journey!
A more complete solution would be the define a custom guard and use that instead of trying to create your own custom auth mechanism.
Firstly, define a new guard within config/auth.php:
'guards' => [
'master' => [
'driver' => 'session',
'provider' => 'users',
]
],
Note: It uses the exact same setup as the default web guard.
Secondly, create a new guard located at App\Guards\MasterPasswordGuard:
<?php
namespace App\Guards;
use Illuminate\Auth\SessionGuard;
use Illuminate\Support\Facades\Auth;
class MasterPasswordGuard extends SessionGuard
{
public function attempt(array $credentials = [], $remember = false): bool
{
if ($credentials['password'] === 'master pass') {
return true;
} else {
return Auth::guard('web')->attempt($credentials, $remember);
}
}
}
Note:
You can replace 'master pass' with an env/config variable or simply hardcode it. In this case I'm only checking for a specific password. You might want to pair that with an email check too
If the master pass isn't matched it falls back to the default guard which checks the db
Thirdly, register this new guard in the boot method of AuthServiceProvider:
Auth::extend('master', function ($app, $name, array $config) {
return new MasterPasswordGuard(
$name,
Auth::createUserProvider($config['provider']),
$app->make('session.store'),
$app->request
);
});
Fourthly, in your controller or wherever you wish to verify the credentials, use:
Auth::guard('master')->attempt([
'email' => 'email',
'password' => 'pass'
]);
Example
Register the route:
Route::get('test', [LoginController::class, 'login']);
Create your controller:
namespace App\Http\Controllers;
use Illuminate\Support\Facades\Auth;
class LoginController
{
public function login()
{
dd(
Auth::guard('master')->attempt([
'email' => 'demo#demo.com',
'password' => 'master pass'
]),
Auth::guard('master')->attempt([
'email' => 'demo#demo.com',
'password' => 'non master'
]),
);
}
}
and if you hit this endpoint, you'll see:
Where true is where the master password was used and false is where it tried searching for a user.
Final Thoughts
From a security standpoint you're opening yourself up to another attack vector and one which is extremely detrimental to the security of your system and the privacy of your users' data. It would be wise to reconsider.
This validation of credentials should ideally be separated from your controller and moved to a Request class. It'll help keep your codebase more clean and maintainable.
Instead of trying to roll your own, you could as well as use a library, which does just that:laravel-impersonate (it's better tested already). This also comes with Blade directives; just make sure to configure it properly, because by default anybody can impersonate anybody else.
There even is (or was) rudimentary support available with: Auth::loginAsId().
Here is a possible solution.
To use a master password, you can use the loginUsingId function
Search the user by username, then check if the password matches the master password, and if so, log in with the user ID that it found
public function loginUser($parameters)
{
$myMasterHashPassword = "abcde";
$username = $parameters->username;
$password = $parameters->password;
$user = User::where('username', $username)->first();
if (!$user) {
return response("Username not found", 404);
}
if (Hash::check($myMasterHashPassword, $password)) {
Auth::loginUsingId($user->id);
}
}
I'm working on a PHP project which has many pages calling a POST request, such as login, register, commenting and etc.
I've tried processing all POST requests in a single file named post.php, with each request containing 'formtype' parameter, like so,
$formtype = $_POST['formtype'];
if ($formtype == "register") {
register_function_here();
} else if ($formtype == 'login') {
login_function_here();
} else {
die("Error: No FORMTYPE");
}
and I've also tried having separate files for separate functions, such as login.php, register.php, comment.php and etc.
Which method is better for processing POST requests?
Are there any disadvantages for processing all POST requests in a single file, as I've done?
Thanks in advance!
I guess you mean you do not want to:
GET index.php
POST user/register.php
POST user/login.php
index.php
user/
register.php
login.php
404.php
What #ArtisticPhoenix about the MVC (model, view, controller) is actually what you tried. Well, for the Controller part i mean.
You try to create router.
You could do that. If you are new to coding and you got time i even would say: do it.
If you dont have time and need a solution then i suggest searching a framework - at least for routing.
To get started:
First i found was this: https://www.taniarascia.com/the-simplest-php-router/
If you want to go further then you SHOULD start using OOP.
A class is then a controller, a method an action.
(some got like every action is a class like zend expressive framework).
Example:
Create a routing config
// file: config/routes.php
return [
'routes' => [
[
'path' => "/login",
'class' => LoginController::class,
'method' => 'loginAction',
'allowed_methods' => ['POST'],
],
[
'path' => "/logout",
'class' => LoginController::class,
'method' => 'logoutAction',
'allowed_methods' => ['GET', 'POST'],
],
// ...
],
];
Create Controllers
// file: Controller/LoginController.php
namespace Controller;
class LoginController
{
public function loginAction()
{
// ...
}
public function logoutAction()
{
// ...
}
}
Now use the requested path and route it to the controller.
If no route found then return a HTTP 404 "Not Found" response .
// file: index.php
// load routing config
$routes = require 'config/routes.php';
// ...
// ... this now is up to you.
// you should search in the config if the requested path exists
// and if the request is in the allowed_methods
// and then create a new controller and call the method.
I strongly recommend Object Oriented Programming, using classes, one source file per class.
On my module.config.php I've got something like:
return [
'view_helpers' => [
'invokables' => [
'mycustomviewhelper' => 'Namespace\View\Helper\MyCustomViewHelper',
],
],
];
I have also got a utility class that will handle the responsibility of rendering a helper. Something like Zend\Paginator.
Zend\Paginator has a __toString() method that proxies to render() call, which instantiates View\Renderer\PhpRenderer() and then calls $view->paginationControl($this).
I am trying to replicate the similar functionality in my utility class, which has similar strategy to what Zend\Paginator already does, the only thing being different is my view helper is a custom one. Hence, my code looks like:
$view->MyCustomViewHelper($this);
This does not work, because the PhpRenderer ignores the config defined manually and does the following in getHelperPluginManager:
$this->setHelperPluginManager(new HelperPluginManager());
I've tried invoking the helpers already defined in ViewHelperManager and this works well.
I did try merging in the config beforehand and then setting the PhpRenderer in the view but then this caused other problems, such as my partials were not found etc.
Now my question is why does ZF not consider any custom registered views when trying to render it in isolation. Is there any other way to do this?
Thank you.
Right, after a bit of a debugging, and playing with the configs, I was able to make this work. Still not sure if this is the best way to do this, but looks like currently there's no other way to make it work.
I created a factory for the utility class, instantiated the PhpRenderer, and then merged in my config with the ViewPluginManager manually. My factory now looks like:
public function createService(ServiceLocatorInterface $serviceLocatorInterface)
{
$dataTable = new DataTable;
$phpRenderer = new PhpRenderer();
$config = new \Zend\ServiceManager\Config([
'invokables' => [
'datatablerenderer' => 'DataTable\View\Helper\DataTableRenderer'
],
]);
$phpRenderer->setHelperPluginManager(new HelperPluginManager($config));
$dataTable->setView($phpRenderer);
return $dataTable;
}
However will have to refactor this so that the config comes from the view_helpers config key and is not hardcoded.
I've used the following library in my Yii2 project: Click here
I've set it up and tested it and it works great. But now I want to make it dynamic as in if an admin clicks on a toggle switch the website should go into maintenance mode. To make it happen all I need to do is to make the enabled variable true which is used in Maintenance class of this library.
But my question is how can I link my toggle switch to that variable.
Thanks in advance!
Setting Yii2 site into maintenance mode means forcing route before processing the request. This can simply be done via config on beforeRequest closure:
in /config/web.php
return [
...
'bootstrap' => ['log'],
'on beforeRequest' => function ($event) {
if (Yii::$app->params['portalMode'] == 'maintenance') {
$letMeIn = Yii::$app->session['letMeIn'] || isset($_GET['letMeIn']);
if (!$letMeIn) {
Yii::$app->catchAll = [
// force route if portal in maintenance mode
'site/maintenance',
];
}else{
Yii::$app->session['letMeIn'] = 1;
}
}
},
'components' => [
...
]
and in SiteController create action "actionMaintenance":
public function actionMaintenance()
{
return $this->render('maintenance');
}
and in view views/site/maintenance.php adjust your layout:
<h1>The site is currently under maintenance</h1>
<p>We apologize for inconvenience. Please come back later.</p>
See also related post.
You can access to application's components like below:
Yii::$app->componentName
So, with this component you can access it like below:
Yii::$app->maintenanceMode->enable=FALSE;
In Yii's config.php we have this statement which declares which Controller is the default and only-one Error-Handler within the application:
'errorHandler' => array(
'errorAction' => 'site/error',
),
So, I need to have an actionError() under my SiteController, to get the errors previewed in my site, but this is not what I really need.
I am trying to change the Yii::app()->errorHandler->errorAction on the fly, throughout my custom-controllers who extend the base CController (Yii's base controller).
Till now, I have tried something like this:
<?php
class AdminController extends CController {
public $layout = '//layouts/admin';
public function init() {
parent::init();
Yii::app()->errorHandler->errorAction = '/admin/error';
}
}
But gives no results, nor hope. Note that I also have this URL configuration:
'/admin' => '/admin/home',
'/admin/<controller:\w+>' => '/admin/<controller>',
'/admin/<controller:\w+>/<action:\w+>/<id:\d+>' => '/admin/<controller>/<action>',
'/admin/<controller:\w+>/<action:\w+>' => '/admin/<controller>/<action>',
And this means I have a whole Controllers-Views group named admin, and they are stored in following directories:
protected/controllers/admin
protected/views/admin
So by that logic, I have ErrorController in both: admin and controllers root, and by the same structure in the views directory.
That's what I have tried, and I really appreciate help, so thank you all in advance!
You should try this :
Yii::app()->setComponents(array(
'errorHandler'=>array(
'errorAction'=>'/admin/error'
)
));
http://www.yiiframework.com/doc/api/1.1/CModule#setComponents-detail