I have a multi tenancy build with Laravel. Now I have a system (main) website
main.com
where users can register.
After registration a tenant (subdomain) website is created and they are getting redirected to a new subdomain
tenantB.main.com.
Of course the Session is then deleted and they are not logged in anymore. I am trying to keep the session but the only solution I have found so far is to change the SESSION_DOMAIN in session.php config to
SESSION_DOMAIN=.main.com
The session will then remain on all subdomains but different tenants should not share their sessions. With that change if I login to tenantB.main.com I am also authenticated on tenantA.main.com which is not what I want.
Another approach I want to try is to send the session data when redirecting to the tenant subdomain (https://laravel.com/docs/7.x/redirects#redirecting-with-flashed-session-data):
redirect($this->redirectPath())->with('auth', 'abc')
But here I am stuck. How can I pass the current session? Or is that a totally wrong approach?
I would simply use a cookie. The information is best stored on the client side. That way the client is responsible for providing their own identification.
It is then the responsibility of your authentication middleware to check if the user has permission to access the current tenant subdomain.
Chances are laravel already is configured to use cookies for authentication. In that case, all you will have to do is to implement your own guard!
Auth::extend('tentantAuth', function ($app, $name, array $config) {
new TenantAuth(Auth::createUserProvider($config['provider']));
});
The TenantAuth class would then simply need to implement Illuminate\Contracts\Auth\Guard in order to be usable.
You can than use the extended authentication by updating your auth.php config file to use the driver 'tenantAuth'.
More information can be found under https://laravel.com/docs/7.x/authentication#adding-custom-guards
Related
The documentation doesn't talk much about logging in and out and handling security in general.In Symfony, you can secure pages of your site via a YML file. Does F3 have anything like that?
What is the recommended way to secure pages and handle a logged in user? I liked basic Auth, but it isn't very flexible, and it seems logging out is trickier. So I decided to set up a form for login/logout.
I would have assumed that Auth automatically creates a session, but from what I can tell it doesn't. So does that mean I need to manually do it?
Also, how do I block non authenticated visitors from the site? Do I need to add a SESSION check in each route?
The freedom when using F3 is that you can/must implement this on your own.
You got multiple options here or can create some other creative solutions too, if your project requires it. The included Auth plugin doesn't create a SESSION of course, because it cannot know if you want to use a SESSION to track your users or maybe use other solutions (cookie, JWT, etc).
So in most cases you need to create an Auth controller where you check if a user is logged in or not - here you would probably use the Auth plugin and create the SESSION if you want that. From there on you got serveral other options.. just to name a few:
use a base controller, that your other controllers will extend (or a Trait) and add a beforeroute there, where you'll check if the user is logged in and allowed to access that ressource.
check the user rights in the front controller (index.php) and don't even register the routes that the user has no access to.
use a 3rd party plugin to add access checks to routes, i.e. f3-access
use another middleware router to pre-flight the current request and add auth checks to multiple routes at once
Firstly I'm a real beginner with Laravel so I will try to describe my problem as best as I can.
I am building a website using Laravel however the information on users will not be stored on my server but rather externally on another server.
The only way to access the user's data is through an external API; I am not allowed access to their database. The API request returns a token and I use this token to check with their server to see if the user is logged in.
My question is: how do I authenticate the user so that I can still use Laravel's out of the box guards.
It's really handy to use methods like Auth::check() to determine if the user is still logged in.
You'll either need to modify Laravel's default authentication middleware in app/Http/middleware/Authenticate.php or you'll need to create your own middleware class that runs the authentication that you need. Create a class in the app/Http/middleware folder and register that middleware. https://laravel.com/docs/master/middleware
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.
I'm building my first Cakephp application, but I'm pulling my hairs over this problem: I need my application (mydomain.com/cake-app) to co-operate with another non-cake php application (mydomain.com/custom-class) on the same server.
Both applications should share authentications and sessions, and I would like Cakephp to handle these.
However, custom-class will need to see who's logged in, and also add/edit users to my cake-app db, either by accessing my User Model, or by calling an setUser action in my UsersController. custom-class does not have access to the cake-app database.
How can I access Cakephp's AuthComponent and my User Model / UsersController from outside the Cakephp framework? What cake files do I need to include in my custom-class in order to accomplish this?
custom-class does not have access to the cake-app database.
The only way is an API then that doesn't require direct DB access. Implement a RESTful API for example that your none-cake app can call.
http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/views/json-and-xml-views.html
However, custom-class will need to see who's logged in, and also
add/edit users to my cake-app db, either by accessing my User Model,
or by calling an setUser action in my UsersController.
You'll have to read the cookie then and the cookie needs to require something you can send along with your API request so that the API knows who is asking for what.
You won't be able to simply require() or include() a few files from Cake and it will work, this isn't going to happen because the Auth system is a complete stack, you would have to initialize a request, controller, component collection, auth component and the auth adpater(s). Instead check how Cake writes and reads the Cookie and implement the same way in your custom class. But pay attention, Cake saves the cookie encrypted.
I have two Symfony applications. They point on the same database for sharing some tables.
So one user can login into app1 and app2 with the same username and password. But the session is blocked for the app is logged in. I'm using FosUserBundle.
My question is, how to share the session to the differents apps ?
I tried to add in the config.yml this line on the two apps :
framwork:
session:
cookie_domain: .my-domain.com
name: SFSESSID
Indeed app1 is available on app1.my-domain.com and app2 is available on app2.my-domain.com
Second possible answer is to listen login event and perform login when i view session of my second app. Right ?
Thanks.
Unfortunately it won't work in this way, because user will have your cookie only on one of domains. You can create an API to share information about that if user is logged in and recognize who he is, but the right way to do this is creating third application - Single Sign On which will be purposed only, and only to login and authorize user. Your two current apps will always authorize and authenticate user with SSO.
To implement this you can use https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/ as a server and https://github.com/hwi/HWIOAuthBundle as Clients.
Or, if you want to do this really quickly but messy you can create a JS script which will call the second page and create own cookie there. But if somebody asked you I haven't recommended you that.
Piotr