I am really struggling with Laravel auth. I read the manual many times, went to the code, but I still don't understand the level of intricacy of the Auth module.
As far as I understood, the app files that take part in the Auth are:
Manager: Auth (Illuminate\Auth\AuthManager)
Service Provider: AuthServiceProvider (Illuminate\Foundation\Support\Providers\AuthServiceProvider)
Middleware: Authenticate
Gate
Model: User
Controller: LoginController
It seems these controllers (LoginController, RegisterController, ...) are called by magic, hardcoded deep down in Illuminate\Routing\Router. But I do not want to use or register any ResetPasswordController, nor ForgotPasswordController, simply because I do not hold any passwords in my application.
So in my case I do not store any email or password in my database. My authentication is done with OAuth2; the only thing I do is collect an access token that I store in my database.
The question is:
How can I use the builtin Laravel Auth system that I am forced to use anyway because some providers require an access to app('auth')?
What then is the best solution in my case?
Rewrite the whole Auth Manager and override the Router to remove the buried links to the unneeded controllers
Tweak the existing Auth system to fulfill my needs
I am quite lost...
I am new to Laravel and I have a problem with middleware. On the official Laravel site, I found code for creating a controller.
When I create a controller, is it recommended to add middleware in the constructor, or is this only if I need some additional functionality?
Also, if I include the auth middleware, do I get some benefits by default, like security checks or similar, or must I rewrite the middleware code first?
class UserController extends Controller {
    /**
     * Instantiate a new controller instance.
     *
     * @return void
     */
    public function __construct() {
        // this part includes some protection or similar by default ?
        $this->middleware('auth');
    }
}
Middleware is used when you want to filter the HTTP requests entering your application.
For example, including the built-in auth middleware will restrict non-authenticated users from accessing a page and redirect them to the login screen.
You can include middleware into your controller and routes.
In the controller you do it like so:
public function __construct()
{
$this->middleware('auth');
}
For a route you do this:
Route::get('/page', 'MyController@myMethod')->middleware('auth');
Do I need to include this part of code when I create a controller or not?
As I said in my comment, it really depends on the desired functionality whether you use it or not.
An example
Your homepage should probably be accessible for anyone who visits you website, while your dashboard should only be displayed to authenticated users.
That's where you would include the auth middleware.
Question #1
Do you need to use $this->middleware('auth'); in your controller?
Answer: Only if you want to protect all of the methods of that controller from non-authenticated users and only allow signed in users to access controller actions.
Question #2
Do you get benefits for using the auth middleware?
Answer: Yes you do, only authenticated users can access the controller or routes protected by auth.
Question #3
Do you need to write your own middleware?
Answer: Only if you need to override a middleware or need extra functionality that is not already provided (php artisan make:auth), but if you are rolling your own login functionality then you will likely need/want to create your own middleware.
Resources:
Look in App\Http\Kernel.php and you will see that the $routeMiddleware array matches the auth middleware to the \Illuminate\Auth\Middleware\Authenticate::class which actually verifies that the current user is logged in and allows them to pass, if they are not logged in then it will redirect them to the '/login' route.
You will see that Laravel uses quite a bit of middleware by default, such as starting the session, encrypting cookies and protecting against CSRF forgery.
There are several ways to implement middleware, which I'm sure you saw in the docs.
Some Helpful Video Tutorials:
I suggest you watch each of the free series usually titled Laravel from Scratch on Laracasts.com. I would also suggest watching all of them from Laravel 5.7 back to 5.1 or 5.0, as Jeffrey Way may use different techniques in similar situations, and it will provide you with great tips and helpful information as to how things work, along with some Laravel best practices along the way. I've subscribed to him for years and work in Laravel every day, and I still learn new things from watching his videos; a subscription is easily worth 10-20 times what he charges.
The documentation doesn't talk much about logging in and out and handling security in general. In Symfony, you can secure pages of your site via a YML file. Does F3 have anything like that?
What is the recommended way to secure pages and handle a logged in user? I liked basic Auth, but it isn't very flexible, and it seems logging out is trickier. So I decided to set up a form for login/logout.
I would have assumed that Auth automatically creates a session, but from what I can tell it doesn't. So does that mean I need to manually do it?
Also, how do I block non authenticated visitors from the site? Do I need to add a SESSION check in each route?
The freedom when using F3 is that you can/must implement this on your own.
You got multiple options here or can create some other creative solutions too, if your project requires it. The included Auth plugin doesn't create a SESSION of course, because it cannot know if you want to use a SESSION to track your users or maybe use other solutions (cookie, JWT, etc).
So in most cases you need to create an Auth controller where you check if a user is logged in or not - here you would probably use the Auth plugin and create the SESSION if you want that. From there on you have several other options, just to name a few:
use a base controller that your other controllers will extend (or a Trait) and add a beforeroute there, where you'll check if the user is logged in and allowed to access that resource.
check the user rights in the front controller (index.php) and don't even register the routes that the user has no access to.
use a 3rd party plugin to add access checks to routes, e.g. f3-access
use another middleware router to pre-flight the current request and add auth checks to multiple routes at once
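The first option from the answer above, carried through as an added example (this is not code from the answer or from the F3 project): a base controller whose beforeroute() guards every route of its subclasses, a login/logout pair that uses the Auth plugin and puts the user into SESSION, and the route table that ties them together. It assumes F3 3.6 or later (where the Auth constructor accepts a password-check callback as its third argument), a `users` table with `user_id` and `password` columns holding password_hash() values, and a SQLite file for the demo; the class and column names are assumptions.

```php
<?php
// Added example, not code from the answer above: a beforeroute() guard in a
// base controller, plus login/logout using the F3 Auth plugin and SESSION.
// Assumptions: F3 3.6+ (Auth takes a password-check callback as 3rd argument),
// a `users` table with `user_id` and `password` (password_hash() output), and
// a SQLite file next to this script. Names below are illustrative.

abstract class Controller
{
    protected $f3;

    function __construct()
    {
        $this->f3 = \Base::instance();
    }

    // F3 calls beforeroute() before the routed method of any subclass.
    // The PHP session is started automatically on first access to SESSION.
    function beforeroute($f3, $params)
    {
        if (!$f3->exists('SESSION.user')) {
            // Remember the requested page, then send the visitor to the login form.
            $f3->set('SESSION.return_to', $f3->get('PATH'));
            $f3->reroute('/login');   // reroute() exits; nothing below it runs
        }
    }
}

class Dashboard extends Controller
{
    function index($f3, $params)
    {
        echo 'Hello, ' . htmlspecialchars($f3->get('SESSION.user'));
    }
}

// Deliberately NOT a subclass of Controller: the login pages must stay
// reachable for visitors who are not logged in yet.
class Login
{
    private function auth()
    {
        $db = new \DB\SQL('sqlite:' . __DIR__ . '/app.db');   // assumption
        return new \Auth(
            new \DB\SQL\Mapper($db, 'users'),
            ['id' => 'user_id', 'pw' => 'password'],
            // Compare against the stored hash instead of a plaintext password.
            function ($entered, $stored) { return password_verify($entered, $stored); }
        );
    }

    function form($f3, $params)
    {
        echo '<form method="post">'
           . 'User <input name="user"> Password <input name="pw" type="password">'
           . '<button>Log in</button></form>';
    }

    function submit($f3, $params)
    {
        if ($this->auth()->login($f3->get('POST.user'), $f3->get('POST.pw'))) {
            $target = $f3->get('SESSION.return_to') ?: '/dashboard'; // starts the session
            session_regenerate_id(true);      // new session id on login (session fixation)
            $f3->set('SESSION.user', $f3->get('POST.user'));
            $f3->clear('SESSION.return_to');
            $f3->reroute($target);            // return_to came from PATH, so it is internal
        }
        // Same response for unknown user and wrong password: no account enumeration.
        $f3->error(401, 'Invalid credentials');
    }

    function logout($f3, $params)
    {
        $f3->clear('SESSION');                // clearing SESSION destroys the session
        $f3->reroute('/login');
    }
}

$f3 = \Base::instance();
$f3->route('GET /login', 'Login->form');
$f3->route('POST /login', 'Login->submit');
$f3->route('GET /logout', 'Login->logout');
$f3->route('GET /dashboard', 'Dashboard->index');   // protected by beforeroute()
$f3->run();
```

Every controller that extends Controller is protected without a SESSION check in each route; only classes that do not extend it (the login form here) stay public. The form still needs CSRF protection and the SQLite DSN, table and column names are placeholders to replace with your own.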
Firstly I'm a real beginner with Laravel so I will try to describe my problem as best as I can.
I am building a website using Laravel however the information on users will not be stored on my server but rather externally on another server.
The only way to access the user's data is through an external API; I am not allowed access to their database. The API request returns a token and I use this token to check with their server to see if the user is logged in.
My question is: how do I authenticate the user so that I can still use Laravel's out of the box guards.
It's really handy to use methods like Auth::check() to determine if the user is still logged in.
You'll either need to modify Laravel's default authentication middleware in app/Http/middleware/Authenticate.php or you'll need to create your own middleware class that runs the authentication that you need. Create a class in the app/Http/middleware folder and register that middleware. https://laravel.com/docs/master/middleware
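An added example that serves both the first question on this page (OAuth2, access token stored in the database, no passwords) and the question just above (a token checked against an external API): instead of editing the stock Authenticate middleware, register a request-based guard so that Auth::check(), Auth::user() and the `auth` middleware keep working. This is not code from any post on this page or from the Laravel project. It assumes Laravel 5.4 or later (Auth::viaRequest), a `users` table with the hypothetical columns `provider_subject`, `access_token_hash` and `access_token_expires_at`, and clients sending the token in an `Authorization: Bearer <token>` header. Braced namespaces are used only so that pieces that live in separate files in a real app fit in one listing.

```php
<?php
// Added example, not code from the posts above or from Laravel itself.
// Assumptions: Laravel 5.4+ (Auth::viaRequest), hypothetical columns
// users.provider_subject, users.access_token_hash, users.access_token_expires_at,
// and an "Authorization: Bearer <token>" header on each request.

namespace App {
    use Carbon\Carbon;
    use Illuminate\Foundation\Auth\User as Authenticatable;

    class User extends Authenticatable
    {
        protected $fillable = ['provider_subject'];
        protected $hidden = ['access_token_hash'];   // never serialised into responses

        // Called from the OAuth2 callback once the provider has returned a token.
        // Only a hash is stored, so a database leak does not leak usable tokens.
        public function storeAccessToken($token, $expiresIn)
        {
            $this->forceFill([
                'access_token_hash'       => hash('sha256', $token),
                'access_token_expires_at' => Carbon::now()->addSeconds($expiresIn),
            ])->save();
        }
    }
}

namespace App\Providers {
    use App\User;
    use Carbon\Carbon;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        public function boot()
        {
            $this->registerPolicies();

            // Request-based guard: Laravel invokes the closure once per request
            // and treats a non-null return value as the authenticated user.
            Auth::viaRequest('stored-token', function (Request $request) {
                $token = $request->bearerToken();
                if ($token === null || $token === '') {
                    return null;
                }
                // Hash lookup is a constant-length indexed equality; the expiry
                // condition keeps stale tokens from being trusted forever.
                return User::where('access_token_hash', hash('sha256', $token))
                    ->where('access_token_expires_at', '>', Carbon::now())
                    ->first();
            });
        }
    }
}

// config/auth.php (only the keys that change; shown as comments since it is a
// config file, not PHP that belongs in this listing):
//   'defaults' => ['guard' => 'api'],
//   'guards'   => ['api' => ['driver' => 'stored-token', 'provider' => 'users']],
//
// routes/web.php: do NOT call Auth::routes(). That helper (Router::auth()) is
// what registers the login, register and password-reset routes; leaving it out
// is all it takes to avoid ForgotPasswordController and ResetPasswordController.
//   Route::get('/oauth/callback', 'OAuthController@callback'); // exchanges the
//        // code with the provider, then calls $user->storeAccessToken($token, $ttl)
//   Route::middleware('auth:api')->get('/me', function () { return \Auth::user(); });
```

With the guard named in config/auth.php, `$this->middleware('auth:api')` in a controller, `Auth::check()` and `Auth::id()` all resolve through the closure, so nothing in the framework ever looks for a password column. For the external-API variant, replace the database lookup inside the closure with the call that validates the token against that API, and cache the positive result for a short time so every request does not become a round trip.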
My current project needs to implement an ACL for the different roles of my users.
For now, I have 4 roles defined by the client (Administrator, Head of Department, Secretary and Teachers), but he wants to create more roles whenever he needs them.
Knowing this, the point is I want to know if there is any way to control the system access without checking the access in each method of my system. Laravel provides me the Authorization services, but it is not enough for the design of my system, and I think checking every method is a deprecated way.
My idea is to implement something before routing any request and check if the user has access depending on his roles; in this way I won't need to check it in every method, as the current solution that Laravel Authorization services, laravel-acl by Kodeine or similar offers me.
If someone has an idea to carry out this idea, please answer this.
Also I want to know if this could affect the system security, how, and how I can handle that.
Thanks in advance.
If you want to use role-based access control only, it's very easy to create your own middleware where you check the passed roles. Now in your routes you can protect routes depending on user roles, for example:
Route::group(['middleware' => 'authorize:admin,secretary'], function() {
// your route here
});
You have sample role middleware in Laravel documentation here.
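The middleware the answer above points to, and the custom middleware the earlier middleware answer (Question #3 there) says you will want when rolling your own access rules, written out as one added example. It is not code from either answer or from the Laravel project. It assumes Laravel 5.x, a `users.role` string column, and the alias `authorize` so that the `authorize:admin,secretary` route example above works unchanged; the roles and route paths are illustrative.

```php
<?php
// Added example, not code from the posts above. A role-checking middleware
// registered once in the HTTP kernel and applied per route group, so access
// is enforced before any controller method runs. Assumptions: Laravel 5.x,
// a users.role string column, alias 'authorize' in $routeMiddleware.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class Authorize
{
    /**
     * Parameters after the colon in the route definition arrive as extra
     * arguments: 'authorize:admin,secretary' gives $roles = ['admin', 'secretary'].
     */
    public function handle(Request $request, Closure $next, ...$roles)
    {
        // Authentication first. Anonymous visitors are sent to the login page
        // (or get a 401 on JSON requests); they never receive the 403 below,
        // which would reveal that a resource exists and which roles it needs.
        if (!Auth::check()) {
            return $request->expectsJson()
                ? response()->json(['message' => 'Unauthenticated.'], 401)
                : redirect()->guest('/login');
        }

        // Then authorization: deny by default, allow only the listed roles.
        // Strict comparison so that a role of "0" or "" cannot match by accident.
        if (!in_array(Auth::user()->role, $roles, true)) {
            abort(403, 'This action is unauthorized.');
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: register the alias next to the built-in 'auth' entry.
//   protected $routeMiddleware = [
//       'auth'      => \Illuminate\Auth\Middleware\Authenticate::class,
//       // ...
//       'authorize' => \App\Http\Middleware\Authorize::class,
//   ];
//
// routes/web.php: one line per group instead of one check per method.
//   Route::group(['middleware' => 'authorize:admin,secretary'], function () {
//       Route::get('/enrolments', 'EnrolmentController@index');
//   });
//   Route::group(['middleware' => 'authorize:admin'], function () {
//       Route::resource('/users', 'UserController');
//   });
// A controller can still opt in for all of its own actions:
//   public function __construct() { $this->middleware('authorize:admin,head'); }
```

Because the client wants to add roles later, keep the role names as data rather than constants: the middleware compares whatever string is in `users.role` (or, with a roles table, `Auth::user()->roles()->pluck('name')`) against the list on the route, so a new role only needs a database row and a route group, not new code. Security-wise the important property is the default-deny order above: every route in a group is closed unless a listed role matches, and routes you forget to put in a group are the ones to audit.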
I'm building my first CakePHP application, but I'm pulling my hair out over this problem: I need my application (mydomain.com/cake-app) to co-operate with another non-Cake PHP application (mydomain.com/custom-class) on the same server.
Both applications should share authentications and sessions, and I would like Cakephp to handle these.
However, custom-class will need to see who's logged in, and also add/edit users in my cake-app db, either by accessing my User Model, or by calling a setUser action in my UsersController. custom-class does not have access to the cake-app database.
How can I access Cakephp's AuthComponent and my User Model / UsersController from outside the Cakephp framework? What cake files do I need to include in my custom-class in order to accomplish this?
custom-class does not have access to the cake-app database.
The only way is an API then, which doesn't require direct DB access. Implement a RESTful API, for example, that your non-Cake app can call.
http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/views/json-and-xml-views.html
However, custom-class will need to see who's logged in, and also add/edit users to my cake-app db, either by accessing my User Model, or by calling an setUser action in my UsersController.
You'll have to read the cookie then and the cookie needs to require something you can send along with your API request so that the API knows who is asking for what.
You won't be able to simply require() or include() a few files from Cake and have it work; this isn't going to happen because the Auth system is a complete stack. You would have to initialize a request, controller, component collection, auth component and the auth adapter(s). Instead, check how Cake writes and reads the cookie and implement it the same way in your custom class. But pay attention: Cake saves the cookie encrypted.
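The API route the answer recommends, with the client side in the non-Cake application, as an added example (not code from the answer or from the CakePHP project). It assumes CakePHP 3.4 or later with AuthComponent keeping the logged-in user in the PHP session under the default `CAKEPHP` cookie name, an `api` routing prefix with the `json` extension enabled, a `users.role` column, and that both applications are served from the same host so the browser's session cookie is already present on requests to custom-class. Paths, table and column names are assumptions.

```php
<?php
// Added example, not code from the answer above or from CakePHP. Assumptions:
// CakePHP 3.4+, session-based AuthComponent (default cookie name CAKEPHP),
// config/routes.php containing
//   Router::prefix('api', function ($routes) {
//       $routes->extensions(['json']);
//       $routes->fallbacks('DashedRoute');
//   });
// and a users.role column. Both apps run on the same host (mydomain.com).

// --- cake-app: src/Controller/Api/UsersController.php ----------------------
namespace App\Controller\Api;

use App\Controller\AppController;
use Cake\Network\Exception\ForbiddenException;

class UsersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');   // serves .json via _serialize
        $this->Auth->deny();   // every action here needs a logged-in user;
                               // AuthComponent stops anonymous requests before any action runs
    }

    // GET /api/users/me.json -> who is logged in, read from the session by AuthComponent
    public function me()
    {
        $user = $this->Auth->user();
        unset($user['password']);                 // never ship the hash, even hidden fields
        $this->set('user', $user);
        $this->set('_serialize', ['user']);
    }

    // POST /api/users/set.json -> the "setUser" action the asker mentions
    public function set()
    {
        $this->request->allowMethod(['post']);
        if ($this->Auth->user('role') !== 'admin') {     // assumption: users.role
            throw new ForbiddenException('Only administrators may edit users.');
        }
        $users = $this->loadModel('Users');
        $user = $users->newEntity($this->request->getData(), [
            'fields' => ['username', 'email'],      // mass-assignment allow-list:
        ]);                                          // id, role and password are not settable
        $saved = $users->save($user);
        $this->set(['ok' => (bool)$saved, 'errors' => $user->getErrors()]);
        $this->set('_serialize', ['ok', 'errors']);
    }
}

// --- custom-class/cake_session.php (non-Cake application) ------------------
// Forwards the visitor's own CAKEPHP session cookie to the API, so the API
// answers as that user. custom-class never touches the cake-app database and
// never has to decrypt anything Cake wrote.
function cakeApi($path, array $post = null)
{
    $sessionId = isset($_COOKIE['CAKEPHP']) ? $_COOKIE['CAKEPHP'] : null;
    if ($sessionId === null) {
        return null;                              // visitor is not logged in to cake-app
    }
    $ch = curl_init('https://mydomain.com/cake-app' . $path);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIE         => 'CAKEPHP=' . rawurlencode($sessionId),
        // X-Requested-With makes AuthComponent answer 403 instead of redirecting.
        CURLOPT_HTTPHEADER     => ['Accept: application/json',
                                   'X-Requested-With: XMLHttpRequest'],
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $status === 200 ? json_decode($body, true) : null;
}

$me = cakeApi('/api/users/me.json');
echo $me ? 'Logged in as ' . htmlspecialchars($me['user']['username']) : 'Not logged in';
```

Only the session cookie of the visitor currently making the request is forwarded, so custom-class can never act as anyone it is not serving. If cake-app loads CsrfComponent (or the CSRF middleware), the POST will be rejected until you either exclude the `api` prefix from it or send the `csrfToken` cookie value back in an `X-CSRF-Token` header; do not switch it off application-wide for this.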