I have used "JWT Authentication for WP-API" plugin to login and to generate a token.
On the JSON response I have only some data from the wp_users table.
How can I change it to take some others value from wp_usermeta table on response, because I want to know user status level.
You need to use the filters jwt_auth_token_before_sign or jwt_auth_token_before_dispatch.
The first filter receives the token data, and a user object.
In another plugin or in your theme, you'd need to call add_filter.
I'm a bit rusty on my Wordpress, and I do not have a WP instance handy to test this out, but this is the general theory:
Basic example:
add_filter('jwt_auth_token_before_sign', 'add_user_info_jwt', 10, 2);
function add_user_info_jwt($token, $user) {
// fetch whatever information you want from the user, probably using the $user
// object as starting point.
$token['roles'] = implode(',', $user->roles);;
return $token;
}
The $token you receive will have this starting structure and information:
$token = [
'iss' => get_bloginfo( 'url' ),
'iat' => $issuedAt,
'nbf' => $notBefore,
'exp' => $expire,
'data' => [
'user' => [
'id' => $user->data->ID,
]
]
];
Related
I am having trouble with authenticated user in my Laravel/Vue app. Once you log in, you can choose to make a purchase via Stripe which leads you off the page, and returns back upon payment.
Just to make sure, I've made an endpoint:
Route::get('test', function(){
return Auth::user();
});
And before and after Stripe, when I hit it, I do get back the user. So authentication is in order.
What happens though is that Stripe upon payment event makes a webhook callback to my route:
Route::post('api/stripe/checkout-session-completed', 'StripeController#checkoutSessionCompleted');
Inside a hook, event is fired which should propagate number of credits purchased to the user who made the purchase, however I am always getting that Auth::user() is not defined.
use Illuminate\Support\Facades\Auth;
...
public function checkoutSessionCompleted()
{
...
$this->handleCheckout($session); // this is Stripe session object
...
}
private function handleCheckout($session)
{
...
event(new PaymentSuccessful($payment, Auth::user()));
...
}
Was this supposed to happen? How can I get the currently auth user if not like this?
Looks like sessions aren't shared when external source makes a POST request to your route. I made a workaround to include user ID within Stripe session metadata, so I can find user by that same ID when request returns via webhook.
$stripeSession = Session::create([
'success_url' => route('stripe.success') . '/?session_id={CHECKOUT_SESSION_ID}',
'cancel_url' => route('stripe.cancel'),
'payment_method_types' => ['card'],
'mode' => 'payment',
'line_items' => [
[
'price_data' => [
'currency' => 'eur',
'product' => env('STRIPE_PRODUCT_ID'),
'unit_amount' => $price->stripe_price * 100,
],
'description' => "Credits to receive: $price->quantity",
'quantity' => 1,
],
],
'metadata' => [
'quantity' => $price->quantity,
'user_id' => Auth::user()->id,
],
'customer_email' => optional(Auth::user())->email ?? null,
'client_reference_id' => optional(Auth::user())->id ?? null,
]);
UPDATE:
As it turns out, I need to enable this setting for data to show up, and using tabs is the correct thing to do.
When an envelope is sent, write the initial value of the field for all recipients
=================================================================
Not sure why this one is not mentioned in API properly ... but how does one go about filling template's custom data label with template?
So, I create a template like this:
$envelope_definition = new EnvelopeDefinition([
'status' => 'sent',
'template_id' => $args['template_id'],
]);
then I create a signer:
$signer = new TemplateRole([
'email' => $args['signer_email'],
'name' => $args['signer_name'],
'role_name' => 'signer',
]);
Here is where the disconnect happened, where do I add a pre-defined template value? I tried two things so far:
1. Add tabs to $signer like so, but by doing so, it ereases all field value in the final document,
new Tabs([
"text_tabs" => [
new Text([
"tab_label" => "price",
"value" => "123456789",
]),
],
]),
Call $envelope_definition->setCustomFields() , like this :
$envelope_definition->setCustomFields(new CustomFields([
'text_custom_fields' => [
'price' => new Text([
'tab_label' => 'price',
'custom_tab_id' => 'price',
'value' => '123456789',
]),
],
]));
It will throw me a C# error, which I don't understand at all:
Error while requesting server, received a non successful HTTP code [400] with response Body: O:8:\"stdClass\":2:{s:9:\"errorCode\";s:20:\"INVALID_REQUEST_BODY\";s:7:\"message\";s:718:\"The request body is missing or improperly formatted. Cannot deserialize the current JSON object (e.g. {\"name\":\"value\"}) into type 'System.Collections.Generic.List`1[API_REST.Models.v2_1.textCustomField]' because the type requires a JSON array (e.g. [1,2,3]) to deserialize correctly.\r\nTo fix this error either change the JSON to a JSON array (e.g. [1,2,3]) or change the deserialized type so that it is a normal .NET type (e.g. not a primitive type like integer, not a collection type like an array or List<T>) that can be deserialized from a JSON object. JsonObjectAttribute can also be added to the type to force it to deserialize from a JSON object.\r\nPath 'customFields.textCustomFields.price', line 1, position 45.\";}"
API docs seems to be focusing on creating template and values adhoc ... anyone have something that works? Thanks a lot!
You can find valid PHP example here which shows how to prepopulate template tab values while creating an envelope.
You didn't follow the example correctly.
You didn't create a \DocuSign\eSign\Model\TextCustomField object.
Here it is from Amit's link:
# Create an envelope custom field to save the our application's
# data about the envelope
$custom_field = new \DocuSign\eSign\Model\TextCustomField([
'name' => 'app metadata item',
'required' => 'false',
'show' => 'true', # Yes, include in the CoC
'value' => '1234567']);
$custom_fields = new \DocuSign\eSign\Model\CustomFields([
'text_custom_fields' => [$custom_field]]);
$envelope_definition->setCustomFields($custom_fields);
I'm authenticating my users on my web service and then creating Firebase custom token via php-jwt:
// Requires: composer require firebase/php-jwt
use Firebase\JWT\JWT;
// Get your service account's email address and private key from the JSON key file
$service_account_email = ...;
$private_key = ...;
function create_custom_token($uid, $is_premium_account) {
global $service_account_email, $private_key;
$now_seconds = time();
$payload = array(
"iss" => $service_account_email,
"sub" => $service_account_email,
"aud" => "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
"iat" => $now_seconds,
"exp" => $now_seconds+(60*60), // Maximum expiration time is one hour
"uid" => $uid,
"claims" => array(
"premium_account" => $is_premium_account
)
);
return JWT::encode($payload, $private_key, "RS256");
}
But the users that I authenticate this way, don't show the administrator-friendly "Identifier" and "Providers" fields in the "Authentication" panel in the Firebase Console:
The first two are users that I authenticated via this custom authentication process, and the last one is a user that I authenticated directly via Google.
How can I populate the "Identifier" and the "Providers" fields for users created via custom authentication?
The "Providers" column will only display an icon if the information attached to a user matches one or more of the the given providers in the "Sign-In Methods" section (https://console.firebase.google.com/project/_/authentication/providers).
Custom providers don't have a distinct icon, and Firebase wouldn't know what to display in the "Identifier" column (the UID is already in its own column at the end).
However, you do have some control for the display of the columns by creating them in advance (meaning: before signing them in for the first time), or by updating the user information after the user entry has been created.
I prepared an example showing which combination of fields leads to which display:
Please note:
The display name has no effect: if it is the only data provided, the user is considered anonymous.
Email + Password match the "Email/Password" Provider
Phone Numbers will alway match the "Phone" provider
The icons for a matched provider will be displayed in the column, even if a provider has been disabled.
Emails and Phone numbers have to be unique. If your application allows multiple users with the same email address/phone number, you will get into trouble, if you just want to see more information about the users of your Firebase project.
You can create and update users via the Firebase Auth REST API, but I would suggest to use one of the official Firebase Admin SDKs SDK to do it - in case you want to stick to PHP, I happen to know an unofficial one: kreait/firebase-php (Documentation) (Disclaimer: I'm the maintainer of the PHP SDK :) ).
On a non-technical note: I wouldn't bother too much with the user list in the Firebase Web Console: use the Firebase CLI tool or one of the official (or unofficial ;) ) Admin SDKs to create an overview that meets your needs.
You mentioned in the Bounty Annotation that you asked this in the Firebase Slack Community without an answer - you can find me and other PHP developers in the #php channel. I enabled notifications for the channel, so please feel free to join if you have further questions.
FYI, this is the code I wrote with the PHP SDK to create the data for the screenshot above:
<?php
declare(strict_types=1);
use Kreait\Firebase;
use Kreait\Firebase\Util\JSON;
require_once __DIR__.'/vendor/autoload.php';
$serviceAccount = Firebase\ServiceAccount::fromJsonFile(__DIR__.'/service_account.json');
$firebase = (new Firebase\Factory())
->withServiceAccount($serviceAccount)
->create();
$auth = $firebase->getAuth();
// Remove all users
foreach ($auth->listUsers() as $user) {
$auth->deleteUser($user->uid);
}
// Simulate custom auth
$ct = $auth->createCustomToken('a-custom-auth');
$r = $auth->getApiClient()->exchangeCustomTokenForIdAndRefreshToken($ct);
echo JSON::prettyPrint($auth->getUser('a-custom-auth'));
echo JSON::prettyPrint($auth->createUser([
'uid' => 'displayname-only',
'displayName' => 'Jérôme Gamez',
]));
echo JSON::prettyPrint($auth->createUser([
'uid' => 'email-only',
'email' => 'jerome#example.org',
]));
echo JSON::prettyPrint($auth->createUser([
'uid' => 'email-and-password',
'email' => 'jerome#example.com',
'password' => 'password'
]));
echo JSON::prettyPrint($auth->createUser([
'uid' => 'phone-only',
'phoneNumber' => '+49-123-1234567',
]));
echo JSON::prettyPrint($auth->createUser([
'uid' => 'email+name+phone',
'email' => 'jerome#example.net',
'displayName' => 'Jérôme Gamez',
'phoneNumber' => '+49-123-7654321',
]));
echo JSON::prettyPrint($auth->createUser([
'uid' => 'email+name+password+phone',
'email' => 'jerome#example.de',
'displayName' => 'Jérôme Gamez',
'password' => 'example123',
'phoneNumber' => '+49-321-7654321',
]));
I am using Silex 2.0 (I know - it's development version and not fully released yet) along with CNAM's JWT security provider (see: https://github.com/cnam/security-jwt-service-provider) to write an API for an open source application I am writing.
In short, there are three types of users that I care about:
Sitewide admins (ROLE_ADMIN) that have complete access
Commissioners (ROLE_COMMISH) who create objects they own, and can edit their own objects
Anonymous users who access read-only information.
As such, there are three sections of routes that go along with these "roles":
/admin/* where administrators can perform their uber actions
/commish/* where commissioners or admins can perform their actions on their objects
/* where all users can read information
The issue that I've come across is that while I can setup 3 firewalls, one for each, there are times in the 3rd route category (GET /object/1 for instance) where it needs to be accessibly anonymously, but if the user provides a valid JWT token, I need to access that user in order to perform some additional logic on the data I hand back in the response.
As I have it setup currently (more on my config below), it's all-or-nothing: I either restrict an entire firewall to only authenticated users with a certain role, or I open it up to anonymous users (and therefore cannot view user information).
Is it possible to have a route that anyone can hit, but logged in users can also be seen?
Current security configuration:
$app['users'] = function () use ($app) {
return new UserProvider($app);
};
$app['security.jwt'] = [
'secret_key' => AUTH_KEY,
'life_time' => 86400,
'algorithm' => ['HS256'],
'options' => [
'header_name' => 'X-Access-Token'
]
];
$app['security.firewalls'] = array(
'login' => [
'pattern' => 'login|register|verify|lostPassword|resetPassword',
'anonymous' => true,
],
'admin' => array(
'pattern' => '^/admin',
'logout' => array('logout_path' => '/logout'),
'users' => $app['users'],
'jwt' => array(
'use_forward' => true,
'require_previous_session' => false,
'stateless' => true,
)
),
'commish' => array(
'pattern' => '^/commish',
'logout' => array('logout_path' => '/logout'),
'users' => $app['users'],
'jwt' => array(
'use_forward' => true,
'require_previous_session' => false,
'stateless' => true,
)
)
);
$app['security.role_hierarchy'] = array(
'ROLE_ADMIN' => array('ROLE_MANAGER'),
);
$app->register(new Silex\Provider\SecurityServiceProvider());
$app->register(new Silex\Provider\SecurityJWTServiceProvider());
Additionally, I've attempted another approach where I match all routes under a single firewall, but then protect certain ones by using securty.access_rules configuration, but it does not work. An example of what I've tried:
$app['security.firewalls'] = array(
'api' => array(
'pattern' => '^/',
'logout' => array('logout_path' => '/logout'),
'anonymous' => true,
'jwt' => array(
'use_forward' => true,
'require_previous_session' => false,
'stateless' => true
)
)
);
$app['security.access_rules'] = array(
array('^/admin', 'ROLE_ADMIN'),
array('^/commish', 'ROLE_MANAGER'),
array('^/', 'IS_AUTHENTICATED_ANONYMOUSLY')
);
You can use $app['security.jwt.encoder'] to decode jwt and either create a custom trait and extending the route object or using midddlewareeeither on the route level or an easier way would be to use a middleware on the application level. I had similar issue and this is how i solved it, something like below
ex.
$app->before(function (Request $request, Application $app) {
$request->decodedJWT = $app['security.jwt.encoder']->
decode($request->headers->get('X-Access-Token'));
});
and then you can access the decoded jwt form any route by doing this
$app->get('/object/1', function(Request $request) {
$decodedJWT = $request->decodedJWT;
// do whatever logic you need here
})
So: so far I have not found this to be possible through the "normal" way, which is disappointing. I will not mark what I detail below as the "answer" for a few days, hoping that someone can chime in and offer a better, more "official" way to solve the dilemma.
TL;DR: I manually check the request headers for the access token string, then decode the token using the JWT classes in order to load the user account in routes outside of the firewall. It's incredibly hacky, it feels downright dirty, but it's the only solution to the issue that I see at the moment.
Technical Details: First, you must acquire the token value from the request header. Your controller method will have been handed a Symfony\Component\HttpFoundation\Request object, from which you can access $request->headers->get('X-Access-Token'). In most instances the user will not be authenticated, so this will be empty, and you can return null.
If not empty, you must then use Silex's instance of JWTEncoder to decode the token contents, create a new token instance of JWTToken, set the context to the decoded value from the encoder, and finally you can access the username property from said token - which can then be used to grab the corresponding user record. An example of what I came up with:
$request_token = $request->headers->get('X-Access-Token','');
if(empty($request_token)) {
return null;
}
try {
$decoded = $app['security.jwt.encoder']->decode($request_token);
$token = new \Silex\Component\Security\Http\Token\JWTToken();
$token->setTokenContext($decoded);
$userName = $token->getTokenContext()->name;
//Here, you'd use whatever "load by username" function you have at your disposal
}catch(\Exception $ex) {
return null;
}
And obviously, any code calling this function would need to know that because the request is outside of the firewall, there is zero guarantee that a user will be returned (hence the hacky try-catch that silences exceptions by just returning null).
Edit: I've updated the code here to use Silex's built-in DI container (provided by Pimple) so there's no need to create a new instance of the JWT encoder by hand. I'm also marking #user5117342 's answer as the correct one, as using some sort of Silex middleware approach is far more robust.
Edit (April 2016): Using the updated cnam/security-jwt-service 2.1.0 along with symfony/security 2.8, there's a slight update that makes the code above a little simpler:
$request_token = $request->headers->get('X-Access-Token','');
if(empty($request_token)) {
return null;
}
try {
$decodedToken = $app['security.jwt.encoder']->decode($request_token);
$userName = $decodedToken->name;
//Here, you'd use whatever "load by username" function you have at your disposal
}catch(\Exception $ex) {
return null;
}
The issue with the newer dependencies is that the JWTToken constructor requires 3 parameters which are difficult to obtain in most service layers, not to mention is quite out of place. As I was updating my Composer dependencies, I ended up finding out that I didn't actually need to create a JWTToken in order to get the username I needed.
Of course, it's to be noted I'm only using this method on public (anonymous) API routes to provide some niceties to users who are logged in - my app doesn't deal with sensitive data so I'm not overly concerned with this avenue outside of the firewalls. At worst a black hat user would end up seeing non-sensitive data that they normally wouldn't, but that's it. So YMMV.
Your are must be use regular expression e.g.
$app['security.firewalls'] = array(
'login' => [
'pattern' => 'login|register|oauth',
'anonymous' => true,
],
'secured' => array(
'pattern' => '^/api|/admin|/manager',
'logout' => array('logout_path' => '/logout'),
'users' => $app['users'],
'jwt' => array(
'use_forward' => true,
'require_previous_session' => false,
'stateless' => true,
)
),
);
I have a mongo db structure for users with "username" and "password". I am trying to use the Auth in cakephp login but it seems like its not working for me. I tried removing the $this->data but still it did not work.
My password is hashed using Security::hash($this->data['User']['password'])
if(!empty($this->data))
{
if($this->Auth->login($this->data))
{
echo "yes";
}
else{
echo "no";
}
}
In my app controller I have this:
public $components = array('DebugKit.Toolbar', 'Session', 'Auth' => array(
'loginAction' => array(
'controller' => 'pages',
'action' => 'home'
),
'authenticate' => array(
'Form' => array(
'fields' => array('username' => 'username', 'password' => 'password')
)
)
));
Here is the result when I debug the login method:
array(
'User' => array(
'password' => '*****',
'username' => 'test#test.com',
'remember' => '0',
'auto_login' => '0'
)
)
I don't know why I cannot use Auth with mongodb. Thanks for the help in advance.
EDIT:
When i tried and take away the layout, it shows me a query at the bottom of the page saying:
db.users.find( {"username":"test#test.com","password":"2fdf49ffc396453960802df8fc2417655d1e8fca"}, [] ).sort( [] ).limit( 1 ).skip( 0 )
The hashed value of the password that I inputted from the form is different from the hash value that is being queried. The hashed value should be "a2374c309ab7823dcd9b4e21dae7511f7a9c7ec5". Why is it that cakephp is converting the password into another hash value?
There are two ways of using $this->Auth->login(). The CakePHP API documentation explains it:
If a $user is provided that data will be stored as the logged in user. If $user is empty or not specified, the request will be used to identify a user.
The manual also mentions:
In 2.0 $this->Auth->login($this->request->data) will log the user in with whatever data is posted ...
So for the login method of the users controller you shouldn't pass anything:
if($this->Auth->login()) {
// user is now logged in
}
Should you need to manually login a user you can pass the user data as an array:
if($this->Auth->login($this->request->data['User'])) {
// user is now logged in
}
Where $this->request->data['User'] is something like:
array(
'id' => 1,
'username' => 'admin',
'password' => '1234',
);
Note: In both cases you don't need to hash the password as it is done automatically.
I was able to find out the answer. Its because cakephp is automatically hashing the password when searching in the database.
The problem that I had was when I was saving the users' password, I am was using
Security::hash($this->data['User']['password'])
I should have used this one instead:
AuthComponent::password($this->data['User']['password'])
Thank you for all the help especially to #xgalvin