Symfony 3 - Continue the session if the account is disabled in FOSUserBundle

On my site I have users that I manage with FOSUserBundle.
I am using the "enabled" attribute which is part of the FOSUser model.
However, when one of my users is disabled, they can no longer log in. They get the message "Your account is disabled".
However, on my site, when a user is disabled, I want to give him the opportunity to log in and view certain pages of the site.
How can I remove this prohibition on logging in after deactivation? Thank you
EDIT:
On my site, the notion of disabled user is different.
A "disabled" user on my site will just lose the ability to use the site normally. He will only have access to his "My Account" space, on which he can redo a request to reactivate his account, which will be studied by the administrator.
He will then receive an email from the administrator with his answer. If his request is accepted, his account will be reactivated and he will be able to use all the functionalities of the site again.
That's why I do not want FOSUserBundle to stop me from logging in when the user is disabled.
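One way to get this behaviour in Symfony 3, as an added example that is not part of the question and not FOSUserBundle's own code: swap the firewall's user checker for one that omits the `isEnabled()` test (that test is what raises the "account is disabled" error), and enforce the restriction per request instead, so a disabled user can only reach the account pages. Assumed: an `AppBundle` namespace, a firewall named `main`, FOSUserBundle's default profile and logout route names, and a hypothetical `app_account_reactivate` route for the reactivation request. The two classes are shown in one listing; under PSR-4 they belong in separate files.

```php
<?php
// Added example: not from the question and not FOSUserBundle code.
// Assumptions: namespace AppBundle, firewall "main", FOSUserBundle default routes,
// hypothetical route "app_account_reactivate".
namespace AppBundle\Security;

use FOS\UserBundle\Model\UserInterface as FOSUserInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Exception\AccountExpiredException;
use Symfony\Component\Security\Core\Exception\CredentialsExpiredException;
use Symfony\Component\Security\Core\Exception\LockedException;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Same checks as Symfony's built-in UserChecker, minus the isEnabled() test.
 * Wire it up in security.yml:
 *   security: { firewalls: { main: { user_checker: app.security.disabled_allowed_user_checker } } }
 * where that service id points at this class.
 */
class DisabledAllowedUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user)
    {
        if (!$user instanceof AdvancedUserInterface) {
            return;
        }
        if (!$user->isAccountNonLocked()) {
            throw new LockedException('User account is locked.');
        }
        // Deliberately no isEnabled() check here: disabled accounts may log in.
        if (!$user->isAccountNonExpired()) {
            throw new AccountExpiredException('User account has expired.');
        }
    }

    public function checkPostAuth(UserInterface $user)
    {
        if ($user instanceof AdvancedUserInterface && !$user->isCredentialsNonExpired()) {
            throw new CredentialsExpiredException('User credentials have expired.');
        }
    }
}

/**
 * Because the "enabled" flag no longer blocks login, enforce it on every request:
 * a disabled user may only reach the routes listed below and is otherwise sent
 * to the profile page. Register it as a kernel.request listener with the default
 * priority so it runs after the firewall has populated the token storage.
 */
class DisabledUserRedirectListener
{
    private $tokenStorage;
    private $router;
    private $allowedRoutes = [
        'fos_user_profile_show',
        'fos_user_profile_edit',
        'fos_user_security_logout',
        'app_account_reactivate', // hypothetical: the "ask the admin to reactivate me" form
    ];

    public function __construct(TokenStorageInterface $tokenStorage, RouterInterface $router)
    {
        $this->tokenStorage = $tokenStorage;
        $this->router = $router;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return;
        }
        $token = $this->tokenStorage->getToken();
        $user = $token ? $token->getUser() : null;
        if (!$user instanceof FOSUserInterface || $user->isEnabled()) {
            return; // anonymous or fully enabled user: nothing to restrict
        }
        $route = $event->getRequest()->attributes->get('_route');
        if (in_array($route, $this->allowedRoutes, true)) {
            return;
        }
        $event->setResponse(new RedirectResponse($this->router->generate('fos_user_profile_show')));
    }
}
```

Keep the logout route in the allow-list, otherwise a disabled user can never end the session, and keep the list of allowed routes short and explicit: anything not named is denied, which is the safer default when the account is in a "suspended" state.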

Related

Symfony 4.4 checking logged in user from 2 firewalls

I am struggling with a seemingly simple issue around firewalls and user providers in Symfony 4.4.
I am using 2 firewalls & user providers for different user groups.
On my homepage, I want to spare logged in users the marketing page and redirect them to the logged in area immediately. So I need to check if the browser is already logged in to either one of the firewalls. If yes, redirect to a specific page in the login-area.
Here's what's happening though:
I tried to create a firewall using a chained user provider for the homepage, but it cannot access the logged in users from the other firewalls. The user is always null.
So my question is:
How can I check if a user is logged in to a firewall/user provider that does not apply to the page I am currently on?
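One way to answer that in Symfony 4.4, as an added example that is not part of the question: the session is shared by all stateful firewalls, and Symfony's ContextListener stores each firewall's authenticated token under the session key `_security_` followed by the firewall's context key (the firewall name unless a `context:` option is set), and removes that key on logout or when the token is anonymous. So a controller on the homepage can look for those keys even when its own firewall reports no user. Assumed: two stateful firewalls named `customers` and `partners` with no custom `context`, and a hypothetical `app_dashboard` route.

```php
<?php
// Added example: not from the question. Assumes firewalls "customers" and
// "partners" (no custom "context" option) and a hypothetical route "app_dashboard".
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class HomepageController extends AbstractController
{
    /** Firewall context keys to probe, in the order that should win. */
    private const FIREWALL_CONTEXTS = ['customers', 'partners'];

    /**
     * @Route("/", name="app_homepage")
     */
    public function index(Request $request): Response
    {
        if ($this->loggedInFirewall($request) !== null) {
            return $this->redirectToRoute('app_dashboard');
        }
        return $this->render('homepage/marketing.html.twig');
    }

    /**
     * Returns the context key of the first firewall that has persisted a
     * non-anonymous token in this session, or null if none has. Works even
     * when $this->getUser() is null because the homepage sits under another
     * firewall: the session itself is shared across firewalls.
     */
    public function loggedInFirewall(Request $request): ?string
    {
        if (!$request->hasPreviousSession()) {
            return null; // no session cookie at all: certainly not logged in
        }
        $session = $request->getSession();
        foreach (self::FIREWALL_CONTEXTS as $context) {
            // ContextListener only writes this key for an authenticated,
            // non-anonymous token and deletes it on logout.
            if ($session->has('_security_'.$context)) {
                return $context;
            }
        }
        return null;
    }
}
```

Two caveats. Presence of the key only proves that a token was persisted at some point; the user is refreshed from its provider only on requests handled by that firewall, so treat this as "probably logged in, redirect" and let the destination firewall do the real check. And if both user groups can live in one security context, the supported alternative is to give both firewalls the same `context:` value in `security.yaml`, after which the token is visible to either firewall's `$this->getUser()` and this key probing is unnecessary.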

Redirect back to original URL after registration with auth0

Our customer hosts online and in-person educational courses. My company has created a website for them that allows visitors to browse the catalog of courses and sign up for them. We're now working to implement authentication using auth0 to integrate our website with the customer's new SSO solution.
User registration and login work, but there is a requirement made by project management that we have so far been unable to implement. The scenario:
A new user visits the website and finds a course they want to take.
They click on "Register for this course". Since they are not logged in, they will now be redirected to the Log In/Register page. They sign up for a new account. After completing the registration process, they should be redirected back to the page of the course they originally came from.
The auth0 workflow is set up in such a way that after completing the multi-step registration process (which includes e-mail verification and entering a code sent to the user's mobile phone), the user is redirected to a "continue" page ("customer-site.com/our-site/continue").
At this point however, we lack the information which course page the user originally initiated the registration process from, since the "continue" page apparently isn't provided any parameters (contrary to what the answers to this question and this question claim, we do not receive a state parameter — is there possibly an issue with the way our customer's auth0 workflow is set up?).
The way we went about this: we encoded our state information and passed it to the login method of auth0:
$auth0->login(base64_encode($my_state));
At the end of a regular login, auth0 redirects the user to our callback page and the state parameter is present and contains the data we provided ($my_state).
If the user performs a registration instead, they are redirected to our continue page, which doesn't receive a state parameter. This redirection to continue happens after the user confirms their e-mail address, the url looks like this:
https://<our-page.com>/continue&supportSignUp=true&supportForgotPassword=true&email=<user e-mail>&message=Your%20email%20was%20verified.%20You%20can%20continue%20using%20the%20application.&success=true&code=success#&language=de
We have read auth0 documentation detailing similar topics (actually redirection after login, not registration), which recommends using cookies for this. However, project management requires a solution that does not use cookies.
Since the SSO infrastructure is owned by our customer, we can't make changes to the auth0 settings directly, but we can make requests.
Is it possible to redirect users after registration to the page where they were before initiating registration? Is it possible to do so without the use of cookies?
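Whatever happens on the registration path, the state value passed to `login()` is the one place in this flow where the return URL travels without a cookie, and the question's `base64_encode($my_state)` is unsigned: anyone who can craft a link can choose the post-login destination. As an added example that is not part of the question and not the Auth0 PHP SDK, here is a signed, expiring state that carries the course page and is validated on the callback before redirecting. `$stateSecret` is an assumed server-side secret; the state format is this example's own and does not change what auth0 sends to the "continue" page.

```php
<?php
// Added example: not from the question and not Auth0 SDK code.
// $stateSecret is an assumed server-side secret (e.g. 32 random bytes from config).

/** Build a state value "<base64url(json)>.<hmac>" carrying a same-site return path. */
function buildState(string $returnTo, string $stateSecret, int $ttl = 600): string
{
    // Accept only relative paths (no scheme, no "//host") to rule out open redirects.
    if ($returnTo === '' || $returnTo[0] !== '/' || substr($returnTo, 0, 2) === '//') {
        $returnTo = '/';
    }
    $payload = json_encode([
        'rt'  => $returnTo,
        'exp' => time() + $ttl,
        'n'   => bin2hex(random_bytes(16)), // nonce: makes each state unique
    ]);
    $b64 = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    $sig = hash_hmac('sha256', $b64, $stateSecret);
    return $b64.'.'.$sig;
}

/** Verify signature and expiry; return the return path, or null if the state is not trustworthy. */
function parseState(string $state, string $stateSecret): ?string
{
    $parts = explode('.', $state, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $sig] = $parts;
    // Constant-time comparison; compare before decoding anything attacker-controlled.
    if (!hash_equals(hash_hmac('sha256', $b64, $stateSecret), $sig)) {
        return null;
    }
    $padded = $b64.str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode(strtr($padded, '-_', '+/'), true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['rt'], $data['exp']) || !is_int($data['exp'])) {
        return null;
    }
    if ($data['exp'] < time()) {
        return null; // stale state: the user took too long or the link was replayed later
    }
    return $data['rt'];
}

// Usage, in place of $auth0->login(base64_encode($my_state)):
//   $auth0->login(buildState('/courses/42', $stateSecret));
// On the callback page, where the question says state does come back:
//   $returnTo = parseState($_GET['state'] ?? '', $stateSecret) ?? '/';
//   header('Location: '.$returnTo, true, 302);
```

This only covers the login callback, which is the path the question says returns `state`; the "continue" URL quoted above carries no state at all, and nothing in it identifies the originating course, so the signed state cannot recover it there.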

Best way to securely transfer user to different URL while maintaining their 'logged in' status

In the latest version of our SAAS product, we are designing it to allow our customers to deploy multiple instances of the software.
We require the sign up and login to be tightly integrated into the primary domain - the "sells the product to new customers" website PrimaryDomain.com which features "Sign Up" and "Login" forms that use jQuery/AJAX to give responsive feedback on data submission.
When a customer successfully logs in, they are to be presented with a list of all their installed instances of our product. All installed instances of our product can be hosted across dozens of domains, but to keep this question simple, they are hosted on [subdomain].SecondaryDomain.com (code + database).
Every installed instance also features an admin panel which currently customers need to manually login to each individual instance as required.
We want the customer to be able to click on 'view admin panel' next to any of their installed instances and automatically be logged in on [subdomain].SecondaryDomain since they were logged in on PrimaryDomain.com.
SecondaryDomain.com naturally doesn't have access to the cookies or session variables of PrimaryDomain.com, so what is the best way to allow SecondaryDomain.com to authorise?
We have considered a few different options, such as:
Researching some clever way that the domains can share cookie/session data?
Generate a token that is passed with the url when clicking 'view admin panel' to the second domain. The token is unique to the userid plus subdomain (such as an md5 hash) and then validating it on the receiving end.
Recording a one-time-use token into the database and sending with the url and having SecondaryDomain.com connect to PrimaryDomain.com's database to verify the one-time-use token and set appropriate session and cookie variables.
The one-time-use token seems like the right approach, but I haven't been able to find any concrete answers on (a) whether this is even the RIGHT approach, and (b) what the security implications are around it.
I recommend SAML for this case. SAML requires you to have an identity provider (IdP) and service providers (SP). The user will login to the IdP and present the token to any SP visited. The SPs need to be configured to assert the token against the IdP. You probably want to look into Auth0's SAML SSO offering for more information, but there are other providers out there that do the same thing.
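If SAML is more than the two domains need, the one-time-use token from option 3 is workable, but the md5-of-userid-plus-subdomain idea in option 2 is not: with no secret in the hash, anyone can compute the token for any user, and with no expiry or single-use marker a leaked link works forever. As an added example that is not part of the question or the answer, here is a handoff token that is signed with a secret shared by both domains, bound to the user and the target instance, short-lived, and consumed on first use. An in-memory array stands in for the database row the secondary domain would check; `$sharedSecret` is assumed to be provisioned to both sides out of band.

```php
<?php
// Added example: not from the question or its answer. Storage is an in-memory
// array standing in for a database; $sharedSecret is an assumed shared secret.

const HANDOFF_TTL = 60; // seconds: the user clicks the link immediately

// --- PrimaryDomain.com: called when the user clicks "view admin panel" -----
function issueHandoffToken(array &$store, string $sharedSecret, int $userId, string $subdomain): string
{
    $nonce = bin2hex(random_bytes(16));
    $exp   = time() + HANDOFF_TTL;
    // Bind user, target instance, expiry and nonce together, then sign the lot.
    $payload = sprintf('%d|%s|%d|%s', $userId, $subdomain, $exp, $nonce);
    $sig = hash_hmac('sha256', $payload, $sharedSecret);
    $store[$nonce] = ['used' => false]; // one row per issued token
    return rtrim(strtr(base64_encode($payload.'|'.$sig), '+/', '-_'), '=');
}

// --- [subdomain].SecondaryDomain.com: redeem the token from the URL --------
// Returns the user id (int) on success, or a reason string on failure.
function redeemHandoffToken(array &$store, string $sharedSecret, string $token, string $thisSubdomain)
{
    $padded = $token.str_repeat('=', (4 - strlen($token) % 4) % 4);
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    $parts = $raw === false ? [] : explode('|', $raw);
    if (count($parts) !== 5) {
        return 'malformed';
    }
    [$userId, $subdomain, $exp, $nonce, $sig] = $parts;
    $payload = implode('|', [$userId, $subdomain, $exp, $nonce]);
    // Signature first, in constant time, before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $payload, $sharedSecret), $sig)) {
        return 'bad signature';
    }
    if ((int) $exp < time()) {
        return 'expired';
    }
    if ($subdomain !== $thisSubdomain) {
        return 'wrong instance'; // a token for acme.SecondaryDomain.com must not log in on beta.
    }
    if (!isset($store[$nonce]) || $store[$nonce]['used']) {
        return 'replayed';
    }
    // Consume it. Against a real database do this as
    // UPDATE handoff SET used = 1 WHERE nonce = ? AND used = 0 and require one affected row,
    // so two concurrent redemptions cannot both succeed.
    $store[$nonce]['used'] = true;
    return (int) $userId;
}

// Constructed demo data.
$secret = 'replace-with-32-random-bytes';
$db = [];
$token = issueHandoffToken($db, $secret, 42, 'acme');
var_dump(redeemHandoffToken($db, $secret, $token, 'acme'));   // first use succeeds
var_dump(redeemHandoffToken($db, $secret, $token, 'acme'));   // second use is rejected
var_dump(redeemHandoffToken($db, $secret, $token, 'other'));  // wrong subdomain is rejected
```

The first call returns the user id, the second is reported as replayed, and the third as the wrong instance. Two practical points: the token rides in a URL, so it will land in browser history, proxy logs and `Referer` headers, which is why the lifetime is seconds and the nonce is burned on use; and once the secondary domain has accepted the token it should start its own session in the normal way rather than keep anything from the URL around.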

Determine if user still hasn't removed App from his Facebook account

I've managed to have a user sign in to my website through Facebook. It works this way:
User goes to my website and chooses to sign in with Facebook
User goes to Facebook to authorize my app
If the app is authorized, the user comes back to my website and gets registered into my database
The user remains logged in via a cookie set by my website
I store these pieces of information from Facebook: username, email and ID.
What should happen if:
User logs out from Facebook and is still logged into my website? I still have that cookie and session that lets the user remain online, so even if the user isn't logged in on Facebook, my users can still benefit from my website. Is this behavior normal or should it be avoided?
A user removes my Facebook App from his authorized apps list? The user is now part of my database, but the user removed the app from his account. How should I deal with this? How can I check if the App->Website connections are still valid for that user? If a user removed the app from his account, should I also remove him from my database? If yes, again, how do I make that check?
There are quite a few other things that are puzzling me and I think I should dedicate another question to those later on.
I'm using Facebook PHP SDK for all these tasks.
P.S: I only use Facebook as an authentication method for my website, nothing more.
To answer your question, here are a few things we do for the Facebook connect:
If the user chooses to create an account with the FB connect, we grab the details like firstname, lastname, email, fb_userid and then save them to our database.
When the same user comes back, the user has to click on the FB login button and we check in our database whether the fb_userid returned by the API is in our database, then process the login and give access to the user pages.
So ideally we never store the fb_userid in a cookie and never just do the auto-login the next time the user comes.
Now what if the user removes the app from FB? Since we do not allow auto-login from cookie-saved data, the user must click on the login button and then re-authorize the app. Since the fb_userid is already in our DB, we detect the user after they give permission and let them log in.
We have one advantage in our case, i.e. our web app requires a monthly subscription, so the user has to pay for that. So usually people who do not want to continue come to our website and cancel the account; we then remove the user info and that way the fb_userid is also removed at our end. This means we do not have to worry about what happens if the user removes the app from their FB, since if someone wants to cancel they will do it from our website, because they are on monthly recurring billing.
I suppose in your case it's not as in the above point, so you can do the following without violating any terms and conditions:
Do not store the session in a cookie and make the user log in with the FB button each time they come to your website. Also put a small note on your website next to the FB login button, "what is this?", maybe as a tooltip, and mention that the website will store the user's fb_userid and that this will not be shared with any 3rd party.
Also mention that in case they remove the app from their Facebook the id will still be there in your database, and create a cancel account page where the user can cancel the account, but that needs the user to be logged in. Once they cancel the account, remove the FB id from your DB.
Finally, I don't think any API call could be used to see if the user has removed the app for offline users, but for people who have logged in to your site using FB connect, the different permissions could be checked as:
$permissions = $facebook->api( "/me/permissions" );
If the app requires Facebook, then you need to test the cases you mention and generate appropriate error messages. Beyond that, you just provide obvious ways for your user to clean up, like a working uninstall command.

OpenID: how do you log out?

On a website I have implemented the login using OpenID (based on StackOverflow).
But I can't seem to logout.
On my host I can logout but when the user tries to login again (especially with google) the authentication goes through without requiring the user to type in name and password.
How can I indicate to the OpenID Provider that a user is no longer logged into the site?
OpenID authenticates users to your site, which then starts a session on your site. You destroy or invalidate your site's session separately from the user's session with their OpenID provider.
User visits joewidgets.com > User logs in with OpenID (with a new or existing provider session) > ... User clicks logout > joewidgets.com destroys/invalidates the session.
If the user has their OpenID provider keep them logged in, and your system automatically checks, then it will create a new local session. (Un)fortunately, you don't/can't worry about what the user does or does not do at their provider, which is a pro/con of OpenID.
There is an argument at Social Lipstick which calls for "Single Sign-Out", but OpenID does not currently provide this function.
This is called Single Logout or Single Sign-Out, which OpenID doesn't support. In my opinion, SSO without logout is a big security hole. Logging out a single site doesn't mean much if others can just get in with a few clicks.
For now, we have to remember the provider. If it's someone we know, we trigger the logout process for them. For Google, the URL is,
https://www.google.com/accounts/Logout
The logout flow is ugly but it does the job.
That's generally something handled by the OpenID provider - for instance, if the user remains logged into their Google account and checked the box to "remember" the OpenID authorization for your particular site, then the provider will transparently log them in and redirect them back without displaying the login prompt.
"It's a feature not a bug"
The id provider can choose to keep the user authorized for the provider through cookies, and further can choose not to re-prompt the user about sharing the same information that was shared previously (with a prompt). So when the user on Site A asked to be authorized through Site B and got redirected, Site B first asked the user to authenticate himself or herself. Then Site B asked if it should share any information (and sometimes which information) with Site A. At this point it will also customarily ask if you want to automatically share this same information in the future. Some providers will assume yes, some no, some won't ask. Site B then redirects to Site A and shares the information, and you're now logged in.
If Site A makes a second redirection to Site B to request a login, Site B might
1) Already have a cookie that authenticates the current user of Site B.
2) Already have a record of what information is acceptable to share with Site B.
3) Automatically share this information through a redirect without pausing to prompt the user at all.
This is a feature centered around convenience.
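What the answers above leave the relying party able to do is exactly two things: end its own session properly, and, if it remembered which provider the user came from, send the browser on to that provider's logout page (the Google URL quoted in the second answer). As an added example that is not part of the question or any of the answers, here is a logout handler in plain PHP that does both. It assumes the login code stored the provider name in `$_SESSION['openid_provider']` and a CSRF token in `$_SESSION['csrf']`; the provider table is constructed and contains only the Google URL the answer gives.

```php
<?php
// Added example: not from the question or its answers. Assumes login stored
// $_SESSION['openid_provider'] and $_SESSION['csrf']; the table below is constructed.

const PROVIDER_LOGOUT_URLS = [
    'google' => 'https://www.google.com/accounts/Logout', // from the answer above
];

/** Where to send the browser after the local session is gone. */
function logoutTarget(?string $provider, string $fallback = '/'): string
{
    return PROVIDER_LOGOUT_URLS[$provider] ?? $fallback;
}

/**
 * Tear down the local session server-side AND expire the cookie client-side.
 * Returns the remembered provider name so the caller can redirect there.
 */
function localLogout(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $provider = $_SESSION['openid_provider'] ?? null;
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expired cookie, same attributes as the original so the browser matches it.
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return $provider;
}

/** Only allow logout via POST with a valid CSRF token; a GET logout link lets any page log the user out. */
function logoutRequestIsValid(string $method, ?string $postedToken, ?string $sessionToken): bool
{
    return $method === 'POST'
        && $postedToken !== null && $sessionToken !== null
        && hash_equals($sessionToken, $postedToken);
}

// Request handling (logout.php):
if (php_sapi_name() !== 'cli') {
    session_start();
    if (!logoutRequestIsValid($_SERVER['REQUEST_METHOD'], $_POST['csrf'] ?? null, $_SESSION['csrf'] ?? null)) {
        http_response_code(403);
        exit('logout must be a POST with a valid CSRF token');
    }
    $provider = localLogout();
    header('Location: '.logoutTarget($provider), true, 302);
    exit;
}
```

The local part is the one that matters for your site's security: once `session_destroy()` has run, the old cookie value no longer maps to anything, so the user's browser cannot silently resume. The provider redirect only makes the next OpenID login prompt for credentials again; as the second answer notes, the Google URL signs the user out of their whole Google session, which is why that answer calls the flow ugly.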
