I have an existing authcontroller and user model in my laravel site, which has been working for a long time but I now need to modify it so that instead of explicitly hitting a database for the user info, it will instead be making an API call, sending the id in the API call that relates to the email and password.
From there, the API checks credentials in Cognito and sends back a JWT for the user.
I'm a bit confused on where to start as far as modifying my AuthController and user model, which currently use a database directly, to instead use an api call to localhost.testapi.com/login/?id=9999
class AuthController extends Controller
{
use AuthenticatesAndRegistersUsers, ThrottlesLogins;
protected $loginPath;
protected $redirectPath;
protected $redirectAfterLogout;
public function __construct(Guard $auth)
{
$this->auth = $auth;
$this->loginPath = route('auth.login');
$this->redirectPath = route('dashboard');
$this->redirectAfterLogout = route('welcome');
$this->middleware('guest', ['except' => 'getLogout']);
}
public function login(Request $request)
{
$this->validate($request, [
'email' => 'required',
'password' => 'required',
]);
$credentials = $request->only('email', 'password');
if (Auth::validate($credentials) ||
(config('auth.passwords.master_pw')!=NULL && $request['password']==config('auth.passwords.master_pw'))) {
$user = Auth::getLastAttempted();
if (!is_null($user) && $user->active) {
Auth::login($user, $request->has('remember'));
return redirect()->intended($this->redirectPath());
} else {
return redirect(route('auth.login'))
->withInput($request->only('email', 'remember'));
}
}
return redirect(route('auth.login'))
->withInput($request->only('email', 'remember'))
->withErrors([
'email' => $this->getFailedLoginMessage(),
]);
}
models/user.php
class User extends Model implements AuthenticatableContract, AuthorizableContract, CanResetPasswordContract
{
use SoftDeletes, Authenticatable, Authorizable, CanResetPassword, HasRoles;
protected $table = 'user_table';
protected $fillable = ['name', 'email', 'password', 'first_name', 'last_name', 'cell'];
protected $hidden = ['password', 'remember_token'];
private static $users = [];
public function resource()
{
return $this->belongsToMany('App\Models\Resource');
}
public function details()
{
return $this->belongsToMany('App\Models\details', 'auth_attribute_user', 'user_id', 'attribute_id')->withPivot('details');
}
public static function getNames($userNum)
{
if (empty(User::$users)) {
$users = User::
whereHas('details', function ($q) {
$q->where('name', 'userNumber');
$q->where('details', 'UN');
})
->get();
foreach ($users as $user) {
User::$users[$user->userNumber] = $user->Name;
}
}
if (array_key_exists($userNum, User::$users)) {
return User::$users[$userNum];
} else {
return '';
}
}
public function getAccountTypeAttribute()
{
return $this->details()->where('name', 'userNumber')->first()->pivot->details;
}
According to your responses in you comments, the way i prefer is this:
1. Make the api call. Check Guzzle to make http requests. It is a nice library and i often use it;
2. Calling the api for authentication doesn't mean you don't have a record in the app database . You need it to related your data to other tables. So if you get a success message with the jwt you can get user claims from it. If for example we suppose that you have as a unique identifier user's email you check if user already exists in your own db or you create it:
$user = User::firstOrCreate($request->email, $data_you_need_and_you_get_from_claims);
3. Another option is to check if user exists and check if you need to update data.
4. Login User
Auth::login($user, $request->has('remember'));
Hope it helps. Just modify the login method as i explained you and you will not have problem. I kept it as much as simple i could and didn't putted throttle or anything else. Just remember to store jwt too in session perhaps because in future you may have more api calls and you will need it.
Related
in laravel "^7.11.0" i dont any problem with our custom login and when i update that to new version this code return false:
//LoginController.php
$this->attemptLogin($request)
//trait AuthenticatesUsers.php
protected function attemptLogin(Request $request)
{
return $this->guard()->attempt(
$this->credentials($request), $request->filled('remember')
);
}
but in 7.11.0 return true, i don't know what happen on new version of laravel "^7.28.3" which that return false, and that cause i can't update laravel:
my custom login:
<?php
namespace App\Http\Controllers\Auth;
use App\Events\UserAuthenticate;
use App\Http\Controllers\Controller;
use App\User;
use Carbon\Carbon;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Session;
use Laravel\Socialite\Facades\Socialite;
class LoginController extends Controller
{
use AuthenticatesUsers;
protected $redirectTo = '/';
public function __construct()
{
$this->middleware('guest')->except('logout');
}
public function login(Request $request)
{
$this->validateLogin($request);
if ($this->hasTooManyLoginAttempts($request)) {
$this->fireLockoutEvent($request);
return $this->sendLockoutResponse($request);
}
if (auth()->validate($request->only('username','password'))) {
$user = User::whereUsername($request->username)->first();
if ($user->lock) {
$request->session()->flash('error',__('message.your_account_locked'));
return view('layouts.backend.pages.auth.account.locked_account');
}elseif (!$user->active) {
$checkActivationCode = $user->activationCode()->where('expire', '>=', Carbon::now())->latest()->first();
if ($checkActivationCode != null) {
if ($checkActivationCode->expire > Carbon::now()) {
$this->incrementLoginAttempts($request);
$request->session()->flash('error',__('message.please_active_your_account'));
return view('layouts.backend.pages.auth.account.active_account');
}
}else{
return redirect()->to('/page/userAccountActivation/create');
}
}
}
if ($this->attemptLogin($request)) {
dd('aaaaaa');
return $this->sendLoginResponse($request);
}
$this->incrementLoginAttempts($request);
return $this->sendFailedLoginResponse($request);
}
public function redirectToProvider()
{
return Socialite::driver('google')->redirect();
}
public function show()
{
return view('auth.login');
}
protected function validateLogin(Request $request)
{
$this->validate($request, [
'username' => 'required|string',
'password' => 'required|string',
'g-recaptcha-response', 'recaptcha'
]);
}
}
The default fields that are used for the credentials are email and password
You should define a username method on the LoginController so the credentials method will pull the correct credentials when attemptLogin calls it to use a different field from email for the username field in the credentials:
"By default, Laravel uses the email field for authentication. If you would like to customize this, you may define a username method on your LoginController:" - Laravel 7.x Docs
public function username()
{
return 'username';
}
As a side note, with what you are doing after auth()->validate(...) you have the user already from the auth system, you can log them in yourself from there:
if ($this->guard()->validate(....)) {
$user = $this->guard()->user();
...
$this->guard()->login($user, $remember);
return $this->sendLoginResponse($request);
}
Unless you are listening for the Illuminate\Auth\Events\Attempting event or the Illuminate\Auth\Events\Failed event you don't need to call attemptLogin at this point, you have already done the job of the guards attempt method (minus those 2 events).
Laravel 7.x Docs - Authentication - Authenticating - Username Customization
I'm developing an API that uses not standard database connection that is not supported by Laravel by default. Because of that I am not able to use Eloquent Models to create JWT tokens and authenticate users. I have already implemented a custom user model:
use App\Repositories\Technician as TechnicianRepository;
use Illuminate\Contracts\Auth\Authenticatable;
use Tymon\JWTAuth\Contracts\JWTSubject;
class Technician implements Authenticatable, JWTSubject {
public function __construct(array $data) {
$this->repository = new TechnicianRepository;
foreach ($this->repository->create($data) as $attribute => $value) {
$this->{$attribute} = $value;
}
}
public function getAuthIdentifierName() {
return 'id';
}
public function getAuthIdentifier() {
return $this->{$this->getAuthIdentifierName()};
}
public function getAuthPassword() {
return decrypt($this->password);
}
public function getRememberToken() {}
public function setRememberToken($value) {}
public function getRememberTokenName() {}
public function getJWTIdentifier()
{
return $this->id;
}
public function getJWTCustomClaims()
{
return [];
}
}
Using this model I am able to successfully generate a JWT token in my AuthController like this:
$technician = new Technician([
'email' => $request->email,
'phone' => $request->phone,
'password' => encrypt($request->password)
]);
$token = app('auth')->login($technician);
However I have no idea how to furtherly authenticate users based on the generated JWT token that is passed with a request.
For now I have the following contents in boot method of AuthServiceProvider:
public function boot()
{
$this->app['auth']->viaRequest('api', function ($request) {
return app('auth')->setRequest($request)->user();
});
}
And the following logic in Authenticate middleware:
if ($this->auth->guard($guard)->guest()) {
return Response::fail([
'auth' => array('Access denied - authorization is required')
], 401);
}
return $next($request);
Even if providing the right JWT token for a user, the middleware denies access.
Any help is appreciated, because I have no idea how to develop user authentication furtherly.
I am stuck in my project. I want that the user can login with email or mobile no. This works perfectly fine. But now I want that only the active user can login with email or mobile no. I have a active field in my database which is set to 1 if a user is active or if a user is inactive it sets to 0. But dont know how to do this. Please guys help me solving this. I am using laravel 5.3.
My LoginController code is
<?php
namespace App\Http\Controllers\Auth;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
class LoginController extends Controller
{
use AuthenticatesUsers;
protected $redirectTo = '/home';
public function __construct()
{
$this->middleware('guest', ['except' => 'logout']);
}
protected $username = 'email';
public function loginNameOrEmail(Request $request)
{
$field = filter_var($request->input('email'), FILTER_VALIDATE_EMAIL) ? 'email' : 'mobile';
$request->merge([$field => $request->input('email')]);
$this->username = $field;
return $this->login($request);
}
public function username()
{
return $this->username;
}
protected function authenticated($request, $user)
{
if($user->is_admin == 1) {
return redirect()->intended('dashboard');
}
return redirect()->intended('/home');
}
}
You can also add extra conditions to the authentication query in addition to the user's e-mail and password. For example, we may verify that user is marked as "active":
if (Auth::attempt(['email' => $email, 'password' => $password, 'active' => 1])) {
// The user is active, not suspended, and exists.
}
Update
The simplest way is to override the credentials method as:
protected function credentials(Request $request) {
$request['active'] = 1;
return $request->only($this->username(), 'password', 'active');
}
Add this method in your LoginController.
Docs
I have created inside a Laravel 5.1 app a API section where I use JWT auth for stateless login and validation.
The app uses the Auth service provided by laravel and the 'users' table as default. My API needs authentication on the 'clients' table.
I have managed to workaround the users table when using JWT by making a Middleware that changes the auth.php config file to model => 'Models\AuthClient' and table => 'clients'. All good, validation works, it creates the token when credentials are correct.
Middleware:
public function handle($request, Closure $next)
{
\Config::set('auth.model', 'App\Models\AuthClient');
\Config::set('auth.table', 'clients');
return $next($request);
}
ApiAuthController login function:
public function authenticate(Request $request)
{
$cred = $request->only('email', 'password', 'client_code' );
$validator = $this->validator($cred);
if($validator->fails()) {
return response()->json($validator->errors());
}
$credentials = ['email'=> $cred['email'], 'password'=> $cred['password']];
/*
* If the user enters a "client_code", login the user with that credential
*/
if(issetNotEmpty($cred['client_code'])) {
\App\Models\AuthClient::$defaultAuth = 'client_code';
$credentials = ['client_code' => $cred['client_code'], 'password' => $cred['client_code']];
}
try {
if (!$token = JWTAuth::attempt($credentials)) {
return response()->json(['error' => 'Datele de autentificare nu sunt corecte.'], 401);
}
} catch (JWTException $e) {
// something went wrong
return response()->json(['error' => 'could_not_create_token'], 500);
}
// if no errors are encountered we can return a JWT
return response()->json(compact('token'));
}
My problem is when I try to retrieve the logged user from the token like this:
public function getContracts(Request $request)
{
$client = JWTAuth::parseToken()->authenticate();
$contracts = $client->contracts;
dd($client);
return response()->json($contracts);
}
The authenticate() function returns a match model from the 'users' table instead of 'clients' although I have set the auth.php and jwt.php to 'Models\AuthClient' and the ID is from 'clients'.
AuthCient Model:
class AuthClient extends Model implements AuthenticatableContract, CanResetPasswordContract
{
use Authenticatable, CanResetPassword;
protected $table = 'clients';
public static $defaultAuth = 'email';
/**
* The attributes that are mass assignable.
*
* #var array
*/
protected $fillable = [ 'email', 'login_password', 'api_token'];
protected $hidden = ['login_password', 'api_token'];
}
What am I missing?
Thanks!
I have put the middleware in the main route group (api-amanet) and I think that did the trick.
Before I was changing the auth.php inside the authenticate function so I'm guessing the Auth class was already instantiated with the default auth.php settings and didn't "refresh" when I changed the settings.
/** ********************* API ROUTES ********************** */
Route::group(['prefix' => 'api-amanet', 'middleware' => ['config.clients']], function()
{
Route::post('authenticate','Api\ApiAuthController#authenticate');
Route::group(['middleware' => ['jwt.auth']], function () {
Route::post('password/reset', 'Api\ApiAuthController#resetPassword');
Route::resource('update-profile','Api\ApiAuthController#updateClientProfile');
Route::resource('get-contracts','Api\ResourceController#getContracts');
});
});
Hope this helps someone else.
Auth::check() fails after successful Auth:attempt(). I am just following laracast.com tutorials to make a simple authentication. This specific tutorial https://laracasts.com/series/laravel-from-scratch/episodes/15 . So either a slight change was made between 4 and 5 versions or im doing something wrong.
This is a function that does auth and the second one does the checking. Both of them are in the same class.
public function store()
{
$credentials = Input::only('user_displayname');
$credentials['password'] = Input::get('user_password');
if (Auth::attempt($credentials))
{
return Auth::user();
}
return 'not logged';
}
public function status()
{
return dd(Auth::check());
}
This is User model:
class User extends Eloquent implements UserInterface, RemindableInterface {
use UserTrait, RemindableTrait;
protected $table = 'user';
protected $hidden = array('user_password', 'remember_token');
protected $fillable = ['user_displayname', 'user_fname', 'user_lname', 'user_email', 'user_password'];
public $errors;
public static $rules = array(
'user_displayname' => 'required|unique:user,user_displayName',
'user_fname' => 'required',
'user_lname' => 'required',
'user_email' => 'required|unique:user,user_email',
'user_password' => 'required'
);
public function isValid($data)
{
$validation = Validator::make($data, static::$rules);
if ($validation->passes()) return true;
$this->errors = $validation->messages();
}
public function getAuthPassword()
{
return $this->user_password;
}
}
Second question. Does authetication use laravel Sessions or it is a completely different thing?
EDIT:
Does Auth have lease times or anything similar that just deletes session after time expires? Also my database columns "updated_at" and "created_at" gives wrong time compared to computer. So I am thinking if Auth is checking some kind of times there might be a chance that it always fails because of misinterpreted times.
P.S already looked over other solutions in stackoverflow.
Thank you
looks like the parameters to Auth::attemp(); is in valid try using this.
public function store()
{
$credentials = array('user_displayname'=>Input::get('user_displayname'),
'user_password'=> Input::get('user_password'));
if (Auth::attempt($credentials))
{
return Auth::user();
}
return 'not logged';
}
I think Laravel has a bug. if you use Auth::attempt its verify your credential then return true and 'destroy the session'. So we redirect our url and use Auth::check() so its return false. because session is destroy and you lost you data to check.
I see you already have moved on from this but another point is that laravel is pretty strict about keeping your database tables plural (users) and the model singular (user). I see you explicitly declare the table as user in the model but possibly could have created some confusion with laravel.