I am attempting to create a 2FA Middleware with CakePHP 3. I have created the middleware basics just fine, however, I do not know how to get the user id of the current user in the middleware, typically I get the id like so...
$this->Auth->user('id');
Is there anyway to load the AuthComponent in the Middleware?
If not, how can I go about getting the current user id?
I think You can use request session handler to grab current user id
$this->request->session()->read( 'Auth.User.id' )
Use the official authentication plugin which replaces the AuthComponents authentication part: https://github.com/cakephp/authentication This will oficially replace the component approach in the next release.
It features also a middleware, just make sure it's in the pipe before yours and you can use $request->getParam('identity').
Related
I've used this command to create the auth for login, register and so on:
php artisan make:auth
I've changed the schema of my users table to have a field to determine whether the user can actually login.
I do not want all users to be able to login because some users are created to be related to another table and not to actually use the dashboard. I want to prevent unauthorised users losing in if they try to.
When the user logs in I want to run a check of this field to get the value and then perform an action based on that value.
I'm not sure on the best way to do this when using Laravel's auth.
Laravel auth provides a set of events and one is Illuminate\Auth\Events\Authenticated which triggers when the user authenticates.
You may add a listener to this and do your logic based on that.
Please refer:
https://laravel.com/docs/5.5/authentication#events
https://laravel.com/docs/5.5/events#registering-events-and-listeners
the previous answer by PSJ will defentley help you, another way to protect your dashbord, would be to assign roles to the users as a examle take a look at entrust or laratrust so you can check permissions for each view seperatly and for each Controller using Middelware. Works out off the box with laravel -auth.
The documentation doesn't talk much about logging in and out and handling security in general.In Symfony, you can secure pages of your site via a YML file. Does F3 have anything like that?
What is the recommended way to secure pages and handle a logged in user? I liked basic Auth, but it isn't very flexible, and it seems logging out is trickier. So I decided to set up a form for login/logout.
I would have assumed that Auth automatically creates a session, but from what I can tell it doesn't. So does that mean I need to manually do it?
Also, how do I block non authenticated visitors from the site? Do I need to add a SESSION check in each route?
The freedom when using F3 is that you can/must implement this on your own.
You got multiple options here or can create some other creative solutions too, if your project requires it. The included Auth plugin doesn't create a SESSION of course, because it cannot know if you want to use a SESSION to track your users or maybe use other solutions (cookie, JWT, etc).
So in most cases you need to create an Auth controller where you check if a user is logged in or not - here you would probably use the Auth plugin and create the SESSION if you want that. From there on you got serveral other options.. just to name a few:
use a base controller, that your other controllers will extend (or a Trait) and add a beforeroute there, where you'll check if the user is logged in and allowed to access that ressource.
check the user rights in the front controller (index.php) and don't even register the routes that the user has no access to.
use a 3rd party plugin to add access checks to routes, i.e. f3-access
use another middleware router to pre-flight the current request and add auth checks to multiple routes at once
I am using Laravel Passport (auth:api), all works well however I've came with the idea to log record user requests on a specific route.
When an GET request is made to /movie/65 I would like to store in movie_view the following data: user_id, movie_id (if the user is logged in)
However in my controller I am unable to call $request->user() without setting auth:api middleware.
What is the best practice you recommend to achieve this?
Default Auth Type should be set to 'api' in config/auth.php
Source: https://laracasts.com/discuss/channels/general-discussion/optional-authentication-for-api?page=0 (it was very hard to find)
Best way to do this is:
if (\Auth::guard('api')->check()) {
$user = \Auth::guard('api')->user();
}
you have to setup the guard to 'api', the default one is 'web'.
You can create a custom middleware as suggested here -- https://laracasts.com/discuss/channels/laravel/how-to-handle-route-with-optional-authentication. Then apply api guard to it. Let say you assign that custom middleware as auth.optional in Kernel.php, then you can use that middleware as auth.optional:api (with that api guard). Then you can access user thru $request->user() in your case above.
Firstly I'm a real beginner with Laravel so I will try to describe my problem as best as I can.
I am building a website using Laravel however the information on users will not be stored on my server but rather externally on another server.
The only way to access the user's data is through an external API; I am not allowed access to their database. The API request returns a token and I use this token to check with their server to see if the user is logged in.
My question is: how do I authenticate the user so that I can still use Laravel's out of the box guards.
It's really handy to use methods like Auth::check() to determine if the user is still logged in.
You'll either need to modify Laravel's default authentication middleware in app/Http/middleware/Authenticate.php or you'll need to create your own middleware class that runs the authentication that you need. Create a class in the app/Http/middleware folder and register that middleware. https://laravel.com/docs/master/middleware
I'm making web app that will be fully based on Ajax requests.
As I understand the only way to achieve that goal is to send identity and password with every Ajax request or am I wrong?
I'd like to use ZfcUser to perform actions connected with register, login and logout but if I'm calling that on server side: $this->getServiceLocator()->get('controllerPluginManager')->get('zfcUserAuthentication')->getAuthService()->getIdentity(); I always receive last logged user.
Is it possible to handle multiple users at once using ZfcUser plugin (or maybe simply Zend 2)?
Can Zfcuser remember in any data structure all users that are actually logged in?
If you are in a controller you can use $this->ZfcUserAuthentication()->getIdentity() to get the identity. If you are anywhere else, use the servicemanager/locator to get 'zfcuser_auth_service' which you then can use to call getIdentity().
The Auth Service will give you the user based on session, so you should never users from another session. Doesn't matter if you use ajax or not.