I have developed a nutrition platform that I'm using with my clients. It's somewhat similar to MyFitnessPal.
Some of my clients need help refining their diets so I need to log into their account to make changes to their plan.
What's the best option to achieve this? I thought of maybe having a master password that lets me log into any clients account but I don't know how to implement this.
My postLogin() method in the LoginController doesn't seem to be doing anything.
In our applications we have a route/controller method in the admin backend that does something like auth()->login($user); then redirects you to the route the usual user would go to when they first login.
Docs:
https://laravel.com/docs/5.4/authentication#other-authentication-methods
Related
I need to set up a single user registration and login page to work for separate Laravel applications or projects, such that if a user registers on the first application, he or she can use that profile to login into the other application without needing to register again on the second application.
The most basic approach would be to connect both projects to the same database, and make sure they both have the same application key (the APP_KEY entry) set in the .env file, as this is what is used for the EncryptionServiceProvider.
A more complete, and thought-through approach would be to implement some form of Single Sign On (SSO) in both projects. Something such as zefy/laravel-sso could be a good starting point.
Yet another option, if it fits your usecase, might be to implement Social Authentication instead. Each project would maintain their own record of users, but since authentication would happen via third parties, that might not matter. Socialite might be a good starting point for this.
A good approach is to ensure that in the other applications there is an authentication to the database or services warehousing the user credentials your application should be able to reach this endpoint and check if that user is already authenticated/validated/signed
you can check
https://www.cloudways.com/blog/setup-laravel-login-authentication/
I have an application which has two parts back-end, and front-end. In the back-end admin can log in, and in the front-end the client can log in. Now it has been implemented. All application's query is done by logged in user id in both admin and client end.
Now my app needs a functionality where admin can view client data as same as client see their profile.There are a lot of things in client end. I can you use Auth::loginUsingId($client_id). Here client profile is showing perfectly but admin loggin session is lost as expected.
How to achieve this while admin login remain and admin can see client full data?
Let me introduce the simpliest way to have login as client functionality. First, define asuser and returnback routes.
Routes and actions
Route::get('/asuser/{user}', 'AdminController#asuser')
->where('user', '[0-9]+')
->name('asuser');
Route::get('/returnback', 'ClientController#returnback')
->name('returnback');
In admin's controller:
public function asuser(User $client, Request $request) {
/* insert checking if user has right either here with some field
* like $user->is_admin or using middleware settings and Policy
*/
# who user is
$fromId = Auth::user()->getId();
# logging as a client
Auth::login($client, true);
# but keeping admin in a session
$request->session()->put('adm_id', $fromId);
return redirect()->route('some-client-route')
->with('status', 'You are logged in as a client');
}
And for returning back ClientController
public function returnback(Request $request) {
$fromId = Auth::user()->getId();
# getting admin id
$admId = $request->session()->pull('adm_id');
$adminUser = User::find($admId);
if (!$adminUser) {
return redirect()->back()
->with('status', 'Not allowed');
}
# logging out as a client and logging in as admin
Auth::logout();
Auth::login($adminUser, true);
return redirect()->route('some-admin-route')
->with('status', 'Welcome back!');
}
Is it ready for production
No, it's not. That's not a great solution, it's just a glimpse how to use it. Sessions have lifetime, so if admin doesn't return back in its lifetime, session variables are lost and he becomes a client (if remember me=true, as in the code above). You can store value not in a session but in a database column.
In addition as t1gor mentioned, you must pay attention to the fact that you can't log client's actions and send events when admin is a client. That's the most serious problem of logging as a client. Anyway, I suppose, it is easier to solve that, than to move all the auth logic out of the views.
Well, hope it is helpful.
I think a good way to manage client/user profiles is to implement an user management section at your backend, display and edit your users and their profiles there.
Laravel does not provide mixed sessions. You can only be authenticated as one user at a time. If you really need this kind functionality in Laravel 5.0 you could solve this by hackish user ping-pong (e.g. login temporarily as client and switching back to admin right after).
But it seems like your problem is more Authorization-related (in contrast to Authentication). Laravel implemented an authorization layer in v5.1.11. Since v5.0 is not supported anymore you should update regardless of this feature.
You can find more information about authorization in the official documentation: https://laravel.com/docs/5.1/authorization
I would rather suggest you separate the view logic e.g. business logic into some common layer rather then doing a "login-as-client" functionality. Even though it looks like a short-cut, you'll have a whole lot of things to think about.
For instance, how do you log application events now? Add a check everwhere that the session has a adm_id and log it instead of userId? This is just one example.
What I would have done:
Separate the view (e.g. user profiles, user content, etc.) from the session so that it is accessed by the ID in the URL or whatever else method, not by currently logged in user id.
Implement a propper role-based ACL. There are plenty of packages already. In your example, you wouold have an admin role and a client role, both havin permission object view-client-profile, for instance.
In the end, this might take a lot more time for development, but would defenitely save you some time debugging/troubleshooting with the angry client on the phone. Hope that helps.
I think middleware is the best possible option to filter the content between the admin and the normal user,because the code in the middleware run before any function call.
You just only need to set the usertype in the session and filter accordingly.
Visit:https://laravel.com/docs/5.4/middleware
My actual project needs to implement an ACL for the diferent roles in my users.
For now, I have like 4 roles defined by the client (Administrator, Head of Departament, Secretary and Teachers) but he wants to create more roles whenever he needs it.
Knowing this the clue is I want to know if is there any way to control the system access without checking the access in each method of my system. Laravel provides my the Authorization services but is not enough for the desing of my system, but I think is a deprecated way checking every method.
My idea is implement something before enrouting any request and check if the user has access depending on his roles, in this way I won't need to check it in every method as the actual solution that laravel Authorization services, laravel-acl of Kodeine or similars offers me.
If someone has an idea to set forth this Idea please answer this.
Also I want to know if this could affect the system security and how and how I can handle that.
Thanks in advance.
If you want to use role-base access control only, it's very easy to create own middleware where you check passed roles. Now in your routes you can protect routes depending on user roles, for example:
Route::group(['middleware' => 'authorize:admin,secretary'], function() {
// your route here
});
You have sample role middleware in Laravel documentation here.
I have a Laravel 5.1 app using Sentinal for security. Right now we're just using the two stock groups, Users and Admins. Recently I invited a colleague to start testing my app, so I created a user for him. I forgot to add him to the Admins group. When he logged on in infinite redirect loop started because the authentication redirect sends users to a route called home, but you can't load home if you aren't in Admins, and get redirected back to login. Which redirects you back to home.
This is a business rule, we only want Admins using the part of the app that they need to authenticate to, but we'd like to do something friendlier than sending a 403 if you aren't an Admin. I would like to send Authenticated Users to a specific route, or even just redirect them to a static page.
I think I've almost worn out Google trying to get a clue about how to do this. Seems like this should be easy-peasy. I could start hacking the vendor code, but I can't believe that there isn't a more graceful way to do this.
Sorry if this is a dumb question. I'm fairly new to Laravel.
OK folks, I got this working. I wrote a piece of middleware called RedirectIfNotAdmin.
I couldn't find a Sentry or Guard property/method that could tell me about group membership, so I made plain ol' eloquent models for my users and groups tables. I created a many-to-many between those models. In my middleware I use Sentry to get a user id, with that I instantiate one of my own User models. In my User model I implemented a method isAdmin() which gets the groups for the User and returns true if one of them is 'Admins'.
If that isAdmin() method returns false, I redirect to a page that explains that the user doesn't have permissions.
Quite a bit more elaborate solution than what I expected I would need to write. I really thought rydurham/sentinal would have this pretty much solved. Maybe Sentinal does have a cleaner solution and I'm too dense to find it. If anybody would like to comment on a better way to solve this, I'm all ears.
I've been using CakePHP's Auth helper for a while now, and while it's been successful, recently I was asked to re-tool our system. We're to allow users to log in using their Active Directory credentials.
Actually authenticating users is easy, and I already have the code to do this. However, Auth itself is shrouded in mystery, and I haven't swam through it's source code yet. What I'd like to do is have the system attempt to authenticate using the standard Auth method, and if that fails, fallback on Active Directory and attempt to authenticate that way.
Database wise, I figure I'll need to modify my users table to store the Active Directory credentials in some way (something as simple as storing the AD username should suffice actually, since it's just a link) and then manually log that user in. Is there a way to just tell Auth that "Hey, I'm logged in as this user now" without doing a POST to login()?
The main reason I'm doing all of this is to avoid having to rewrite tons of code elsewhere in the project by switching away from Auth entirely. That may be a bad idea though, if I'm introducing some hidden insecurity that's going to bite me later.
Oh: We're using CakePHP 1.3. I'm not against upgrading the project to version 2.0, but I'll avoid it unless there's a good reason to.
I believe you can just call: $Auth->login($user); where $user contains the queried data. So if you have the Active Directory credentials associated with the user account record in the database, you can just do:
$user = $this->User->find('first', array('conditions' => array({ACTIVE RECORD SEARCH})));
$Auth->login($user);
and now you are logged in as that user.