In Laravel 5, if basic auth fails for a user then the default message that is returned is an "Invalid Credentials" error string. I am trying to return a custom JSON error when this situation occurs.
I can edit the returned response in vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php
however I have not seen where you can change the behavior of this message outside of the vendor directory. Is there a way?
Looks like there were some ways to do this through Laravel 4: Laravel 4 Basic Auth custom error
Figured it out, looks like I had to create custom middleware to handle this.
Note that this solution didn't work when calling my API from my browser, only when calling it from a tool like Postman. For some reason when calling it from my browser I always got the error before seeing the basic auth prompt.
In my controller I changed the middleware to my newly created one:
$this->middleware('custom');
In Kernel I added the location for it:
protected $routeMiddleware = [
'auth.basic.once' => \App\Http\Middleware\Custom::class,
]
Then I created the middleware. I used Stateless Basic Auth since I'm creating an API:
<?php
namespace App\Http\Middleware;
use Auth;
use Closure;
use Illuminate\Http\Request as HttpRequest;
use App\Entities\CustomErrorResponse
class Custom
{
public function __construct(CustomErrorResponse $customErrorResponse) {
$this->customErrorResponse = $customErrorResponse
}
public function handle($request, Closure $next)
{
$response = Auth::onceBasic();
if (!$response) {
return $next($request);
}
return $this->customErrorResponse->send();
}
}
Related
I'm currently learning Lumen, I'm running a fresh install of Laravel 6.x .
I'm using RESTClient to stimulate my Lumen API/send http-Requests.
I want to set up some basic authentication with JWT now, and I already accomplished this.
I get a valid JWT and when I pass it through the following code, the firebase middleware (5.x) accepts the token, if valid, and rejects it if invalid.
The code doing the validation resides inside my AuthServiceProvider.php:
<?php
namespace App\Providers;
use App\User;
use Firebase\JWT\JWT;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;
//new Code
class AuthServiceProvider extends ServiceProvider
{
public function register()
{
//
}
public function boot()
{
// Here you may define how you wish users to be authenticated for your Lumen
// application. The callback which receives the incoming request instance
// should return either a User instance or null. You're free to obtain
// the User instance via an API token or any other method necessary.
$this->app['auth']->viaRequest('api', function ($request) {
$key = 'pawifjopawiejfpoaiwejfpoji';
$jwt = preg_replace('/^Bearer (.*)/', '$1', $request->header('Authorization'));
$decoded = JWT::decode($jwt, $key, ['HS256']);
//return User::where('email', $decoded->email)->first();
return "Hello From Auth!";
});
}
}
The router calling the middleware and routing its result to the controller resides in web.php and looks like this:
$router->get('myStorage', ['middleware' => 'auth', 'uses' => 'AuthController#myStorage']);
Now, my problem is this:
I've looked into all the depenencies inside providers/AuthServiceProvider.php, ServiceProvider.php insinde vendor/Illuminate/Support, Authenticate.php inside app/http/middleware and also bootstrap/app.php where the registering takes place.
The "auth" key/denominator, as it appears multiple times inside the sourcecode and also references the authentication middleware during routing, remains a mystery to me.
I don't know what object it points to.
I've tested changing it to "auth2" in all the places I found it (see above), but then I get this exception thrown by Lumen:
(2/2) BindingResolutionException
Target class [auth2] does not exist.
So somewhere, this class must have been defined.
Inside Authenticate.php, there is this line in the head of the code
use Illuminate\Contracts\Auth\Factory as Auth;
And I've manipulated it, alongside its occurrences in the whole code of authenticate.php .
But I always get the same error.
I want to know where this "auth" is coming from, because I also want to employ a middleware for AUTHORIZATION, following the AUTHENTICATION.
The routes would then look kinda like this:
$router->get('myStorage', ['middleware' => ['authenticate', 'authorize'], 'uses' => 'AuthController#myStorage']);
To do this, I think I need a better understanding of how and where this (third-party) middleware/its components are defined. Otherwise I will probably run into issues when registering this stuff for example.
I have a requirement where there is an API method (guarded by the well-known package tymon/jwt-auth) and I need to also be able to access it using the basic session based web middleware.
I don't want to repeat the route in both api.php and web.php even though that would totally work.
I tried adding both to the route but they simply don't work, like: ['auth:api', 'web']
I also tried creating a new middleware with the intention of checking both api and web like so:
class CombinedAuth
{
public function handle($request, Closure $next)
{
$web = Auth::guard('web')->user();
if ($web) {
return $next($request);
}
$api = Auth::guard('api')->user();
if ($api) {
return $next($request);
}
if(!$web && !$api) {
throw new AuthorizationException;
}
}
}
and that also doesn't work. The api middleware works fine but the web middleware doesn't and it always signs me out and redirects to the login page.
So Is there a neat way of protecting a route with api and web middlewares at the same time in Laravel 5.8?
You can use 'auth:api,web' to check for multiple guards.
Using multiple can middleware calls in Laravel 9 route;
<?php
Route::get('/', function () {
return view('money');
})
->middleware([
'can:manage,App\Models\Payment',
'can:manage,App\Models\Withdraw',
]);
?>
Problem: I need to implement a basic authentication on my API created with Laravel 5.4. Since we need to implement it without a database (just getting credentials from config()), I tried to create a registered middleware like the following one:
<?php
namespace App\Http\Middleware;
class AuthenticateOnceWithBasicAuth
{
public function handle($request, $next)
{
if($request->getUser() != conf('auth.credentials.user') && $request->getPassword() != conf('auth.credentials.pass')) {
$headers = array('WWW-Authenticate' => 'Basic');
return response('Unauthorized', 401, $headers);
}
return $next($request);
}
}
It works, but this way I can only have one credentials for the whole API.
I've tried to create more then one credentials in the config, saving user and password from request, but this way, it works like basic auth is disabled.
Question: is there any way to achieve this? How can I have multiple credentials in my config file, without using a database?
You can save your authorized usernames and password in your config file as a Collection.
config/myconfig.php
return [
'authorized_identities' => collect([
['user1','password1'],
['user2','password2'],
...
]),
];
and then in your middleware
if(config('myconfig.authorized_identites')->contains([$request->getUser(),$request->getPassword()]))
You can have an array of credentials and try to match the input with anyone of them and validate. To be honest you could easily implement this with a sqlite database. It requires minimalistic setup and you can get started and use it within 5 mins.
I am trying to modify the Laravel Auth registration system in that I'd like to require that a token parameter be provided in order for the user to be able to access the registration page (ie http://website.dev/register/{tokenhere}). Below is the pertinent code:
From my routes\web.php file:
Route::get('/register/{token}', function() {
//
})->middleware('token');
From my \App\Http\Middleware\CheckToken.php file:
<?php
namespace App\Http\Middleware;
use Closure;
class CheckToken
{
public function handle($request, Closure $next)
{
if($request->token != 'test') { #just hard coding something here for testing purposes
return redirect('home');
}
return $next($request);
}
}
I also added 'token' => \App\Http\Middleware\CheckToken::class to the $routeMiddleware array in \App\Http\Kernel.php
However, I go to http://website.dev/register and I'm able to access the page, despite not providing a token parameter. I can also see that if I provide the 'test' parameter that the middleware is looking for (http://website.dev/register/test), I get a blank page.
Hoping someone can point me in the right direction. I'm quite new to MVC and Laravel. Thanks for your time!
You can just create custom route, like /register/{token} and handle this token in the controller. Maybe even set in middleware group if you want.
I am using a session separately other than the default authentication sessions. If an user try to access my secured page, he should have the session set. If anyone without that session try to access means, they will be redirected to error page. I am using Laravel 5.3
The user can view the below two pages only if the session variable named 'secured_user' is set. Otherwise they will be redirect to the error page
Route::get('/secured-page1', 'ValidationController#CheckSecuredLogin_1');
Route::get('/secured-page2', 'ValidationController#CheckSecuredLogin_2');
The best option would be a policy.
You can create certain constrains and couple it with your models. Policies are especially suitable for changing your logic later on.
See here: Create Policy
Within you PagesPolicy, you can add this function:
public function before(User $user, $ability)
{
if ($user->isSuperAdmin()) {
return true;
}
}
public function seeSecurePage(User $user)
{
// Your custom Code and session handling
if(session("secured_user")) return true;
return false;
}
and in your controller.
$user->can("seeSecurePage","Pages");
If "can" fails, it will automatically redirect to error 403.
P.S.: Another possibility are Gates
You should use Laravel Middlewares to achieve this, I think middlewares are made for the work you need:
First create a new middleware by running the artisan command:
php artisan make:middleware CheckSesison
Then the CheckSession would look like this:
<?php
namespace App\Http\Middleware;
use Closure;
class CheckSession
{
public function handle($request, Closure $next)
{
if ($session_value != 'YOUR_DESIRED_VALUE') {
return redirect('home');
}
return $next($request);
}
}
Now in your routes file you can use laravel's route middleware() method to implement it like this:
Route::get('/secured-page1', 'ValidationController#CheckSecuredLogin_1')
->middleware(CheckSession::class);
Hope this helps!
In addition to the awnser above, you could also use middleware that's used on the routes and even group them if required. It is a simple, quick and clean solution. Inside the middelware you simple check if the session you require is there and depending on the result you take any action necessary.
Laravel middleware docs