Firstly I'm a real beginner with Laravel so I will try to describe my problem as best as I can.
I am building a website using Laravel however the information on users will not be stored on my server but rather externally on another server.
The only way to access the user's data is through an external API; I am not allowed access to their database. The API request returns a token and I use this token to check with their server to see if the user is logged in.
My question is: how do I authenticate the user so that I can still use Laravel's out of the box guards.
It's really handy to use methods like Auth::check() to determine if the user is still logged in.
You'll either need to modify Laravel's default authentication middleware in app/Http/middleware/Authenticate.php or you'll need to create your own middleware class that runs the authentication that you need. Create a class in the app/Http/middleware folder and register that middleware. https://laravel.com/docs/master/middleware
Related
All my database related files are in config folder (fetch, post, update, delete). and I'm using ajax on the client side to use that data. my question is how can I secure my API files. I've studded about JWT and I think it is only for user login and signup. I want that when someone opens my api url like: 'http://localhost/config/getPosts.php' they should be authenticated before they can see the posts. I've also used basic auth but it is not secure according to my research.
What you want to do is to create a way to check if the user is currently logged in with JWT (Usually done with a middleware) and if not return a 401 error. Then assign the middleware to those routes so you protect those routes with the JWT check.
I have a multi tenancy build with Laravel. Now I have a system (main) website
main.com
where users can register.
After registration a tenant (subdomain) website is created and they are getting redirected to a new subdomain
tenantB.main.com.
Of course the Session is then deleted and they are not logged in anymore. I am trying to keep the session but the only solution I have found so far is to change the SESSION_DOMAIN in session.php config to
SESSION_DOMAIN=.main.com
The session will then remain on all subdomains but different tenants should not share their sessions. With that change if I login to tenantB.main.com I am also authenticated on tenantA.main.com which is not what I want.
Another approach I want to try is to send the session data when redirecting to the tenant subdomain (https://laravel.com/docs/7.x/redirects#redirecting-with-flashed-session-data):
redirect($this->redirectPath())->with('auth', 'abc')
But here I am stuck. How can I pass the current session? Or is that a totally wrong approach?
I would simply use a cookie. The information is best stored on the client side. That way the client is responsible for providing their own identification.
It is then the responsibility of your authentication middleware to check if the user has permission to access the current tenant subdomain.
Chances are laravel already is configured to use cookies for authentication. In that case, all you will have to do is to implement your own guard!
Auth::extend('tentantAuth', function ($app, $name, array $config) {
new TenantAuth(Auth::createUserProvider($config['provider']));
});
The TenantAuth class would then simply need to implement Illuminate\Contracts\Auth\Guard in order to be usable.
You can than use the extended authentication by updating your auth.php config file to use the driver 'tenantAuth'.
More information can be found under https://laravel.com/docs/7.x/authentication#adding-custom-guards
I'm using the laravel framework. In my case, I need to save the data (login or register for example) in remote database on cloud.
But the communications with database and laravel, I need to use a rest api.
I have a php class in laravel with functions (login function for example) and in this function I have created the connection logic to my remote rest API (send email and password).
Now, I made connection to remote database and check if the email and password exists and return back a message (if true then I return the view, false i show a error message).
Till this it works fine. But I have a problem. Because I am not using the laravel authentication mechanism in routes file. I am unable to use the middleware to prevent direct access to routes without login. What is the best way to add this security?
I need your help. Thanks a lot.
Regards
It is also possible to create a local useraccount, with the credentials of the account recieved from the API. On this way, you can load all the needed data in your website and also use the auth middleware.
There are multiple ways to do so, maybe you can create your own cookie and check it before any output.
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.
I'm building my first Cakephp application, but I'm pulling my hairs over this problem: I need my application (mydomain.com/cake-app) to co-operate with another non-cake php application (mydomain.com/custom-class) on the same server.
Both applications should share authentications and sessions, and I would like Cakephp to handle these.
However, custom-class will need to see who's logged in, and also add/edit users to my cake-app db, either by accessing my User Model, or by calling an setUser action in my UsersController. custom-class does not have access to the cake-app database.
How can I access Cakephp's AuthComponent and my User Model / UsersController from outside the Cakephp framework? What cake files do I need to include in my custom-class in order to accomplish this?
custom-class does not have access to the cake-app database.
The only way is an API then that doesn't require direct DB access. Implement a RESTful API for example that your none-cake app can call.
http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/views/json-and-xml-views.html
However, custom-class will need to see who's logged in, and also
add/edit users to my cake-app db, either by accessing my User Model,
or by calling an setUser action in my UsersController.
You'll have to read the cookie then and the cookie needs to require something you can send along with your API request so that the API knows who is asking for what.
You won't be able to simply require() or include() a few files from Cake and it will work, this isn't going to happen because the Auth system is a complete stack, you would have to initialize a request, controller, component collection, auth component and the auth adpater(s). Instead check how Cake writes and reads the Cookie and implement the same way in your custom class. But pay attention, Cake saves the cookie encrypted.