I am trying to build a RESTful API, I am using Lumen and I set up lucadegasperi's Laravel Oauth2 - Password Grant.
In Postman, I am posting 5 parameters:
grant_type => password
client_id => 123
client_secret = abc
username => testuser
password => secret
And in response, I receive an access_token successfully. However, in the end-user scenario, where there are 2 form fields (username and password) only, it doesn't seem logical to place client_id, client_secret and grant_type as hidden fields and post them from there. So should I hard-code these 3 parameters (grant_type and valid client_id and client_secret in the Controller where I validate username and password? It feels wrong too. Where should I put it? What is the optimum way of using it?
This is my verify() function:
public function verify($username, $password)
{
$credentials = [
'username' => $username,
'password' => $password,
];
if (Auth::once($credentials)) {
return Auth::user()->id;
}
return false;
}
Related
This question has been asked many times, but decent solution couldn't be found.
I do this - $newToken = auth()->refresh();
in my custom claims, I have
public function getJWTCustomClaims()
{
return [
'is_verified' => $this->verified,
'email' => $this->email,
'role' => $this->getMainRole()->name
];
}
Scenario - first, when I login, it returns me the jwt token. in that jwt token, I have is_verified , email, role set. Let's say is_verified was 0 at the time i got the token. Now, I changed it to 1 in database. NOw when I refrehs the token, as I showed you above, returned jwt token still has is_verified equal to 0, but it should have 1. Any idea how to fix it?
Try with $newToken = auth()->refresh(false, true);
Second parameter is "reset claims":
JWTGuard class -
public function refresh($forceForever = false, $resetClaims = false)
To create a user without the end-user having to type in the details.
Something akin to
User::classcreate([
'email' => $email,
'password' => $rand_pass,
.....
]);
Thanks for the ideas and feedback in advance :)
The use case is.
The end-user invites another user to use the service by typing in their email and it creates a user with a random password before sending a email to the new user with their created details.
You're almost there with your code. It should look like this:
User::create([
'email' => $email,
'password' => bcrypt($rand_pass),
]);
But if you want to hash the password, you should also send the password to that user through email (which is not very secure). When the users logs in for the first time, you should at least require him to change the password.
You can simply use create() method of your User model:
$userData = [
'email' => 'some#email.com',
'password' => 'somepassword'
];
$newUser = User::create($userData);
You'll also need your password hashed in order for it to work with Laravel's authorization. Add the following to your user model - it will hash password before it's saved to the database:
public function setPasswordAttribute($password)
{
$this->attributes['password'] = Hash::make($password);
}
I need to do some extra checks on a user, I would like to get the user by username and password.
Firstly:
Is there a built in function that gets a user by username and password without authenticating them?
Secondly:
If the above is no, then how do I correctly hash the password, because if I use Hash::make( $password ) and then compare to the database, it is not the same... You would usually use Hash::check but I need to actually get the user by username and password.
In Laravel 5.2
You can use Auth::once($credentials) to validate credentials and thereafter Auth::getUser(); to get the user.
$credentials = Request::only('username', 'password');
if(!Auth::once($credentials)) {
// Invalid user credentials; throw Exception.
}
$user = Auth::getUser();
First:
If you want to check if user data to authentication is correct you can use:
if (Auth::validate($credentials))
{
//
}
But if you want to get user from database with user and password, you can use:
$user = User::whereName($username)->wherePassword(Hash::make($password))->first();
Second
To store password in database you should use Hash::make($password) as you showed and it works without any problems. Using Auth::validate should solve the issue.
Yes, there is a built in function you should use. I recommend you to read the docs. But here's a good example, it's pretty self-evident:
$input = array(
'username' => Input::get('username'),
'password' => Input::get('password'),
);
$remember = (boolean)Input::get('remember'); //'Remember me' checkbox
if (Auth::attempt($input, $remember)) {
return Redirect::intended('dashboard')->with("success", "You're logged in!"); //Redirect the user to the page intended to go to, with the dashboard page as default
}
Registering a user looks something like this:
$input = array(
'username' => Input::get('username'),
'email' => Input::get('email'),
'password' => Hash::make(Input::get('password')) //Encrypt password
);
$user = User::create($input);
I also recommend you to read about input validation. I hope this helps, good luck.
Edit: I didn't read the "without authenticating them" part. You should use Auth::validate($input) as Marcin already explained.
Laravel 5.7
To check a users credentials without logging them in, I had to do this:
$user = User::whereEmail($request->email)->first();
$user = password_verify($request->password, optional($user)->getAuthPassword()) ? $user : false;
Laravel auth validation makes use of https://www.php.net/manual/en/function.password-verify.php
To login in yii, i want to do it on a database table (mysql) instead of the default "admin" and "demo" default values provided in the UserIdentity class. The thing is, my user table in the database that i created does not use username and password fields for authentication, but rather email and password fields. So when i change all the "username" to "email" variables in UserIdentity.php, LoginForm.php, SiteController.php, login.php, i get an error:
Property "UserIdentity.email" is not defined.
and the error points to the change i made here by replacing username with email as shown below:
public function authenticate()
{
$user = User::model()->findByAttributes(array(
'email' => $this->email
));
Help on this would be much appreciated.
You may change email on login in UserIdentity.
$user = User::model()->findByAttributes(array(
'email' => $this->username
));
Or add new field 'email' to UserIdentity and use it.
I'm on Drupal 5.x and I'm trying to add new users to the site using a script that calls drupal_bootstrap(). After generating the username, email, password, and role array, I create the new user like so:
$newuser = array( 'name' => $username, 'mail' => $email, 'status' => 1, 'pass' => $password, 'roles' => $roles);
$user = user_save('', $newuser);
I know that with this code I can test the $user object returned by user_save(), but how do I test if the user was created and inserted correctly? Do I have to query the database to test if the user was created successfully?
In drupal 5 it's not easy to see it it fails like in drupal 6. But since it returns a fresh user object from the db, you can inspect it to see if the data was saved properly. So if you try to insert a user and it failed, it will return FALSE.