I am currently developing a web application with Laravel 5.0 and I authenticate my users with Facebook and Twitter using the socialite plugin.
Everything is working well now, I actually already made a post about it when I was struggling with it when I started. So if you want to see the code I'm running you can refer to my previous article.
But now I would like to keep those sessions "alive"? , I don't want to click on the login button everyday and I am having a hard time finding information about it...
The thing is I am not even sure if I look at the right place.. because I am a real newbie in this area and I don't know If I should read more about the Facebook and Twitter SDK or should I look on the Laravel side only ?
I've must have read the Laravel authentication chapter a hundred times but I really don't know where to start. Remembering a token sounds like the way to go but I have no idea whatsoever how to implement it in my current environment.
This is the method provided by Laravel:
if (Auth::attempt(['email' => $email, 'password' => $password], $remember))
{
// The user is being remembered...
}
But when we use the socialite plugin we have to log in the user with the Auth::loginUsingId(id); method, am I wrong ? So how can we remember the user with this method ? Is it possible ? Is it the way to go ?
I hope my problem is clear enough. So if anyone could tell me where should I focus my researches that would be great !
Related
I apologize in advance if you don't understand at any point.
context** I am building a web application in Laravel, although I am very new, I am doing well. I implemented the laravel fotify package for user authentication and others, all perfect. Now, in the same way, I use Laravel Socialite to allow login and registration with Google.
now, according to laravel fortify I can implement email verification, which I did according to the documentation and it works perfect. My question or use case that I would like to solve is:
that users who logged in with google are not asked for this verification, since I consider it a bit redundant, however I still have not found the solution.
In my users table, I have a type_auth field where I store the type of authentication that was done. example: google
My idea is to cancel the verification using this field.
I would appreciate any ideas or if this is impossible.
thank you.
I'm wondering if someone could shed some light on an issue im having.
I am following a tutorial on Laracasts about building a forum using Laravel ( 5.4 ) and TDD.
At the moment we have developed the authentication system and now its moving on to actually posting a 'thread'.
In the tutorial, only logged in users can post, then the post is associated with the user that posted it.
But, how would i go about allowing non-logged in users to post as well.
What would be the best approach to take to this?
Any help would be greatly appreciated.
Solution, maybe not good : Create anonymous user in your users table (with ID = 0 for example). And after if user is not logged in to post a thread, you use anonymous user, and you store IP address in your thread table.
Storing IP Address will permit you to attribute thread when user will decide to create his account (and replace 0 by the real user_id in the futur)
Laravel Provides an authentication which can be injected in the constructor of your controller .
Check this link for your reference
https://laravel.com/docs/5.4/authentication
or Since your watching Laracast what the Laravel from Scratch the part where jeffrey is creating a Blog
Good Luck
For security reasons I need Github to ask the user to login again to confirm it's actually the owner of the GitHub account trying to use the OAuth2 on my current single-sign-on project.
For Linkedin and Google I am having the same issue, for Facebook there is an option in developers.facebook.com that force reauth for OAuth2 everytime but for now I've used this code to force Facebook Reauth:
public function getRequestParams() {
return array(
'auth_type' => 'reauthenticate'
);
}
I've been searching all afternoon yesterday and have also spend my whole morning on it again now. This is a MANDATORY thing for the web application of the customer, the application MUST reauth for Linkedin/Facebook/Github/Google, I can probably get it to work with Linkedin/Google but I don't see any solution with Github.
Simply asking for a new token doesn't do anything either because then the Github account is still logged in and will just automatically authorize it. And obviously I can't temper with the cookies from a other URL.
Is there anyway I can do this? I am pretty sure there is no way at all to do it via a OAuth2 Parameter (or else I would be able to add it to my abstract class allowing it to work with any SingleSignOn I add, which would be optimal but seemingly impossible).
I've asked a similar question here for OAuth2 but I believe it's just not possible OAuth2 Single-sign-on component, force reauthentication
But specificly for Github, any possibility to force the user to login everytime there is an OAuth call made?
So I've been work quite a lot more on our SSO adapter and I've had to conclude that it is impossible to do this. These are the two conclusions I came to.
OAuth2 is a framework that does not offer any functionality, you use it for example to make something abstract and use the same methods for Github/Facebook/Linkedin/etc without having to use 5 different SDK's
If the Social Media doesn't offer the functionality then you can't do it. Unless you want to do some almost border line-hacking and destroy the users sessions/cookies whatever. Even if it was possible it possibly isn't legal and it surely isn't user friendly.
We've ended up accepting that there's a small chance that someone can exploit logging in to another users account like that, but considering you need physical access or have to be able to remote control someones computer we decide that this is something that the user is supposed to control and we really can't do more about unless we do not offer the social media at all.
I have written an api for a project that uses, oauth2 to authenticate users, and lock down that api to only people with an access token, and it works fantastically well, we have a route group that looks like this,
Route::group(array('prefix' => 'api', 'before' => 'oauth'), function() {
});
The problem I am now facing is that scope of the project has changed and we need to extend the api a little bit. Basically at the moment, the API is used to create projects, and a project a can have a team that can CRUD a project.
The scope has changed now so that a project can also have client user who can follow a unique link to monitor the progress of the project, and update certain aspects of the project.
The problems are 2 fold,
1) You cant do anything on our API without an access token, so even a GET request for data to build the page would be turned down for a client user.
2) To get a access token you need a username and password. The key thing for a client user is that do not need to login, they should be able to just get a unique URL in email, and then load the project.
I figure that creating a custom grant type would be the best solution is that correct? If that is correct does anyone have any guidance on creating one?
If that is not the best way what other options do I have available to me?
I'm using laravel. I know it has a functionality to do login really easy. But, as far as I know it just work with the laravel database. However, I have the database outside of my server so I am using an API to get everything I need. My question is how can I still use the Authentication function using my API?
It is really easy to connect to the API and check if the user and password match, but after that How can I keep using the auth function of laravel for logout, guest and auth pages, etc.
Other example that may work if it is easier to you understand it that way is imagine that I have my users on a text file instead on a database.
Please help me and thanks in advance.
You could use Auth::login($user); to simply do it after verifying credentials using API