I have a Laravel 4 web application where users can login and edit their profile.
I've created an API package that allows the user to login with their username/password and get a json dump of their profile.
Now, I don't want the API users to use their username/password but instead to use an app_id / app_key from another table in the database.
How to accomplish this with Laravel 4? It would be fantastic if I can create an Auth driver that works the same way Auth:attempt() would so I don't have to change any of my business logic, but I don't know how to inject a new Auth service provider that ONLY works inside of the API package.
You can change your Auth settings at where you want. You can create a filter in filters.php like that:
Route::filter('api_auth', function()
{
Config::set('auth.table', 'api_table');
// you can even change your model
// Config::set('auth.model', 'Apiuser');
});
And use before any route in routes.php like that:
Route::get('user', array('before' => 'api_auth', function()
{
// some stuff
}));
So that, you can use different settings and do what you want.
BTW, I tried this method at Laravel 3, it worked. I looked docs of laravel 4, I couldn't see anything prevent this work.
Related
I'm working on a project with laravel. in my project there's two type of users one of them are admins and other one is normal users.
btw project is only provides API and there's no blade views.
I give a token to any user or admin logins with the api. and application will identify user or admin by sending that token with an authorization header and I check if token is validate and the user type is admin then give access to the admin features for that client.
here's my code for this part:
$admin = Auth::guard('admin-api')->user();
if ($admin) {
// allow to use admin features
}
else {
return response()->json(['error' => 'token is invalid'], 401);
}
I read something about applying Restrictions on a controller class in laravel and it was written there to add a constructor like this into controller class:
public function __construct() {
$this->middleware('admin-api');
}
and also there's something like that just for Restricting routes. like this
but I just want to know is it necessary to add same constructor to my controller class while the project just provides API? or the way that I'm doing is correct?
You are doing it right.
I would prefer restricting the request via routes, so there is no need to add constructor on each new Controllers.
Route::middleware(['admin-api'])
->group(function () {
Route::get('cart', 'Carts\CartController#retreive');
Route::post('cart/coupon', 'Carts\CartCouponController#addCoupon');
Route::delete('cart/coupon', 'Carts\CartCouponController#deleteCoupon');
Route::delete('cart/flyer', 'Carts\CartController#deleteFlyer');
});
This will apply the admin-api middleware on all the routes in the group and there is no need to add a constructor on Carts\CartController and Carts\CartCouponController, just to have middleware restriction.
I am using the Laravel 5.2 Auth system coming up with this command :
php artisan make:auth
Although this works totally fine as is, my goal is to use an external API to perform login, registering and changing password while still being able to use the core function of the Auth class.
So taking the login for example, I want to use something like
function login(ApiController $api) {
// This function return data or error code and message in JSON
$login = $api->login([ $credentials['email'], $credentials['password']]);
if($login->success)
// login successfully like normal Auth would do
else
// redirect to main page with $login->message
}
By the way, I want to pass fields coming up from $login to the Auth class, like we can actually do Auth::user()->email giving us the email, I'd want to set value like "database field" but with my API JSON fields behind
I looked on the Internet and found something to do inside AuthController and something related to ServiceProvider, but I don't know how to follow my exact needs
Adding a custom user provider would help in this case. There is no need to play with AuthController here. Check this Laravel Docs page.
You will need to create a new User Provider which implements Illuminate\Contracts\Auth\UserProvider, specify it in AuthServiceProvider and update your auth config file accordingly.
Here are the links to the framework's default User Providers for reference :
1) DatabaseUserProvider
2) EloquentUserProvider
I ended up coding my own Auth system...
Using session() and Input()
I am using Laravel 5.1 for my project. I am trying to secure Routes and make sure only logged in user can access certain routes. I am aware about middlewares but I am wondering if anyone post an example or a link explaining about middleware and how to protect a page using middleware.
Thanks
To build on the answer given by Joe Rose, you can also specify the middleware in your controller rather than in your routes.php file.
E.g you could have your routes set out like
Route::get('/example', 'ExampleController#index');
Route::post('/example/post', 'ExampleController#post');
Route::resource('blog', 'BlogController');
And then inside your controller reference it like so:
class ExampleController extends Controller
{
public function __construct()
{
$this->middleware('auth');
}
//....
If you're looking for more info, check out the link to the docs Joe gave, and also this blog post which explains what middleware is really well and how to create your own if you need to.
You are correct about using middleware. The included Auth middleware is what you should use, as long as you are also using the included Auth controller to authenticate users. You would write your route like this:
Route::get('/page', array(
'uses' => 'Controller#method',
'middleware'=>'auth'
));
(The above example is using a GET request, but it could other request types, like POST for example).
This will use the default behavior of the middleware which checks to see if the user is logged in (authenticated). You can also extend or overwrite the built-in functions to allow you to direct the application on where to send the user if they are or are not logged in, etc. Laravel's official documentation is a good starting point: link
I'm using the HMVC package to consume my own API. However it also includes some POST requests which require authenticaton. Obviously I can't just dump in my password in the request nor do I find ENV variables an elegant solution.
Is there a way to check inside the basic auth filter whether the request is made internally?
The filter is applied to the controller, not the route
First option
You could add the exception test on the filter, so that you only apply the filter rule if the request is not from localhost.
Second option
You would apply the filter on the Route, so that you wouldn't have problems accessing the controller locally.
Route::get('profile', array('before' => 'auth', function()
{
// Only authenticated users may enter...
}));
Source: http://laravel.com/docs/4.2/security#protecting-routes
Third option
It doesn't seem an elegant solution either, but a workaroung would be to look if the request comes from localhost, you could manually authenticate the user.
$user = User::find(1);
Auth::login($user);
Source: http://laravel.com/docs/4.2/security#manually
I am wanting to create an Android / iPhone application to enable mobile phone users to have the same functionality as the website.
The website's authentication works as planned:
Auth::attempt(array('email'=>Input::get('email'), 'password'=>Input::get('password')))
What I have is another auth.php within the public/app/ folder (I will add the .htaccess later!) that will authenticate users logging in through their mobile phones. Ideally, to make it simpler, I'm wanting to use all of the Laravel controller functions that my web app uses.
I know the Auth:: function resides in the BaseController but I'm unsure of how to access this within the /public folder, or if this is it the suggested method.
As anyone else authenticated a user through their mobile phone through Laravel?
Any help would be hugely appreciated. Many thanks.
I would suggest to create a route in the app/routes.php for authenticate a mobile user.
Route::post('mobile/auth', function() {
// your stuff
});
or via controller:
// app/routes.php
// connect the route to a controller
Route::post('mobile/auth', 'MobileAuthController#auth');
class MobileAuthController extends BaseController
{
public function auth()
{
// ...
}
}
Is this what you mean? or else i misunderstand you.
You're authentication is pretty basic, checkout the damn good documentation on the laravel website for better examples.