Lithium all rows in cookies, session - php

Currently, after login, Lithium stores in the session and cookies all rows from the users table, like password, hash, etc. How can I stop some of the information, like the password and hash, from being stored?

The Session class stores what you tell it to! After Auth::check is done, you should only store the session identifier and/or absolutely necessary data in the cookie. Also make sure to use the encryption Lithium provides out of the box (AES).
For more detailed help, please post your login controller and all appropriate model/filters.

Passing options to Auth::check will get passed down to the adapter as well (plus some extras). For this I'm assuming you're using the Form adapter for the Auth class.
Try doing this when you perform your check:
    Auth::check('config', $data, array('fields' => array('fields', 'you', 'want')));
The key here is the array we tacked on the end with the fields key in it; this will be passed down to the Form adapter, which takes those options and uses them to query your model for a matching user. By telling it explicitly which fields to return, it will only pass those back to the Auth class for storing away.

Since this commit you can pass an option 'persist' => array('field1', '...') to Auth::check, or set it as the default in your bootstrap session config, to store only the specified fields.
So either you set this in your bootstrap/session.php:
    Auth::config(array(
        'user' => array(
            'adapter' => 'Form',
            'session' => array(
                'persist' => array('_id', 'username')
            ),
            'model' => 'Users'
        )
    ));
or you define the fields when calling Auth::check(); this will override everything from the config above!
    Auth::check('user', $this->request, array(
        'persist' => array('username', 'email')
    ));
Note: If not defined explicitly the password is never stored by default.
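As an added illustration (not part of the answer above and not Lithium's own code) of why the allow-list in 'persist' is the right tool rather than stripping the columns you happen to know are sensitive: a plain-PHP comparison of the two approaches. The user row and its column names are constructed for the example.

```php
<?php
// Added example, not Lithium code: deny-list vs. allow-list before a user
// row is handed to the session (and, with a cookie session adapter, to the
// browser). Plain PHP, no framework needed.

declare(strict_types=1);

// Constructed sample row standing in for what the Form adapter returns from
// the users table. Column names are assumptions.
$row = [
    '_id'         => 42,
    'username'    => 'alice',
    'email'       => 'alice@example.com',
    'password'    => '$2y$10$examplebcrypthash',   // must never reach the session
    'hash'        => 'c0ffee',                     // legacy column the deny-list forgets
    'reset_token' => 'd34db33f',                   // ditto
    'role'        => 'editor',
];

/**
 * Deny-list: drop the columns we remembered to list. Anything we did not
 * think of (or that a later migration adds) leaks through.
 */
function denyList(array $row, array $sensitive): array
{
    return array_diff_key($row, array_flip($sensitive));
}

/**
 * Allow-list, which is what Lithium's 'persist' option implements: keep only
 * the named columns and ignore everything else, including future columns.
 */
function persist(array $row, array $fields): array
{
    $kept = [];
    foreach ($fields as $field) {
        if (array_key_exists($field, $row)) {
            $kept[$field] = $row[$field];
        }
    }
    return $kept;
}

$denied = denyList($row, ['password']);
$kept   = persist($row, ['_id', 'username', 'role']);

// 'hash' and 'reset_token' survive the deny-list and would be persisted.
if (!isset($denied['hash'], $denied['reset_token'])) {
    throw new RuntimeException('unexpected: deny-list removed more than listed');
}
// Only the three named fields survive the allow-list.
if (array_keys($kept) !== ['_id', 'username', 'role']) {
    throw new RuntimeException('allow-list kept an unlisted column');
}

echo json_encode(['deny_list' => $denied, 'persist' => $kept], JSON_PRETTY_PRINT), PHP_EOL;
```

Run it with `php` on the command line; the deny-list output still carries the hash and the reset token, the 'persist' output carries only the id, username and role, which is the behaviour the 'persist' config option gives you inside Lithium.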

Related

Yii2 - Attach a component on runtime

I asked a question about setting a component's value dynamically from the database, giving SwiftMailer as the example. It was answered perfectly here,
but that answer applies to the mailer component only, so how can I achieve the same functionality for, say, the following values I need to add to my config.php:
    'pp' => [
        'class' => 'app\components\paypal', // note: a namespaced class name (backslashes); it has to correspond with the newly created folder, else you'd get a ReflectionError
        // Next up, we set the public parameters of the class
        'client_id' => 'YOUR-CLIENT-ID-FROM-PAYPAL',
        'client_secret' => 'YOUR-CLIENT-SECRET-FROM-PAYPAL',
        // You may choose to include other configuration options from PayPal
        // as they have specified in the documentation
    ],
If you need to provide these credentials from the database at runtime, you can define the component in code using the setComponents() method of the yii\base\Application class: retrieve the PayPal settings from the database there and remove the entry from the config file.
Add the following lines to set the component at runtime and then call the desired method:
    Yii::$app->setComponents(
        [
            'pp' => [
                'class' => 'app\components\paypal', // note: a namespaced class name (backslashes); it has to correspond with the newly created folder, else you'd get a ReflectionError
                // Next up, we set the public parameters of the class
                'client_id' => 'YOUR-CLIENT-ID-FROM-PAYPAL',
                'client_secret' => 'YOUR-CLIENT-SECRET-FROM-PAYPAL'
                // You may choose to include other configuration options from PayPal
                // as they have specified in the documentation
            ]
        ]
    );
    // now you can call the desired method for pp with the above credentials
    Yii::$app->pp->checkout();

Laravel customise logic for login/password reset

I need to customise the logic for Laravel's authentication. I found a solution on SO: override the credentials method in the LoginController like so:
    return ['email' => $request->{$this->username()}, 'password' => $request->password, 'status_id' => $whatever];
But now I've discovered an issue: a user can still reset their password, and then they get signed in automatically. So how can I disable password resets for users who should not be allowed to sign in?
There is a method on the ResetsPasswords trait called resetPassword()
Override this in your Auth/ResetPasswordController and replace the line
    $this->guard()->login($user);
with whatever functionality you want to achieve after the password reset.
If you want to prevent a disabled user from resetting their password, use a middleware to check if the account is disabled before continuing with the password reset.
You can add a new column isbanned to your user table that accepts only a boolean value, and then check this column's value for a user who requests a password reset. If the value is TRUE, don't give the reset link; otherwise, give it.
Below you can see this example:
    if (Auth::attempt(array('phone' => $request->input('phone'), 'password' => $request->input('password'), 'isactive' => '1', 'isbanned' => '0'), $remember)) {
        // your logic
    }
Hope this helps you.
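As an added example (it is not from any of the answers above and not Laravel's own code), here is a ResetPasswordController that combines both answers: the status columns go into the credentials handed to the password broker, so a banned or inactive account is simply never found and the reset fails, and resetPassword() is overridden without the final login. It assumes Laravel 5.5 to 7.x (the ResetsPasswords trait with credentials() and resetPassword() hooks, and the PasswordReset event) and assumes integer `isactive`/`isbanned` columns on the users table.

```php
<?php
// Added example, not from the original answers: refuse password resets for
// banned/inactive accounts and do not sign the user in after a reset.
// Assumes Laravel 5.5-7.x and `isactive`/`isbanned` columns (assumptions).

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class ResetPasswordController extends Controller
{
    use ResetsPasswords;

    /** Where the user lands after a successful reset; no session is created. */
    protected $redirectTo = '/login';

    public function __construct()
    {
        $this->middleware('guest');
    }

    /**
     * Credentials handed to the password broker. The broker looks the user up
     * with every key except the password-related ones and the token, so adding
     * the status columns makes a banned or inactive account resolve to "no such
     * user" (Password::INVALID_USER) and the reset never runs. This is the same
     * credentials() trick the question already uses in LoginController.
     */
    protected function credentials(Request $request)
    {
        return array_merge(
            $request->only('email', 'password', 'password_confirmation', 'token'),
            ['isactive' => 1, 'isbanned' => 0]
        );
    }

    /**
     * Called by the broker once the token has been validated. Identical to the
     * trait's version minus the trailing $this->guard()->login($user): the user
     * must authenticate with the new password (and pass LoginController's own
     * credentials() check) to get a session.
     */
    protected function resetPassword($user, $password)
    {
        $user->password = Hash::make($password);
        $user->setRememberToken(Str::random(60));
        $user->save();

        event(new PasswordReset($user));
    }
}
```

Because the status columns are part of the lookup, a banned user sees the generic "we can't find a user with that e-mail address" error rather than a message that reveals the ban. If you also want the "forgot password" form to refuse to send the link, check whether your version's SendsPasswordResetEmails trait exposes the same credentials() hook; in older 5.x versions it does not and you need a middleware as the first answer suggests.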

Yii2 : read session data of any user from database

I'm creating an application using the Yii2 framework. The application contains role & permission kind of logic so I moved the session to the database level. My basic configuration is as below.
    'session' => [
        'class' => 'yii\web\DbSession',
        'sessionTable' => 'user_session',
        'writeCallback' => function ($session) {
            return [
                'user_id' => Yii::$app->user->id,
                'last_write' => (new \yii\db\Expression('NOW()'))
            ];
        }
    ]
In the user_session table, each user's session is saved. My question is how I can modify/update a particular user's session. I have a user id and from that I can retrieve its session data, but I can't modify it (I don't know how).
I tried the readSession() method, but the data is in serialized form (I guess).
__flash|a:0:{}id|s:26:"ajmj0p5r5gjub1d7cajf42n7v1";expire|s:10:"1508852343";data|s:1932....
How can I modify these data so the user may have new permission data if updated by the Admin user?
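The blob in the question is PHP's native "php" session serialization: one `name|<serialized value>` record after another, with no separator between records. The following added example (not from the question and not part of Yii) decodes such a blob in plain PHP, changes a value, and encodes it again so it can be written back to the `data` column. The blob it operates on is constructed to match the shape Yii writes (`__flash` and `__id` are Yii's own keys); the `permissions` variable standing in for the role data is an assumption.

```php
<?php
// Added example, not Yii code: decode/modify/encode a DbSession `data` blob.
// Plain PHP (>= 7.0 for the allowed_classes option). Variable names in the
// sample blob other than __flash/__id are assumptions.

declare(strict_types=1);

/**
 * Split a session blob into [name => value].
 *
 * unserialize() reads exactly one value and ignores what follows, so we
 * re-serialize the decoded value to learn how many bytes it consumed. That
 * round-trip is byte-exact for strings, ints, bools, null and arrays of
 * those; floats and objects may not round-trip, in which case we stop rather
 * than guess where the next record starts.
 */
function sessionDecode(string $blob): array
{
    $vars   = [];
    $offset = 0;
    $length = strlen($blob);

    while ($offset < $length) {
        $bar = strpos($blob, '|', $offset);
        if ($bar === false) {
            throw new RuntimeException("malformed session data at offset $offset");
        }
        $name = substr($blob, $offset, $bar - $offset);
        $rest = substr($blob, $bar + 1);

        // allowed_classes=false: a tampered row cannot instantiate arbitrary
        // classes while we parse it. The @ silences the "extra data" warning
        // PHP 8.3 emits for the trailing records.
        $value = @unserialize($rest, ['allowed_classes' => false]);
        $again = serialize($value);
        if (substr($rest, 0, strlen($again)) !== $again) {
            throw new RuntimeException("cannot decode the value of '$name'");
        }

        $vars[$name] = $value;
        $offset = $bar + 1 + strlen($again);
    }
    return $vars;
}

/** Inverse of sessionDecode(): the format PHP itself writes. */
function sessionEncode(array $vars): string
{
    $out = '';
    foreach ($vars as $name => $value) {
        $out .= $name . '|' . serialize($value);
    }
    return $out;
}

// Constructed blob in the shape DbSession stores for user 7.
$blob = '__flash|a:0:{}__id|i:7;permissions|a:2:{i:0;s:9:"post.read";i:1;s:10:"post.write";}';

$vars = sessionDecode($blob);
// The admin revoked post.write for this user.
$vars['permissions'] = array_values(array_diff($vars['permissions'], ['post.write']));
$updated = sessionEncode($vars);

if (sessionDecode($updated)['permissions'] !== ['post.read']) {
    throw new RuntimeException('round trip failed');
}
echo $updated, PHP_EOL;

// Writing it back to the table from the question (assumes the user_id column
// added by writeCallback):
// Yii::$app->db->createCommand()
//     ->update('user_session', ['data' => $updated], ['user_id' => 7])
//     ->execute();
```

Two caveats before relying on this. First, rewriting another user's row races with that user's own requests: PHP loads the session at the start of a request and writes its in-memory copy back at the end, so a request that is already in flight will overwrite your change. Second, and more generally, permission data copied into the session is a cache that goes stale exactly when it matters (revocation); the robust design is to keep only the user id in the session and read roles and permissions from the database on each request, or to store a version number next to them and reload when the admin bumps it.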

Yii Framework get user data

How can I get the currently logged-in user's data, with all the parameters, from the database? Right now I get its ID by using this:
echo Yii::$app->user->getId();
Can I reach other data somehow or do I have to create a function which gets all the information by the user ID?
You can access all the identity values this way;
this is for the username:
    Yii::$app->user->identity->username
Check your User model for the other attributes.
http://www.yiiframework.com/doc-2.0/guide-security-authentication.html
http://www.yiiframework.com/doc-2.0/yii-web-identityinterface.html
http://www.yiiframework.com/doc-2.0/yii-web-user.html
(and your User model of course)
You can access the model of the currently logged in user with:
    $user = Yii::$app->user->identity;
This will return either null (if the user is not logged in) or an instance of the identityClass you defined for the user component in your config. Ex:
    'user' => [
        'identityClass' => 'app\models\User',
        'enableAutoLogin' => true,
    ],
So you can use it like any other model class and access its attributes and/or methods. Just make sure you configure the user component correctly and that the identityClass exists and can be accessed.
The current user is:
    Yii::$app->user->identity
It can be null, so check it before accessing fields.

Best practice of writing custom authentication mechanism on Yii2

I need to write a very specific authentication for my web application. There is an API on the side which accepts a login + password pair and returns the result (and a token). I don't want to store any login information on the Yii2 side besides the login token I've got from the API. And this must be the only way I authenticate my clients (so I don't use an OAuth-like application).
What is the best practice to override the "classic" code in Yii2? Just use filters and modify the User model?
Example:
First, I receive a token and save it somewhere for a session:
    $token = GatewayAPI::login($user, $password);
Then, every internal request I do will look like this:
    $result = GatewayAPI::addPosition($token, $data);
So I don't have any database to work with, just cache and memory. Almost everything is handled on the API side.
My task is to implement the login check: if a token is received from the API, then it's considered a success. And to store that token for use within the current session (probably in memcache; it must not be open to the public).
As a matter of fact Yii2 does not require login/password anywhere.
You don't need to modify or extend User model if you mean \yii\web\User.
You need to create your own class implementing IdentityInterface and set this class as userIdentity in your config components->user->identityClass:
    [
        'components' => [
            'user' => [
                'class' => 'yii\web\User', // not necessary, this is the default
                'identityClass' => 'my\namespace\User'
            ]
        ]
    ]
There are 5 methods in the interface and they are not about login/pass. This class of yours may store in your db everything you want.
For example you may copy any of popular user modules to your project, remove everything related to storing and searching by login/pass from that User model and add your API functionality - and it will work.
UPD.
Your added functionality will look like this:
    $token = GatewayAPI::login($user, $password);
    $user = \my\namespace\User::findOne(['token' => $token]);
    Yii::$app->user->login($user);
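As an added example (it is not the answer's code and not part of Yii), here is an IdentityInterface implementation for the token-only setup the question describes. Nothing but the API token is kept on the Yii side, in the server-side cache component, and the browser only ever sees a random session id that maps to it. It assumes Yii 2 with a configured `cache` component, the namespace `app\models`, a one-hour token lifetime, and the `GatewayAPI::login()` class and method from the question.

```php
<?php
// Added example, not Yii's or the answer's code: a cache-backed identity for
// an upstream-API login. Assumptions: namespace app\models, a working
// Yii::$app->cache, GatewayAPI::login() as in the question, 1 h token TTL.

namespace app\models;

use Yii;
use yii\base\BaseObject;
use yii\web\IdentityInterface;

class ApiUser extends BaseObject implements IdentityInterface
{
    /** Random, opaque id stored in the PHP session; never the API token. */
    public $id;
    /** Token returned by GatewayAPI::login(); used for outgoing API calls only. */
    public $token;

    /** Cache key for a login; the prefix is an assumption. */
    private static function cacheKey(string $id): string
    {
        return 'api-token:' . $id;
    }

    /**
     * Called from the login action after the upstream API accepted the
     * credentials. Only the token goes to the cache; the password is used for
     * the one API call and never stored.
     */
    public static function fromApiLogin(string $login, string $password): ?self
    {
        $token = \GatewayAPI::login($login, $password);
        if (!$token) {
            return null;
        }
        $id = bin2hex(random_bytes(16));            // 128-bit unguessable id
        Yii::$app->cache->set(self::cacheKey($id), $token, 3600);
        return new static(['id' => $id, 'token' => $token]);
    }

    /** yii\web\User::login() stores getId(); on later requests Yii calls this. */
    public static function findIdentity($id)
    {
        $token = Yii::$app->cache->get(self::cacheKey((string) $id));
        return $token === false ? null : new static(['id' => $id, 'token' => $token]);
    }

    /** Not used: clients log in only through the form that calls the API. */
    public static function findIdentityByAccessToken($token, $type = null)
    {
        return null;
    }

    public function getId()
    {
        return $this->id;
    }

    /**
     * getAuthKey()/validateAuthKey() back the "remember me" cookie. A cookie
     * that outlives the cached token makes no sense here, so keep
     * enableAutoLogin => false in the user component and return nothing.
     */
    public function getAuthKey()
    {
        return null;
    }

    public function validateAuthKey($authKey)
    {
        return false;
    }

    /** Drop the cached token on logout so the id cannot be replayed. */
    public function forget(): void
    {
        Yii::$app->cache->delete(self::cacheKey((string) $this->id));
    }
}

// In the login action (illustrative):
//   $user = ApiUser::fromApiLogin($form->login, $form->password);
//   if ($user === null) { $form->addError('password', 'Login failed'); }
//   else { Yii::$app->user->login($user); }
// Later, for API calls:
//   GatewayAPI::addPosition(Yii::$app->user->identity->token, $data);
// On logout, before Yii::$app->user->logout():
//   Yii::$app->user->identity->forget();
```

Configure it with `'identityClass' => 'app\models\ApiUser'` and `'enableAutoLogin' => false` in the user component. The cache must be a server-side store (FileCache, memcached, Redis) and not reachable by clients, exactly as the question requires; with memcached, keep it bound to a private interface, since anyone who can read the cache can read every live token.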
