I'm trying to use the following technique described on symfony.com : http://symfony.com/doc/current/cookbook/testing/http_authentication.html
in an attempt to functionally test a controller that requires a user to be logged in.
So far, my login form is working, I can login, and the Symfony2 debug web toolbar is showing my user as authenticated. Also, I have already written a functional test for the login process itself, this passes. So I now by two scenarios, that my login is working.
The only problem I'm having, is when trying to simulate HTTP authentication like so for other controllers:
$client = static::createClient(array(), array(
'PHP_AUTH_USER' => 'tester',
'PHP_AUTH_PW' => 'testpass',
));
I can see by inspecting the $client, that I am being redirected to my login page, the moment I try something like this:
$crawler = $client->request('GET', '/');
I know that the user tester with password testpass exists in the DB, as I can login with that account via browser as well.
I can use the following code from the security controller test:
$client = $this->createClient(array(), array('HTTP_HOST' => 'myapp.test'));
// Visit user login page and login
$crawler = $client->request('GET', '/login');
$form = $crawler->selectButton('Login')->form();
$crawler = $client->submit($form, array('_username' => 'tester', '_password' => 'testpass'));
// ... carry on with remainder of tests
but I'm not too sure if this is the most efficient way to do this.
I'm a bit stunned as to what is wrong. Any ideas? Was there a change applied to Symfony2 that means that this process has changed and the HTTP authentication simulation now doesn't work or works differently?
Thinking about it, I might just do the login using the following setUp method:
public function setUp()
{
// Perform user login.
$this->client = $this->createClient(array(), array('HTTP_HOST' => 'scire.test'));
$crawler = $this->client->request('GET', '/login');
$form = $crawler->selectButton('Login')->form();
$this->client->submit($form, array('_username' => 'tester', '_password' => 'tester'));
}
The HTTP authentication won't work here, unless I alter my config_test.yml with some security setup to allow HTTP authentication.
Note to self: HTTP authentication is different from using a Doctrine user provider!!!
Send your request like this:
<?php
$client->request(
'GET',
'/',
array(),
array(),
array('PHP_AUTH_USER' => 'username', 'PHP_AUTH_PW' => 'pa$$word')
);
This actually sends the information as real authentication header information.
Related
I have a Laravel web application (website.nl) AND an Laravel API (api.website.nl).
When the user logs in with the login form on the website. A post request is done to the API. When the login request is successfull a token AND User object is send back in the form of a JSON string. The login method looks like this.
public function login(Request $request)
{
$email = $request->input('email');
$password = $request->input('password');
$response = $this->client->request('POST', self::$apiRootUrl . '/login', [
'headers' => [
'Accept' => 'application/json',
],
'form_params' => [
'email' => $email,
'password' => $password
],
]);
$result = json_decode($response->getBody()->getContents());
if (isset($result->success->token))
{
$user = User::create([
'id' => $result->success->user->id,
'name' => $result->success->user->name,
'email' => $result->success->user->email,
'password' => $password
]);
Auth::login($user);
$this->apiToken = $result->success->token;
return $this->sendLoginResponse($request);
}
return $this->sendFailedLoginResponse($request);
}
Where I want this login function to be as stupid as possible, meaning, let the API figure out if this is a valid login request. This method only passes the arguments.
The main website should not have a database. It only uses the API to login, get a token, and do requests with that token to gather data for the user to see on the main website's dashboard.
For this reason my question is this: How can I store the User object retrieved from the API in such a manner that it will be query-able like an Eloquent model. But without the need to store it in a database. Again, the main website shouldn't need a database. It only communicates with the API for it's data.
I hope this question makes sense, if not, please ask for more details.
I don't want to create a duplicate database with migrations on the main website. Because that's the job of the .api subdomain. Also, all the models are used within a session. Never being stored for a longer time, because that's also located in a store method on the .api subdomain.
This would require you to write your own grammar for Eloquent, an ActiveRecord implementation for the API you're using.
In theory it's possible, in practice it's a lot of work.
Take a look here for how Laravel implements the database types it currently supports.
https://laravel.com/api/5.8/Illuminate/Database/Schema/Grammars.html
I am developing a laravel back-end to work with Vue JS, and trying to implement user registration. I have downloaded passport to authenticate users, but I am having trouble understanding exactly how a new user registers for the website.
From the research I have done it seems like you would want to make a route for the registration that can be accessed without using laravel passport, and then once the user is created grant it a token.
Once the user is registered Would I use a personal grant token, Implicit, or use passports CreateFreshApiToken middleware.
Should I put all my routes in web or the api route file?
You may create a route in your api where anybody can register a new user , so you do not use any auth middlewares, like for example:
Route::post('users', 'AuthController#register'); // Signup
and in your controller the related method:
/**
* API Register
*
* #param Request $request
* #return \Illuminate\Http\JsonResponse
*/
public function register(Request $request)
{
$rules = [
'name' => 'unique:users|required',
'email' => 'unique:users|required',
'password' => 'required',
];
$input = $request->only('name', 'email','password');
$validator = Validator::make($input, $rules);
if ($validator->fails()) {
return response()->json(['success' => false, 'error' => $validator->messages()]);
}
$name = $request->name;
$email = $request->email;
$password = $request->password;
$user = User::create(['name' => $name, 'email' => $email, 'password' => Hash::make($password)]);
}
from this point the type of passport OAuth2 authorization code flow you choose will influence your implementation on the consumer app.
You may go for the classical OAuth2 flow where basically you have this steps:
Register the consumer application to the OAuth2 server and obtain the Client Id and Secret
The consumer application request an authorization code to the OAuth2 server using the Client Id and Secret
Once obtained the authorization code the consumer application can now request an access token to the OAuth2 server
The consumer application can now have access to the Api using in every request to the server its access token that it is sent in the header request.
Obviously each step above is an HTTP request and how you do it depends on the technology you use in the consumer application.
For example in php, you can use Guzzle and send an access token request like this:
$http = new \GuzzleHttp\Client;
$response = $http->post('http://yourserver.com/oauth/token', [
'form_params' => [
'grant_type' => 'authorization_code',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'redirect_uri' => 'http://example.com/callback',
'code' => $request->code,
],
]);
On the other side you may want to use a simpler way to retrieve access tokens, avoiding all the authorization code request etc. using Laravel passport Personal Access Tokens. In this way you can issue access tokens for the user simply doing:
$user = App\User::find(1);
// Creating a token without scopes...
$token = $user->createToken('Token Name')->accessToken;
I encourage you to take a look to the Passport Laravel documentation and check all the possibilities offered.
What I am trying to do is to login to an external API and retrieve a JSON file. For this I am using Guzzle in Laravel.
I have setup a controller to do this:
$client = new Client([
'base_uri' => 'https://www.space-track.org',
'timeout' => 2.0,
]);
I access the JSON file using:
$response = $client->request('GET', '/basicspacedata/query/class/boxscore');
In order to get the JSON file I am required to login to the API. The API tutorial tells me:
Login by sending a HTTP POST request ('identity=your_username&password=your_password') to: https://www.space-track.org/ajaxauth/login
What I am unable to do is login to the API using Guzzle. I tried following a few Guzzle tutorials and using the 'auth' array to which none worked.
Basically, what I am unable to do is to login to the API using Guzzle.
Here is a basic flow that should work
// Initialize the client
$api = new Client([
'base_uri' => 'https://www.space-track.org',
'cookies' => true, // You have to have cookies turned on for this API to work
]);
// Login
$api->post('ajaxauth/login', [
'form_params' => [
'identity' => '<username>', // use your actual username
'password' => '<password>', // use your actual password
],
]);
// Fetch
$response = $api->get('basicspacedata/query/class/boxscore/format/json');
// and decode some data
$boxscore = json_decode($response->getBody()->getContents());
// And logout
$api->get('ajaxauth/logout');
dd($boxscore);
Now if it's not a one off request and you're planing on extensively using this API you can wrap this "ugliness" in your own service class that exposes a meaningful internal API that allows you to write then something along the lines of
$spaceTrack = new App\Services\SpaceTrack\Client();
$boxscore = $spaceTrack->getBoxscore();
dd($boxscore);
I want to do basic access authentication using Guzzle and I am very new to programming. I have no clue what to do. I tried to do this using curl but my environment requires using guzzle.
If you're using Guzzle 5.0 or newer, the docs say that basic auth is specified using the auth parameter:
$client = new GuzzleHttp\Client();
$response = $client->get('http://www.server.com/endpoint', [
'auth' => [
'username',
'password'
]
]);
Please note that the syntax is different if you're using Guzzle 3.0 or earlier. The constructor is different, and you also need to explicitly use the send method on a request to get a response:
$client = new Guzzle\Http\Client();
$request = $client->get('http://www.server.com/endpoint');
$request->setAuth('username', 'password');
$response = $request->send();
A brief addendum
In response to #Matthwew-Knill, yes, you can set a default authorization and implicitly have Guzzle send it in each further request. #Nick's answer is on point. The client constructor takes every parameter you could think of and then some.
Another approach, if you want to get creative, would be to instantiate the client passing it default headers to send on every further request. Simple auth is, after all, an Authorization header. It's computed as:
$client = new Client([
'headers'=>[
'Authorization'=> Basic base64_encode(<username>:<password>)
]
]);
Last but not least please note that filling a simple auth dialog happens only once (upon the virst visit of a given session). This is usually achieved by setting a cookie on the visitor's browser. That cookie in turn contains enough info for the server to identify its matching active session.
Usually, Guzzle requests are stateless, but you can configure Guzzle with a middleware chain to either modify request or responses, for debug purposes and, for this use case, to remember cookies, thus becoming partially stateful.
Please check the detailed procedure in Guzzle Docs. The important thing is that, by instantiating the client with a cookiejar middleware, therefore having the client include it from then on, the first request will remember the server's set-cookie header, and will send it as every further cookie header, making the server recognize the client as a logged in user. Of course, you could also inspect the first response's headers yourself and send its value from then on.
There might be other ways, but I can't think of another right now.
In additional to #amenadiel answer. Sometimes handy specify auth parameters in constructor:
$client = new Client([
'auth' => ['username', 'password'],
]);
Then every request will use this default auth parameters.
This dint work when I used Guzzlev6 and used the advice from #amenadiel. When you use curl, your syntax would look something like
curl -u someone#gmail.com:password http://service.com
behind the scenes it actually takes the "someone#gmail.com:password" bit, base64 encodes it and sends the request with an "Authorization" Header with the encoded value. For this example, that will be:
Authorization: Basic c29tZW9uZUBnbWFpbC5jb206cGFzc3dvcmQ=
Advice from #amenadiel appended an "auth: username,password" header and hence, my authentication kept failing. To achieve this successfully, just craft the header when you are instantiating a Guzzle Client request, i.e
$client = new GuzzleHttp\Client();
$credentials = base64_encode('someone#gmail.com:password');
$response = $client->get('http://www.server.com/endpoint', [
'Authorization' => ['Basic '.$credentials]
]);
That would append the header as curl would, and whatever service you are trying to connect to will stop yelling at you,
Cheers.
According to the Guzzle 6 documentation, you can do a request with basic authorization as simple as this:
$client = new Client();
$response = $client->request(
'POST', /*instead of POST, you can use GET, PUT, DELETE, etc*/
$url,
[
'auth' => ['username', 'password'] /*if you don't need to use a password, just leave it null*/
]
);
echo $response->getBody();
NOTE: You don't need to use base64_encode() at all because it already does it before the request.
I've tested and it works :)
See more at: Guzzle 6 Documentation
$response = $client->request( 'GET', 'your_url', [
'auth' => [
'your_username',
'your_password'
],
'headers' => [
'if you want to pass something in the headers'
]
]
);
You can also configure the auth params when instantiating the client instead of adding it to each request:
$this->client = new \GuzzleHttp\Client([
'base_uri' => $this->endpoint,
'headers' => [
'Authorization' => ['Basic '.base64_encode($this->username.':'.$this->password)],
],
]);
Here are the various doc links for Guzzle 6:
Creating a Client
Request Options
Auth Request Options
According to what #bourgeois247 said about base64 encoding, the following worked perfectly for me on Guzzle 6:
$client = new Client();
$credentials = base64_encode('username:password');
$response = $client->post('url',
[
'headers' => [
'Authorization' => 'Basic ' . $credentials,
],
]);
If you use it with symfony, you can also define it in your configuration file (config/packages/eight_points_guzzle.yaml for symfony4 or flex or config.yml for the other version)
In your configuration file :
eight_points_guzzle:
clients:
your_service:
# Write here the host where to do requests
base_url: "yourURL"
options:
timeout: 30
auth:
- yourLogin # login
- yourPassword # password
plugin: ~
Then, in your service, controller, etc....
$client = $this->getContainer()->get('eight_points_guzzle.client.your_service');
$response = $client->get('yourRoute');
See : https://packagist.org/packages/eightpoints/guzzle-bundle
I'm building a Laravel API which authenticates users using an authentication token. For any routes that need authentication, I'm wrapping them in an auth filter:
Route::group(array('before' => 'auth'), function() {
Route::get('user/account', 'UserController#getAccountDetails');
});
My auth filter basically decrypts the passed in authentication token and checks if it's valid:
Route::filter('auth', function()
{
// Try catch because Crypt::decrypt throws an exception if it's not a valid string to decrypt
try {
$authToken = Crypt::decrypt(Request::header('Authorization'));
// If there's a user tied to this auth token, it's valid
$user = AuthToken::where('token', '=', $authToken)->first()->user()->first();
if (!$user) {
throw new \Exception();
}
// Make the user globally accessible in controllers
} catch (\Exception $e) {
return Response::json([
'data' => [
'error' => 'You must be logged in to access this resource.'
],
'success' => false,
'status' => 403
], 403);
}
});
Pretty simple stuff, but I'm stuck on the next part. I want to be able to easily retrieve the current user record in my controllers and models.
For example, if I used Laravel's Auth library I could get the current user by doing Auth::user() in my controllers. I'd like to have that kind of functionality but I'm not sure how to build it. Could I write a class that gets instantiated after authentication with a static method that returns a User model?
Not sure if that's an option for you, but maybe you would like to use oauth2 instead of writing "your own" token based authentication?
There is quite nice ouath2 server wrapper for laravel project: oauth2-server-laravel.
According to it's documentation you can (for example for password flow authentication) put this in it's config:
'password' => array(
'class' => 'League\OAuth2\Server\Grant\Password',
'access_token_ttl' => 604800,
'callback' => function($username, $password){
$credentials = array(
'email' => $username,
'password' => $password,
);
$valid = Auth::validate($credentials);
if (!$valid) {
return false;
}
return Auth::getProvider()->retrieveByCredentials($credentials)->id;
}
)
And than you can you can authenticate (via username and password in that case) sending post request like that:
POST https://www.example.com/oauth/access_token?
grant_type=password&
client_id=the_client_id&
client_secret=the_client_secret&
username=the_username&
password=the_password&
scope=scope1,scope2&
state=123456789
Request will return generated token, and then you can make api calls as usual, just putting the token in the post data.
In your api logic getting the user by token is quite simple in that case, just run:
User::find(ResourceServer::getOwnerId());
It will makes stuff like: refresh tokens, other grant flows, scope access, clients management a lot easier. Out of the box in fact.
You can also secure any particular route like that:
Route::get('secure-route', array('before' => 'oauth', function(){
return "oauth secured route";
}));
You can find more details in oauth2-server-laravel documentation: https://github.com/lucadegasperi/oauth2-server-laravel
And oauth2 documentation: http://oauth.net/documentation/
It is true that the Auth::user() method is quite convenient. So, why not simply extend the Auth class to write your own authentication driver ? You can find all needed doc here.
You can then just use the Auth facade just like in every other laravel app you could write… wonderful, isn't it ?