I am developing a small intranet to serve authenticated-only assets using Laravel 9. I install laravel:breeze in order to include login functionality and it works for users that register using breeze form in /register route.
I have an external database with the current users that I want to use instead of manually registering one by one.
Is there any approach for achieving this?
I have an app which uses another app for the users database. And it sure is using authenticate-by-id feature. Here how it goes:
A user opens MY_APP and is opening login url which prompt him/her to login using Gmail (might be different in your case)
MY_APP receives the Gmail account
Check the existence of the account in MY_APP database: authenticate it if exists, and proceed to the next step if otherwise
MY_APP checks the existence of the account in the USERS_DB_APP through an API
If the account is not exists, the login request will be denied
Otherwise:
Save the user record from USERS_DB_APP to my own MY_APP database
Then proceed authenticate the user using its just-created id
Your actual case might be different from this. But I hope it can gives you an insight to some level.
Related
I have a problem authenticating users in my banking application. I want super users to be created and authenticated using email. However, I want that normal users be registered and assigned account numbers. The normal users would then use the account numbers to login. How do you achieve authentication of these different kinds of users with different username fields in one django project.
I have tried overriding the USERNAME_FIELD to account numbers so that normal users would use that to login. It doesnt help to login normal users. For superusers, it prompts for account number when I run
python manage.py createsuperuser
Kindly assist in understanding how to handle this kind of custom authentication.
Django is ready to support your requirement. AUTHENTICATION_BACKENDS support multiple backend as list. For normal user you have to write custom backend and Add that in AUTHENTICATION_BACKENDS.
This link will help you.
I'm developing a mobile app which will allow users to browse without signing up. I would like to have all my endpoints secured via token.
How would we go about allowing anonymous browsing? i.e. provide a token to anonymous users.
Not sure to understand your case, why do you need a token if your users aren't registered and your API opens to everyone?
The authentication system of Strapi has been built to only send token to registered users. However, the easiest way to make it work for you is to register every visitor coming in your app based on their IP or something unique as a username and set the same password for each one of them. Then, every time the user comes back, you can call the /auth/local URL to sign-in the user and get the token or use the token stored in the local storage.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
I use two different applications in my CI installation. The first is called "admin"... obviously an admin panel. The second is "frontend" where everything else is. I use the same database for each of the apps and the same member tables, both for admin authentication and member auth. The problem is, since the CI session class doesn't use native PHP sessions, the session only works in the application that it is set in(which makes sense)... for example, if a user that is indeed an admin logs into the system through the frontend app and then clicks the link to the admin app, they are required to login again. If they have the "Remember Me" option selected across when they login to both apps, this obviously isn't a problem.
How would I fix this? Or do you guys think it's better to have them login to the admin app again, just to validate their admin status again?
Thanks for your time.
You could use the native php session instead. There's a class which you can just copy paste, and you'll not have to change any of the rest of your code.
I currently have three websites all running from the same DB
example websites:
www.mysite.com
admin.mysite.com
members.mysite.com
now because this all runs from a single DB they all use the same .net Membership tables.
All members are in a role: Member
All Admins are in a role: Admin
So the admins can log into the admin site and access all their admin functions etc, but the members if they tried to log into the admin area are bounced back to the login screen without any message, what I want to happen is to redirect them to the site: members.mysite.com and have them logged in.
As I could send them to a page in the admin site that does a response.redirect('http://members.mysite.com'); but then they have to login again.
So is there any good way to do this, or am I left doing something unsecure and hacky with querystring?
Querystring is fine as long as you use a unique 'one time token' that gets deleted after it's used to perform the login (this is how Google does it).
EDIT - Basic procedure is
Generate a cryptographically secure token
Store token/username combo in database
Redirect to new site with ?token=XXXXXXXXXXXXXXXX
New site sees token, looks up matching username in database and deletes token
Perform login procedure as that user