Any idea on how i can test my authentication routes in authorization code grant:
- GET: '/oauth/authorize/?' . $query
- POST: 'oauth/token'
The problem is that according to the docs you need to provide a redirect_uri field in your query and i don't know how you suppose to have one in tests and then get the response from your laravel app.
i don't want to test this api with my frontend app.(if possible)
i haven't showed any code bc i just need a general idea of the testing process of such APIs that are working with clients and redirect_uris
on google i found tests around password grant authentication which doesn't need a redirect_uri field
this is what i tryed and it failed.
test:
$user = User::orderBy('id', 'asc')->first();
$token = $user->createToken('personal_access');
Passport::actingAs($user, [], 'api');
(new AuthController)->logout();
if (($user = Auth::user()->toArray()) !== null) {
dd(1, $user);
} else {
dd(0);
}
Auth::user() returns the $user
AuthController:
public function logout(): Response
{
$tokenId = $this->getTokenId();
$tokenRepository = app(TokenRepository::class);
$tokenRepository->revokeAccessToken($tokenId);
$refreshTokenRepository = app(RefreshTokenRepository::class);
$refreshTokenRepository->revokeRefreshTokensByAccessTokenId($tokenId);
Artisan::call('passport:purge');
return response('Successfully loged you out.', 200);
}
private function getTokenId(): int
{
return (new CheckAuthentication)->getAuthenticated()->token()->id;
}
$tokenId is always zero.
Related
I'm a beginner. I have a pin field in my user database. I want users to verify the pin before they can access there profile. how can I do this any logic?
in livewire components
public function verify (){
$user = User::select('id')->where('pin',$pin)->first();
Auth::loginUsingId($user->id);
return redirect()->intended('/user');
}
in my livewire blade I will call the verify method in the form will this work
laravel login using pincode :check the following code example may be you get the hint how to implement that, in this example code pin authentication is done using JWT and then user is allowed to access to those specific routes.
$user = User::find($uid);
try {
if (!$token = JWTAuth::fromUser($user)) {
return $this->onUnauthorized();
}
} catch (JWTException $e) {
return $this->onJwtGenerationError();
}
For somereason if you dont want to use the above JWT method you can use this one. i'm sharing the code for an example from by program which may help you
$user = User::select('id')->where('pin',$pin)->first();
Auth::loginUsingId($user->id);
return redirect()->intended('/user');
I would like to add HTTP basic authentication to my Yii2 application in which the username/password is stored in the Yii configuration file - for exactly one user, no DB authentication.
I have enabled authentication for my controller by adding behaviors function:
public function behaviors()
{
return [
'basicAuth' => [
'class' => \yii\filters\auth\HttpBasicAuth::className(),
'auth' => function ($username, $password) {
if ($username=='api') {
return new SimpleApiUser();
} else {
return null;
}
},
],
];
}
And I was required to create class, that implements IdentityInterface, that is why I have class:
class SimpleApiUser implements IdentityInterface {
public static function findIdentity($id)
{
return null;
}
public static function findIdentityByAccessToken($token, $type = null)
{
return null;
}
public function getId()
{
return 1;
}
public function getAuthKey()
{
return 1;
}
public function validateAuthKey($authKey)
{
return true;
}
}
That is fine, the application asks for username/password in the case of the first request, but then it managed to store the authentication somehow in some internal session and it does not required repeated authentication for each new request be it made from the browser (which my add sessions) or be it from Postman (which certainly does not keep sessions). Is it possibly to modify user class to require to provide username and password with each new request?
I've tried to play around a bit with your code.
First, your code is enough to require the basic auth to be part of every request. If the Authorization header is not present in request the yii will return 401 Unauthorized. So your implementation is already doing what you need.
There are reasons why user is not required to enter username/password each time.
For web browsers:
The credentials are saved for session and the browser will send them automatically in each subsequent request without prompting them again from user.
For postman: The authorization is stored for request as long as you don't manually remove the authorization settings it will be sent as part of each request.
If you want to force users to manually enter username/password with each request you can extend the HttpBasicAuth component to pretend that the authorization was not part of request for every other request like this
use Yii;
use yii\filters\auth\HttpBasicAuth;
class MyHttpBasicAuth extends HttpBasicAuth
{
const SESSION_KEY = 'authForced';
private $session;
public function __construct($config = [])
{
parent::__construct($config);
$this->session = Yii::$app->session;
}
public function authenticate($user, $request, $response)
{
if ($this->session->has(self::SESSION_KEY)) {
$this->session->remove(self::SESSION_KEY);
return parent::authenticate($user, $request, $response);
}
$this->session->set(self::SESSION_KEY, true);
return null;
}
}
But this will require sessions to work so it can only be used with browsers. It won't work well for API. For postman this implementation would make every other request fail with 401 Unauthorized. It would fail same way for api that will work with cookies and it would fail each request for api that wouldn't work with cookies.
Side note: The postman does keep/send cookies so sessions works with postman.
I am slightly confused about the correct flow to Register and Login a user with cordova-plugin-facebook4 and Laravel Socialite + tymondesigns/jwt-auth. My front end is in Ionic 2 and the backend is in Laravel 5.4
My flow: (heavily borrowed from this blog post)
Using the cordova-plugin-facebook4 , perform a FB.login(). This returns the following json
{
status: "connected",
authResponse: {
session_key: true,
accessToken: "EAACgZAhHOaPsBAIjUUASeKSLnbEkashdkashdkhakdhakdh",
expiresIn: 5183979,
sig: "...",
secret: "...",
userID: "634565435"
}
}
Post the "accessToken" to http:///auth/facebook
Retrieve the user profile using the Socialite "userFromToken" method.
$profile = Socialite::driver('facebook')->userFromToken($token);
Check if the user exists in the DB.
IF it does create and return a new access token using JWTAuth
ELSE create a new user in the DB and return a new access token using JWTAuth
$provider = "facebook"
try{
$profile = Socialite::driver($provider)->userFromToken($token);
}
catch(Exception $exception)
{
return response()->json([
'error'=>'User retrieval failed from provider'
],401);
}
//Check if the user registered earlier with this provider.
try{
$existingUser = User::where('provider','=',$provider)
->where('provider_id','=',$profile->getId())
->firstOrFail();
//If user is found and no exception was raised
if ($existingUser)
{
return response()->json([
'token'=>JWTAuth::fromUser($existingUser),
'user'=>$existingUser
]);
}
}
catch (ModelNotFoundException $exception)
{
$user=new User();
$user->email=$profile->getEmail();
$user->name=$profile->getName();
$user->password=$this->random_password();
$user->provider=$provider;
$user->provider_id=$profile->getId();
$user->save();
return response()->json([
'token'=>JWTAuth::fromUser($user),
'user'=>$user
]);
}
My Confusion:
Are the "Login with Facebook" and "Register/Signup with Facebook" two exclusive functions? How would subsequent logins work for a mobile app after the user registers on Laravel the first time?
In Step 4 when I check if the user exists in the backend I'm querying the table on the "provider_id" returned by Socialite::driver($provider)->userFromToken($token)->getId(). I don't understand how this value is unique to a particular user.
In both cases for step 2 - a new JWT Auth token is created from the user and returned to the front end. I plan to save this token on the front end and use it for protected resource access. However, I'm not sure if I need to store the FB Access_Token in the DB and share it with the front end to be cached as well.
How will the login process work when the app is reopened. The user should be auto logged in but would this happen via Facebook, via Laravel Social or just the locally stored JWT?
Thanks
Sam
I am using tymon/jwt-auth liibrary for JWT authentication in my project which is built using laravel.
In my mysql users table I am having a role_id column. I want to include that in my generated JWT token's claim on login so that I can implement role based ACL using my JWT token on subsquent requests.
Below is what I have tried to get it working
$credentials = $request->only('email', 'password');
$userModel = User::where('email',$request->input('email'))->get()->first();
$role = $userModel->roles_id;
$customClaim = ['role' => $role];
try
{
// attempt to verify the credentials and create a token for the user
if (! $token = JWTAuth::attempt($credentials, $customClaim))
{
//return 401 error
}
}
catch (JWTException $e)
{
//return 500 error
}
return response()->json(compact('token'));
}
Above code is working fine as expected but problem with above code is on login I have to hit my database twice once for getting role and one for authenticating user. That would be great if someone can suggest a better way to do it in a single database hit.
I seem to be running into an issue with my login test with conditions. My login handler checks that the email and password are valid as well as the user being confirmed. The following test cases pass:
public function test_redirect_to_login_if_login_fails()
{
// enable filters to test login
Route::enableFilters();
// some fake credentials to use
$credentials = [
'email'=>'user#domain.com',
'password'=>'badpassword',
'confirmed'=>1
];
// mock the Auth class
Auth::shouldReceive('attempt')
->once()
->with($credentials)
->andReturn(false);
// call the login post with the credentials
$this->call('POST','login',$credentials);
// assert that we are redirected back to the entry page
$this->assertRedirectedToRoute('entry');
}
public function test_redirect_if_login_success()
{
// enable filtere to test login
Route::enableFilters();
// some fake credentials to use
$credentials = [
'email'=>'user#domain.com',
'password'=>'Pa55w0rd',
'confirmed'=>1
];
// mock the Auth class
Auth::shouldReceive('attempt')
->once()
->with($credentials)
->andReturn(true);
// call the login post with the proper credentials
$response = $this->call('POST','login',$credentials);
// assert the response is good
$this->assertTrue($response->isRedirection());
}
This one however, gives me an error - though it's very similar to the first test case above:
public function test_redirect_if_user_is_not_confirmed()
{
// enable filters to test login
Route::enableFilters();
// some fake credentials to use
$credentials = [
'email'=>'user#domain.com',
'password'=>'badpassword',
'confirmed'=>0
];
// mock the Auth class
Auth::shouldReceive('attempt')
->once()
->with($credentials)
->andReturn(false);
// call the login post with the credentials
$this->call('POST','login',$credentials);
// assert that we are redirected back to the entry page
$this->assertRedirectedToRoute('entry');
}
The error:
Mockery\Exception\NoMatchingExpecationException: No matching handler
found for
Mockery_0_Illumnate_Auth_AuthManager::attempt(array('email'=>'user#domain.com','password'=>'badpassword','confirmed'=>1,)).
Either the method was unexpected or its arguments matched no expected
argument list for this method.
My controller method:
public function store()
{
if (Auth::attempt(array("email"=>Input::get('email'),"password"=>Input::get('password'),'confirmed'=>1)))
{
return Redirect::intended('home');
}
return Redirect::route("entry")->with("danger",Lang::get('orientation.invalid'))->withInput();
}
Your test is failing correctly - because your supplying the wrong data to the test.
You have the mock of Auth to receive:
Auth::shouldReceive('attempt')
->once()
->with($credentials)
->andReturn(false);
Specifically that it should receive ->with($credentials). But you have defined $credentials as having confirmed => 0 when your controller is always going to be sending confirmed => 1 because that is what is hard coded.
Instead - you should still be expecting to receive confirmed => 1 in your test - but mocking a false return because no matching record is found.
This should work:
// some fake credentials to use
$credentials = [
'email'=>'user#domain.com',
'password'=>'badpassword',
'confirmed'=>1
];