We have this PlainAuth function:
func PlainAuth(identity, username, password, host string) Auth
The documentation states the following:
PlainAuth returns an Auth that implements the PLAIN authentication
mechanism as defined in RFC 4616. The returned Auth uses the given
username and password to authenticate to host and act as identity.
Usually identity should be the empty string, to act as username.
For me, this is pretty confusing. What is actually the identity
and what acts as username?
What is really happening when we put an empty string as the first
parameter and what other options can we put there?
Related
#PostMapping("/api/v1.0/{username}/forgot")
public void forgotPassword(#PathVariable String username,#RequestBody String enteredPassword,#RequestBody String reenterPassword) {
userServiceImpl.forgotPassword(username, enteredPassword, reenterPassword);
}
Here if the user wants to perform forgot password action he need to enter the password so how can i request user values from postman
Resolved [org.springframework.web.bind.MissingPathVariableException: Required URI template variable 'email' for method parameter type String is not present]
I am getting this error
RequestBody Annotation is generally used when you are not sure of the size of the data you will be sending to backend, for example : large JSON objects.
In your case I see you want to pass the username and password so will recommend you to go with Request Headers (preferably with some authentication methods to encrypt and decrypt the password, just to avoid plaintext password getting passed) instead of Request Body. There is a tab in postman from where you can pass the headers in key and value pairs. I would recommend you to check this link illustrating the use of Request headers.
How Can I Bind userType with jwt token??
because in the frontend needs to do some operations with type of user(hide some menus if userType is different)
in laravel.. Does it possible?
The way Laravel (and you most likely using https://github.com/tymondesigns/jwt-auth), is that the JWT should probably not carry user types or really other kind of user information than maybe a name or an id. After the token is generated, you are supposed to query another endpoint that will return the user information that you are looking for.
So essentially, what you want is 2 routes, let's say:
POST /auth/login
POST /auth/me
To the first route, you are supposed to provide the username and password, to which you'll get a token if credentials are correct. Then, you take the token you were just given, and call the second endpoint, which will return all user information you might want or need. You don't specify which kind of frontend you are using, but here's an example with Nuxt.js's Auth module: https://auth.nuxtjs.org/providers/laravel-jwt/
I have some different requirement, i don't want to decode the password, but i am building some other app based on SAME DATABASE for LOGIN so what i can do to "encrypt the password value so that it matches the backend password encrypted code".
I want to provide LOGIN from CODEIGNITOR app where data base is created by admin app in LARAVEL ... this is the issue...
So through CodeIgnitor if someone is LOGIN the password will be encrypted equivalent hash encrypted laravel application code.
The Encrypted Password is
$2y$10$cwd15HRgON0ytqkkV5F9zupfUOkqaii7fpbB9Kjd9I7W46LRYY0Km
And the real PASSWOORD is
123456
Please help...
Caddy DZ's answer is right, but to better answer your question you should know that every time you generate a new password with bcrypt function, a new random salt is used.
This leads you to end up getting a different hash for the same password each time you generate one.
The only way you have to verify the correctness of the password, is to use a built-in php function called password_verify.
That function will hash your password (that you provide as a second argument) with the same salt that has been used to generate the stored password (the salt to use is stored in the password hash) you already have in the database:
$password = '123456';
$saved = 'your stored hash';
if (password_verify($password, $saved)) {
echo 'Correct password.';
}
You can check the documentation about password_verify
This is not standard encryption that can be decrypted, this is hashing which is only one (1) way encryption..
To make this work in, you need to use the same hashing algorithm between the two apps (Laravel and CodeIgniter)
For instance laravel uses bcrypt by default to hash the password, so you need to configure CodeIgniter to use the same or vice versa.
bcrypt for codeigniter
I use the mentions software stack above and I need to encrypt password before save into database. I also need to decrypt password because when someone will change password he she needs to give in the old password and then the new onw twice and I need to check the old password.
I have searched a lot but I still not sure what is the right way to do this.
I have found this link Encrypting but are there other hints to do this?
I also not sure if maybe MongoDB provides something to protect passwords.
First read Steven CarlsonĀ“s answer about password hashing.
The good thing is that Spring Security will do this for you. Spring Security 3.2 introduced the new org.springframework.security.crypto.password.PasswordEncoder interface and some implementations: BCryptPasswordEncoder, StandardPasswordEncoder (and NoOpPasswordEncoder).
Important: Do not confuse org.springframework.security.crypto.password.PasswordEncoder with the old deprecated org.springframework.security.authentication.encoding.PasswordEncoder
The interface (and therefore the implementations) has the two methods you need:
public String encode(CharSequence rawPassword)
public boolean matches(CharSequence rawPassword, String encodedPassword)
I recommend to use org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.
The BCryptPasswordEncoder (in contrast to the StandardPasswordEncoder) use an salt that is different for each password (but not global like the one from StandardPasswordEncoder). When you encode a raw password (public String encode(CharSequence rawPassword)) then the returned encoded password is not just the encoded password, it also contains some meta information about the used hash-algorithm, the used salt and of course the encoded password.
You should not be "encrypting" the password at all. I know this sounds counter-intuitive. But there is zero reason your system should need to decrypt the password. To do so would open your database to a hacker, because if you store your decryption password in your codes/server a hacker can steal that information.
The correct process is to hash the password. A hash is a one-way (cannot be decypted back to the original text) process. The current standard would be to use SHA256 to hash your password. Here is a basic flow-chart:
Take user submitted password. Example password "mypass" would hash out to ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39700a1e045222
Store this hash (ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39700a1e045222) in your database.
When a user logs in you take the password he just submitted and hash it. If he enters the same password it will hash out to the same value in your database.
When a user goes to change passwords you hash the "enter your old password" to verify the old password still matches, if it does you hash the "enter your new password" and save it.
One thing I did not mention in my example is salt. This is something you must use in your system as it protects your data from rainbow table exploits. But that is for another discussion.
Hope this helps :)
How to use token guard to create API? I tried it to implement it and I am getting error
call_user_func_array() expects parameter 1 to be a valid callback,
class 'Illuminate\Auth\TokenGuard' does not have a method 'attempt'
After dig into the source code of laravel, I found that the token guard is useless for now. All auth are passed to auth middleware, from there, you can see that it called Auth::guard($name)->guest() to check whether the user is logged in. The \Auth::guard will get the proper guard that you specified in route. Let's say here is the TokenGuard. In \Illuminate\Auth\TokenGuard, check the user function to see how TokenGuard get a user. First, it will get the input parameter named api_token. Then it will let the provider which may be eloquent as the default configuration to search a value in the database. If any value is found, a new user instance is created. If there is not a input value named api_token, then some other choices will be tried:
bearerToken, which the Authorization HTTP header value that starts with: bearer.
password, which passed through HTTP header: PHP_AUTH_PW.
which key to match in the model is specified by the protected property storageKey.
So the token guard is used to implemented third-party API access token, not a temporary access token that is stored in the session.