I'm building an app where each subdomain has its own database.
For example:
"example1.app.dev" uses "example1_dbo" database
"example2.app.dev" uses "example2_dbo" database
Each subdomain has its own users, meaning that for example:
user_ex1 can only login on example1.app.dev because he is set in example1_dbo
user_ex2 can only login on example2.app.dev because he is set in example2_dbo
How do I achieve this with Laravel Auth?
Basicaly I have set subdomain routing:
Route::domain('{account}.myapp.dev')->group(function () {})
And i have set up database connections in config/database.php and env file.
I have used this concept on Eloquent models with Model->setConnection($account)
But this method is exhausting while app is growing...
I'm looking for Middleware solution where i can change default DB connection for request globally and for Auth as well while i was not able to get authentication to work.
Have you tried this package:
https://github.com/stancl/tenancy
It provide that out of the box.
hope it is helpful.
Related
I want to use Nuxt.js for my frontend and laravel sanctum as my backend authentication provider. How should I set the SESSION_DOMAIN key in the .env file in my laravel project.
Also should I edit anything in the server object part in the nuxt.config.js file to make this work?
When you use Sanctum with SPA, such as Nuxt, you've the option to use either API or cookies/sessions. If your application is a first-party application on same top level domain, Laravel recommends to use cookie based approach so you can take advantage of CSRF protection. Axios and Angular Http libraries handles CSRF out of the box, so you don't have to worry too much about handling the requests headers [1].
In your case, I assume your application is first party and is on same top level domain. So your SESSION_DOMAIN value would be for example .domain.com. Also you'll need to set SANCTUM_STATEFUL_DOMAINS=domain.com as well. Usually your SESSION_DOMAIN will have just the main domain your application uses on, while SANCTUM_STATEFUL_DOMAINS will have all the subdomains (if any), that your frontend uses.
To work with Sanctum, we should be familiar with a few things first. We must use our SPA and API backend on the same domain, like frontend on domain.com and API on api.domain.com. We can not set frontend on domain.com and backend (API) on another-domain.com. The client must be able to include cookies with each request being sent to the backend.
session domain is the front-end domain name without protocol and port.
When you are working on local you must set it to localhost and when you are working on server you must set the domain name.
please follow this example of nuxt-laravel-sanctum-auth
There is a central web app 'AppsManager' that stores users and database credentials for all other web apps. This has an api to validate the login in other web apps and also serves database credentials.
So in a different laravel app -that has it's own database- I am asked to implement a different way of using database credentials.
The request is forLaravel to read it's database credentials from the 'AppsManager' api instead of the default .env file.
Is this a good practice ? How can be done in Laravel ?
I am not sure if this is a good practice or not, personnally I dont think it is a good idea to have credentials sent between apps.
Nonetheless, what I would do, in your situation, is create a new configuration in config/database.php to explicitly tell Laravel what connection it should use to have this distant database.
Inside the models that use this database you can specify :
<?php
class MyModel extends Model {
protected $connection = 'name-of-the-connection-you-gave-in-the-config-file';
}
Or if you use the DB facade, you can just call DB::connection('name-of-the-connection-you-gave-in-the-config-file') as explained here in the docs.
I have a react app that fetch datas from laravel api defined like so in routes/api.php:
// this is default route provided by laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
// ItemController provides an index methods that list items with json
Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
for example http://example.com/api/items returns the data as intended but it's really insecure since anyone could access it through postman.
How to make those routes only accessible inside the app?
As I'm new to it I don't understand if I need to set up api_token and how?
Do I need to setup Passport?
Is is related to auth:api middleware?
It may sounds really basic but any help or tutorial suggestions would be greatly appreciated
EDIT
End up with a classic session auth. Moved routes inside web.php. Pass csrf token in ajax request. Actually i didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented yet, but i implemented lucadegasperi/oauth2-server-laravel for one of my laravel projects and it was developed in Laravel 5.1
Here is the link to github repository
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation Exrensive Documentation
Just add the package to the composer json and run composer update,the package will get installed to your application , once installed add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation,
you have to do a small tweak in order to work perfectly cut csrf from $middleware array and paste it into $routeMiddleware array and again run php artisan vendor:publish after publishing the migrations will be created and run the migration php artisan migrate
if you only want to secure api routes for each client like ios, android and web you can implement Client Credentials Grant, or if you need to every user with oauth the you can implement Authorization Server with the Password Grant or some other.,
Never use the client id or other credentials, generating access token in the form, but add it some where in helper and attach it in the request to the api,
Hope this answer helps you.
You could use JWT it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication, your URL would look like http://example.com/api/items?token=SOME-TOKEN. without a proper token, he doesn't have access do this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests, he can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you to have a look at this question
How do I enable login throttling in Laravel 5.3?
Should it be enabled by default?
Where can it be configured?
I could not find anything in the config files. I use ldap auth with adldap library.
Simple.
In .env, If CACHE_DRIVER is set to array, it won't work.
Set CACHE_DRIVER to file for example.
According to the documentation:
If you are using Laravel's built-in LoginController class, the Illuminate\Foundation\Auth\ThrottlesLogins trait will already be included in your controller. By default, the user will not be able to login for one minute if they fail to provide the correct credentials after several attempts
I am new to Laravel. I have created a domain and subdomain with a specific domain group.
domain.com
admin.domain.com
On my domain.com a user can login. And in the subdomain admin.domain.com an admin can login. The problem Im having is when a user is logged in the root domain the admin subdomain is also logged in. I want the root domain and subdomain to be of different sessions. Please help!
This problem is not on framework, I got this problem when I worked with Yii 2.0 too, the issue because sessions general from application key, the solution is make key different between root and subdomain.
The solution here is you have to general another Laravel Application key on your subdomain follow the document:
php artisan key:generate
Application key [Idgz1PE3zO9iNc0E3oeH3CHDPX9MzZe3] set successfully.
2 keys in root and subdomain have to different.
Hope this help.
Laravel by default uses a single cookie to keep session data and manage its authentication system, thats why your user keeps logged across your subdomains, because your cookie is still there.
In this case I think you have 2 options:
1st: Create a different auth system using middlewares for each subdomain group to manage sessions (lets say you create/read a different cookie for each subdomain, but this could be a little bit tricky if the same user want to use the app across different subdomains at the "same time").
2nd: Use a different session driver (lets say database e.g.)