Use Laravel Sanctum to add Authentication to Horizon - laravel

I am wondering if it's possible to use the SPA login (from Vue) using Laravel Sanctum to also authorise for Laravel Horizon?
I've done much googling and can't find an answer to this. So far I've just had to make do with creating a custom middleware for Horizon that uses Auth.basic, which isn't as user-friendly as it would be to log in via Sanctum and use the abilities to determine who can view the Horizon dashboard.
Thank you.

According to this GitHub Issue Comment:
https://github.com/laravel/horizon/issues/65#issuecomment-412128134
Author: #francislavoie
So this is kinda hilarious. I found out that Horizon has an
undocumented feature to solve this.
https://github.com/laravel/horizon/blob/1.0/src/HorizonServiceProvider.php#L54
Horizon does try to grab its list of middlewares from config. This
isn't documented anywhere unfortunately.
You can simply add 'middleware' => ['web', 'auth'], to your
config/horizon.php.
So in my case, this became:
'middleware' => ['web','assign.guard:web','auth:sanctum'],
assign.guard is my own middleware because I have multiple auth guards going on.
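The following is an added example, not code from the question, the answer, or the Horizon project. It puts the `'middleware'` key the answer refers to next to the place where Horizon actually decides who may see the dashboard: the `gate()` method of the application's Horizon service provider, which defines Horizon's own `viewHorizon` ability. The e-mail allow-list and the `horizon:view` token ability name are assumptions for illustration.

```php
<?php

namespace App\Providers;

use Illuminate\Support\Facades\Gate;
use Laravel\Horizon\HorizonApplicationServiceProvider;

/*
 * Added example. It assumes config/horizon.php carries the key the answer
 * above points to, so every dashboard request passes through the session
 * stack and the Sanctum guard before Horizon sees it:
 *
 *     'middleware' => ['web', 'auth:sanctum'],
 *
 * auth:sanctum accepts either the first-party SPA session cookie or a
 * bearer token, and it switches the request's default guard to sanctum, so
 * the $user handed to the gate below is whatever Sanctum resolved.
 */
class HorizonServiceProvider extends HorizonApplicationServiceProvider
{
    /**
     * Register the Horizon gate.
     *
     * The parent provider checks this gate for every dashboard request
     * outside the local environment (in local, everyone is let in).
     */
    protected function gate()
    {
        Gate::define('viewHorizon', function ($user) {
            // Assumption: operators are identified by e-mail address.
            // Swap in a role or permission check if the application has one.
            $allowedViewers = ['ops@example.test'];

            if (! in_array($user->email, $allowedViewers, true)) {
                return false;
            }

            // Requests authenticated with a personal access token must carry
            // the 'horizon:view' ability (assumed name). A first-party SPA
            // session gives Sanctum's transient token, whose can() is always
            // true, so cookie logins are governed by the allow-list alone.
            return $user->tokenCan('horizon:view');
        });
    }
}
```

The practical consequence of the transient-token behaviour is that abilities only restrict token-based callers; for users who reach Horizon through the SPA session, the allow-list (or whatever replaces it) is the only thing standing between them and the queue dashboard, so keep that check tight.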

Related

What is Laravel Sanctum supposed to be able to do?

To be honest, I don't understand the concept of Laravel Sanctum. Before there was Sanctum, people used JWT. That always worked very well. In other frameworks in the Node context, I only use JWT. I am very confused by the paragraph about the SPA Auth (https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication). It talks about Sanctum also using the web auth. Does that mean that if I log in via the web route (auth), I can also use the api route (auth:sanctum)?
Thanks! Max

What Am I Missing for this Custom Authentication in Laravel 8

I have a website that uses SAML2 for authentication. I don't manage the SSO at all, rather my site is part of a portal that requires SSO authentication for entry. I currently have middleware that gets the SAML attributes from the request->server object, and then does a variety of tasks, like check to see if they have affiliations, if those affiliations are allowed, etc...
This middleware was added to the kernel so that it runs for every HTTP request. I want to revamp this middleware to make it cleaner, and to also use Laravel's native Auth facade (we're checking to see if a session variable for a user has been set to determine if the user has already logged in, versus auth->check(), for example).
I've read several tutorials on how to bypass the authentication that comes with the Laravel Breeze starter kit and make your own. None quite matches what I need to do, but the concepts are the same:
Create a model (using the User model that was already there, with a few tweaks)
Create a Service provider (created a new provider that implements the UserProvider interface)
Create a Guard (created a new guard that implements the Guard interface)
I can understand those three things and did them, but I am unsure of how to put it all together.
I updated my config/auth.php file to include the new guard and provider:
I then updated the boot method of App\Providers\AuthServiceProvider to include the provider and guard that I created:
But now what? I guess this is the part I am missing.
Can someone more knowledgeable help me fit in the missing pieces? I am using Laravel Framework 8.73.1.
Now you just need to protect your routes using the Laravel auth middleware (assuming your guard and provider implementations are correct).
You have two options:
Replace the default guard. Open config/auth.php and look for the lines:
'defaults' => [
'guard' => 'web', // --> Replace with saml
'passwords' => 'users',
],
Now, add the auth middleware to your routes and you are good to go. You can use the Auth facade as described in the Laravel documentation.
Keep the Laravel one as the default, and use your guard separately. You just need to specify which guard to use whenever you use the Auth facade or middleware.
The middleware you need to use is auth:saml, and the facade calls must be prefixed with guard('saml'), e.g. Auth::guard('saml')->user().
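As an added example (not the asker's code and not the answer's), here is what the two options above look like in config/auth.php and routes/web.php together. It assumes the guard driver and user provider were registered in AuthServiceProvider::boot() under the names `saml` (via `Auth::extend()` and `Auth::provider()`), that the custom guard resolves the user from the SAML attributes already present on the request, and that the existing `App\Models\User` model backs both guards. The file markers separate the two excerpts; each goes into the file it names.

```php
<?php
// --- config/auth.php (excerpt) ---------------------------------------------
// Option 1 from the answer: make 'saml' the default guard. Plain 'auth'
// middleware and Auth::user() then resolve through it; leave 'guard' => 'web'
// here if you prefer option 2 and name the guard explicitly on each route.
return [
    'defaults' => [
        'guard' => 'saml',
        'passwords' => 'users',
    ],

    'guards' => [
        'web' => ['driver' => 'session', 'provider' => 'users'],
        // 'driver' must match the name passed to Auth::extend() in boot().
        'saml' => ['driver' => 'saml', 'provider' => 'saml'],
    ],

    'providers' => [
        'users' => ['driver' => 'eloquent', 'model' => App\Models\User::class],
        // 'driver' must match the name passed to Auth::provider() in boot().
        'saml' => ['driver' => 'saml', 'model' => App\Models\User::class],
    ],
];

// --- routes/web.php (excerpt) ----------------------------------------------
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Option 2 from the answer: keep 'web' as the default and name the guard.
// Only requests the saml guard can authenticate reach the closures below;
// everything else gets the usual redirect-to-login / 401 handling.
Route::middleware('auth:saml')->group(function () {
    Route::get('/dashboard', function (Request $request) {
        // Explicit guard access, exactly as the answer describes.
        $user = Auth::guard('saml')->user();

        // $request->user() returns the same object here: after a guard
        // authenticates, the auth middleware makes it the request's default.
        assert($user->is($request->user()));

        return view('dashboard', ['user' => $user]);
    });
});
```

Whichever option is used, the guard is the only thing deciding identity, so its `user()`/`check()` implementation is where the SAML attribute validation the question describes (affiliation present, affiliation allowed) has to live; the middleware merely asks the guard and enforces the answer.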

Laravel 8: to make an SPA never suffer from 419-error, is it appropriate to use Sanctum and put routes in api routes?

For the sake of making my use-case more understandable, I'll classify services like Figma, WhatsApp, etc as SPAs. I've never received a page-expired error from those "SPAs".
So it is 2020, and we now also have Laravel 8: is it appropriate to use Sanctum to achieve such never-expiring SPA just by placing all routes in api.php, assuming that the SPA is in the same domain/subdomain with the Laravel app?
Btw, according to the Sanctum docs, this implies the use of API tokens for those API routes, but this kind of usage for first-party SPA is clearly not the intended use of Laravel Sanctum.
Maybe not the best way to achieve that, but if it works you'll get your job done, and I don't see the problem with doing that even if it was intended for another use.
It seems Sanctum cannot handle this case, because if the request is from the frontend, it applies session-based auth checks.
I have however proposed a possible update that can make this possible. Hopefully, it will be considered for implementation.
In the meantime, a sane workaround that does not pose any serious security threat for my use-case is to increase the session timeout.

Can I use OAuth and Auth at the same time in Laravel?

I am doing a project in which I have implemented private chat in Laravel. But for the third party, we use OAuth, but I have already used auth() in my project. Can I use both? OAuth is getting a token, then communicating with Vue.js. So, I don't want to remove the auth() functions in my project. Can you please guide me on what to do?
Real time chat system in laravel project. I'm using separate Vue.js with Laravel.
Yes. You can use both OAuth and the default Laravel Auth at the same time. By default, Laravel provides routes as web.php and api.php.
web.php: This route uses the default Laravel Auth functionality.
api.php: Routes defined here use the OAuth functionality.
Make sure you use the default driver as web in config/auth.php:
'defaults' => [
'guard' => 'web',
'passwords' => 'users',
],

Laravel 5.4: how to protect api routes

I have a React app that fetches data from a Laravel API defined like so in routes/api.php:
// this is default route provided by laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
// ItemController provides an index methods that list items with json
Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
For example, http://example.com/api/items returns the data as intended, but it's really insecure since anyone could access it through Postman.
How to make those routes only accessible inside the app?
As I'm new to it, I don't understand if I need to set up api_token and how?
Do I need to set up Passport?
Is it related to the auth:api middleware?
It may sound really basic, but any help or tutorial suggestions would be greatly appreciated.
EDIT
Ended up with a classic session auth. Moved routes inside web.php. Pass the CSRF token in the AJAX request. Actually I didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented it yet; I implemented lucadegasperi/oauth2-server-laravel for one of my Laravel projects, and that was developed in Laravel 5.1.
Here is the link to the GitHub repository:
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation: Extensive Documentation
Just add the package to the composer.json and run composer update; the package will get installed to your application. Once installed, add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation.
You have to do a small tweak in order for it to work perfectly: cut csrf from the $middleware array and paste it into the $routeMiddleware array, and again run php artisan vendor:publish. After publishing, the migrations will be created; run the migration with php artisan migrate.
If you only want to secure API routes for each client like iOS, Android and web, you can implement the Client Credentials Grant, or if you need every user to go through OAuth, you can implement an Authorization Server with the Password Grant or some other grant.
Never use the client ID or other credentials for generating the access token in the form; add it somewhere in a helper and attach it to the request to the API.
Hope this answer helps you.
You could use JWT; it's pretty easy to get it to work. You basically generate a token by requesting username/password and pass that token in every request that requires authentication; your URL would look like http://example.com/api/items?token=SOME-TOKEN. Without a proper token, the caller doesn't have access to this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests; it can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you have a look at this question.
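As an added example (not the asker's code and not any answer's), here is the shape the asker's EDIT describes: the item routes moved into routes/web.php behind the `auth` middleware, so only a browser session that has logged in can call them, with CSRF protection coming from the `web` middleware group that RouteServiceProvider applies to that file. It assumes an `App\Item` model with a `user_id` column and keeps the controller names from the question. The file markers separate the two excerpts.

```php
<?php
// --- routes/web.php (excerpt) ----------------------------------------------
use Illuminate\Support\Facades\Route;

// Everything in this group requires a logged-in session. An anonymous
// caller (Postman, a script) is redirected to the login page for GET and
// rejected for state-changing requests, so the listing is no longer public.
Route::middleware('auth')->group(function () {
    // The 'web' group already includes VerifyCsrfToken, so POST/PUT/DELETE
    // from the React app must send the token, for example as the
    // X-CSRF-TOKEN header read from
    //   <meta name="csrf-token" content="{{ csrf_token() }}">
    // in the Blade layout that boots the app.
    Route::resource('items', 'Api\ItemController', ['except' => ['create', 'edit']]);
});

// Sign-up stays reachable without a session, but it is still CSRF-protected
// because it lives in the same file.
Route::post('users', 'Api\UserController@store');

// --- app/Http/Controllers/Api/ItemController.php (excerpt) -----------------
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Item;
use Illuminate\Http\Request;

class ItemController extends Controller
{
    public function index(Request $request)
    {
        // The auth middleware guarantees a user here. Scoping the query to
        // that user (assumed user_id column) means a logged-in account still
        // cannot enumerate other accounts' items just by hitting /items.
        return response()->json(
            Item::where('user_id', $request->user()->id)->get()
        );
    }
}
```

This is the trade-off the EDIT settles on: the session cookie is the credential, so the routes are stateful and the CSRF token is mandatory, but no token has to be issued, stored or rotated. The token-based answers above are the right shape only when the API really is consumed without a browser session.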
