I am designing a custom authentication scheme (based on public keys) alongside a stateless API, and decided Passport would fulfill the need for post-authentication requests.
Assuming the authentication succeeds, and the user is authenticated, they would receive a Personal Access Token, and use the token for all further requests. The trouble I'm experiencing (still after much searching through various forums and Stack Overflow) is that when using Laravel's built in testing suite, on the createToken() method, it generates an (admittedly common) exception:
"ErrorException : Trying to get property 'id' of non-object".
I am able to manually create a user through Tinker, and create a token through Tinker. However I'm experiencing problems when attempting to automate this process after authenticating.
Here is the relevant code snippet post-authentication:
Auth::login($user);
$user = Auth::user();
$tokenResult = $user->createToken('Personal Access Token');
$token = $tokenResult->token;
$token->expires_at = Carbon::now()->addWeeks(1);
$token->save();
return response()->json([
"access_token" => $tokenResult->accessToken,
"token_type" => "Bearer",
"expires_at" => Carbon::parse(
$tokenResult->token->expires_at)->toDateTimeString()
],
200);
I've manually called Auth::login on the user, to ensure the user is logged in, and Auth::user() returns the user (not null). Upon executing the third line of code, the exception is thrown with the following mini stack-trace (I can provide a full stack-trace if requested).
laravel\passport\src\PersonalAccessTokenFactory.php:100
laravel\passport\src\PersonalAccessTokenFactory.php:71
laravel\passport\src\HasApiTokens.php:67
app\Http\Controllers\Auth\LoginController.php:97
laravel\framework\src\Illuminate\Routing\Controller.php:54
laravel\framework\src\Illuminate\Routing\ControllerDispatcher.php:45
From running this through debug a few times- even though the class is called and loaded, and it appears the Client is found through ControllerDispatcher -> Client::find(id) and found in ClientRepository, when it gets to PersonalAccessTokenFactory, the $client passed in is null (which explains why the $client->id can't be found, though I have no idea why the $client is null at this point).
protected function createRequest($client, $userId, array $scopes)
{
$secret = Passport::$hashesClientSecrets ? Passport::$personalAccessClientSecret : $client->secret;
return (new ServerRequest)->withParsedBody([
'grant_type' => 'personal_access',
'client_id' => $client->id,
...
}
Things I have done/tried with some guidance from the documentation and other posts:
Manually created a user in Tinker, and created the token through Tinker- this does work.
Ensured the user is logged in before attempting to generate token.
passport:install (and adding the --force option)
Ensured Personal Access Client is generated with passport:client --personal
Ensured the AuthServiceProvider::boot() contains the ClientID and Client Secret (in the .env).
migrate:refresh followed by passport:install --force
Complete removal of Passport, removing all files, keys, migrations, and DB entries, followed with a migrate:refresh and reinstallation of Passport, along with generating an additional personal access client (even though one is generated during passport:install).
I'm not sure where else to look/what else to try at this point, so any help or guidance would be much appreciated!
I eventually discovered the solution. The problem is multi-layered, in part having to do with outdated Laravel documentation in regards to testing and Passport Personal Access Clients.
The first part of the problem had to do with using the trait RefreshDatabase on my unit test. Since this creates a mock database with empty datasets, although the clients themselves exist in the real database and the .env file, when the test is run, the test does not see those clients as existing in the mock database. To solve this problem, you must create a client in the setup function before the test is run.
public function setUp() : void
{
parent::setUp();
$this->createClient(); //Private method->Full code below
}
This solves the issue about having a null client during testing, but starting in Laravel 7, Laravel added a requirement for Personal Access Clients that the id and the client secret has to be kept inside the .env file. When running the test, the test will see the actual client id and secret in the .env, and fail to validate these with the client that was created and stored in the mock database, returning another exception: "Client Authentication Failed".
The solution to this problem is to create a .env.testing file in your main project directory, copying your .env file contents to it and ensuring that the keys below exist with values for either your main created Personal Access Client, or copying the secret from a client generated just for testing (I would advise the latter).
PASSPORT_PERSONAL_ACCESS_CLIENT_ID=1
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=unhashed-client-secret-value
Then using the code below, make sure the $clientSecret value is the same as the key value in your .env.testing file.
private function createClient() : void
{
$clientRepository = new ClientRepository();
$client = $clientRepository->createPersonalAccessClient(
null, 'Test Personal Access Client', 'http://localhost'
);
DB::table('oauth_personal_access_clients')->insert([
'client_id' => $client->id,
'created_at' => new DateTime,
'updated_at' => new DateTime,
]);
$clientSecret = 'unhashed-client-secret-value';
$client->setSecretAttribute($clientSecret);
$client->save();
}
This will create a new client, set the attribute secret to the value in the variable and update the mock database secret to contain the same value. Hopefully this helps anyone with the same issue.
Another way to prevent copy/paste source code is to just call artisan command in the setup method.
public function setUp() {
parent::setUp();
$this->artisan('passport:install');
}
original here
Just use the facade
public function setUp() {
parent::setUp();
Artisan::call('passport:install');}
Related
I am trying to set up SSO from my Laravel 8.13 site to my related Freshdesk support portal.
What I want is for a user, who is logged into my site, then to be able to click a button and get seamlessly signed into my Freshdesk support portal so they can view the non-public documentation there and raise tickets if required.
Using Laravel Passport 10.1 I can create a token (tested using Postman) but get an error from Freshdesk when trying to authenticate.
An error occurred while attempting to retrieve the userinfo resource: could not extract response: no
suitable httpmessageconverter found for response type [java.util.map<java.lang.string,
java.lang.object>] and content type [text/html;charset=utf-8]
I have not used OAuth before and am having issues. It may of course be that my understanding of OAuth is just completely wrong but I am finding available documentation on Laravel Passport / Freshdesk OAuth connectivity hard to come by.
I have been through as many related SO questions as I have found but nothing so far seems to exactly fit my issue.
I have also got open tickets with Freshdesk and have had an online support session with a Freshdesk support member but they told me the issue was on my side and they couldn't help further.
I would have thought the client type to use was a Personal Access Client but I have tried that as well as a Password Grant Client and get the same message (as above) for both client types.
As far as the "User info URL*" field on Freshdesk goes,
I have tried
http://testsite.ngrok.io/oauth/tokens
and
http://testsite.ngrok.io/oauth/personal-access-tokens
and
http://testsite.ngrok.io/api/user
But no luck - same message regarding not finding userinfo resource as above.
If I browse directly to
http://testsite.ngrok.io/oauth/personal-access-tokens
I get the following returned:
[{"id":"e595f342722c1045e061f2f026fa7f07181b3d5c69016e9999c5640f1e65928ff6fe2621565ff666c5",
"user_id":43128,"client_id":7,"name":null,"scopes":"openid","email","profile"],"revoked":false,
"created_at":"2021-01-26 10:16:12","updated_at":"2021-01-26 10:16:12",
"expires_at":"2022-01-26T10:16:12.000000Z","client":
{"id":7,"user_id":null,"name":"freshworksPersonalAccessClient",
"provider":null,
"redirect":"https:\/\/testsite.freshworks.com\/sp\/OAUTH\/27402945223480041\/callback",
"personal_access_client":true,"password_client":false,"revoked":false,
"created_at":"2021-01-19T23:19:39.000000Z","updated_at":"2021-01-19T23:19:39.000000Z"}}]
so something is returned but I am not sure if that is in any way near what Freshdesk is looking for. The support documentation for Freshdesk states :
But I do not know where to create that info or in what format it needs to be sent to Freshdesk.
I have looked at this question and believe that (even though it is for older versions) there might be something in the code for "getUserEntityByUserCredentials" in the UserRepository.php file but I have put logger calls in that function and it doesn't seem to be called.
Any assistance would be absolutely great. If any further information is required please let me know.
Although I would prefer to keep it within the Laravel ecosystem, I am also open to any other way to set up SSO to Freshdesk without using a third party Identity Provider like ADFS, OneLogin, Okta, Azure and suchlike. I just need to get this done.
Solved it. Basically my issue was the format and content returned by the User info URL.
I set up a route for
/userinfo
to a function in a TestController. In that function I decoded the Bearer token to get the user_id and then used that to retrieve the user details.
Then I created an array and response as below:
$thisDecodedUser = User::query()->findOrFail($thisDecodedUserId);
if ($thisDecodedUser) {
$thisDecodedUserFirstName = $thisDecodedUser->first_name;
$thisDecodedUserLastName = $thisDecodedUser->last_name;
$thisDecodedUserEmail = $thisDecodedUser->email;
}
$user_info = array();
$user_info['sub'] = "$thisDecodedUserId";
$user_info['id'] = "$thisDecodedUserId";
$user_info['email'] = "$thisDecodedUserEmail";
$user_info['.id'] = "$thisDecodedUserId";
$user_info['.email'] = "$thisDecodedUserEmail";
$user_info['email_verified'] = "true";
return response(json_encode($user_info))
->withHeaders([
'Content-Type' => 'application/json',
]);
The code needs refactoring but at least it works for now.
Thank you for pointing me in the right direction in this answer : https://stackoverflow.com/a/65929987/920598
Even if the array you use contains unused keys.
Actually, the available fields and their format are described here https://support.freshdesk.com/en/support/solutions/articles/50000002088-configuring-custom-sso-policies-under-org
For example, if you want to sync the firstname, the lastname and the language, here's the keys you need to set :
<?php
$user_info = [
'sub' => (string)$user->id,
'unique_id' => (string)$user->id,
'email' => $user->email,
'FirstName' => (string)$user->firstname,
'LastName' => (string)$user->lastname,
'language' => $user->default_ln === 1 ? 'fr' : 'en'
];
I removed the database connection information from the env file and database.php file.
And I set the database dynamically with each request from the client.
I do this in main middleware
$origin = $request->header('Origin');
\Config::set(['database.default' => 'mysql']);
\Config::set(['database.connections.mysql.host' => '127.0.0.1']);
\Config::set(['database.connections.mysql.database' => $origin]);
\Config::set(['database.connections.mysql.username' => 'root']);
\Config::set(['database.connections.mysql.port' => '3306']);
I have no problem with the login and the token is created. But in other actions, I get a 401 error
In fact, the passport calls the connection information to the database from the env file or database.php. But we want to do this through middleware, or we can set the database information for it before checking auth: api.
By default, Passport access default DB. If you would like to use dynamic database add below code in the boot method of your app/Providers/AppServiceProvider.php:
public function boot()
{
Config::set('database.connections.pgsql.database', 'newdatabase');
DB::purge('pgsql');
DB::reconnect('pgsql');
}
I implemented the email verification that Laravel offers out of the box but currently have an issue when one click on the verification link sent on email. It brings the error: Data Missing
This error is throw by Carbon at the point when the column email_verified_at is being updated, and this was only on the SQLSRV implementation. I switched to a test MySQL database and this worked, although I need it to work with SQLSRV. I have not checked to see if any other database implementation encounters this problem.
Add it into app\Http\Controller\Auth\VerificationController.php
protected function getDateFormat()
{
return 'Y-m-d H:i:s';
}
I'm writing an app at the moment which makes use of web-sockets and therefore needs to keep track of its users somehow.
I don't really want my users to register. Before using the app they should choose a name and will get a JWT-Token for it. I don't want to save anything in a database. As these names can be non-unique I will probaply add an Id.
I'm trying to use tymon/jwt-auth": "^1.0.0-rc.3.
public function login()
{
$token = auth()->tokenById(1234));
return $this->respondWithToken($token);
}
For some reason the tokenById-Function seems to not be available.
Postman says: BadMethodCallException: Method Illuminate\Auth\SessionGuard::tokenById does not exist.
In my case i have clear the cache. Then its working fine
I implemented email verification in a Laravel 5.7 project I'm working on. I get the email, but whenever I click on the confirm button or even the url provided in the email, I get a 403 forbidden error.
I have searched for several solutions, but haven't been able to find one to this problem. The only reasonable pointers to this error is this github issue https://github.com/laravel/framework/issues/25716 which has been merged and closed by Taylor Otwell by still this problem persists.
Here's the email I get:
Here's the error it throws when I click on the button or the actionUrl at the email footer: and here's the url shown when the 403 page is displayed https://www.mywebsite.com/email/verify/1?expires=1540140119&signature=fd7dc72b05da6f387b2f52a27bceee533b2256436f211930c1319c7a544067da
Please help me. Thank you
Edits: This problem occurs only in production app. On local, this email verification works but throws 403 on production(live) server. My email service is mailgun, and I can access every other email contents relating to the app except completing email verification.
I need help please. Thanks in anticipation
One of the reasons that was in my case can be that you are already logged in with a normal verified user, and you have clicked on the verification email link. In that case it will shoot 403 . Which is not normal in my opinion, but whatever.
For me because manually create verification route. which in laravel 6.x or 7.x The route path for verifying emails has changed. from /email/verify/{id} to /email/verify/{id}/{hash} This probably only happens because I use the rules manually, and not Auth::routes(['verify' => true])
for more information laravel upgrade guide upgrade#email-verification-route-change
This typically occurs if your application is running behind some proxies and probably doesn't handle SSL termination itself.
The solution is to add
protected $proxies = '*';
to the TrustProxies middleware.
Reference: https://laracasts.com/discuss/channels/laravel/hitting-403-page-when-clicking-verify-link-in-email-using-new-laravel-verification-57?page=1
Turns out, this often happens when you have your laravel app running behind a proxy (apache, nginx etc.) We therefore end up replacing laravel's default 'signed' middleware with our own middleware that checks for https:// links. This StackOverFlow answer here was able to fix this problem for me:
Signed route for email verification does not pass signature validation
To use Laravel email verification you must first add the proper routes.
If you take a look at Illuminate/Routing/Router.php you'll see that by default the verify route is disabled.
if($options['verify'] ?? false)
{
$this->emailVerification();
}
To enable your verification routes add the following to your web.php
Auth::routes(['verify'=>true]);
Then run
php artisan route:list
to make sure that it's working.
Check the verify method inside the VerifiesEmails trait,
there they have:
if (! hash_equals((string) $request->route('hash'), sha1($request->user()->getEmailForVerification()))) {
throw new AuthorizationException;
}
I have dumped this variable $request->route('hash') and it was null, so I overrided it in the VerificationController:
/**
* Mark the authenticated user's email address as verified.
*
* #param \Illuminate\Http\Request $request
* #return \Illuminate\Http\Response
* #throws \Illuminate\Auth\Access\AuthorizationException
*/
public function verify(Request $request)
{
if (! hash_equals((string) $request->route('id'), (string) $request->user()->getKey())) {
throw new AuthorizationException;
}
if (! hash_equals((string) $request->query('hash'), sha1($request->user()->getEmailForVerification()))) {
throw new AuthorizationException;
}
if ($request->user()->hasVerifiedEmail()) {
return redirect($this->redirectPath());
}
if ($request->user()->markEmailAsVerified()) {
event(new Verified($request->user()));
}
return redirect($this->redirectPath())->with('verified', true);
}
And now it works!
The problem for me was my APP_URL had a protocol of http and when I clicked on the verification link NGINX automatically redirected the url from http to https that's why the signature validation failed. I updated the APP_URL to have a protocol of https and that resolved my problem.
My personal experience with this problem was that I set MAIL_DRIVER to log in the .env file, and Laravel escaped special characters (such as &) when it stored the activation link in the log.
So NEVER use the log for MAIL_DRIVER when you have verification email.
(my Laravel version was 5.8).