Together with #spawnia and #lorado we are creating some examples for Laravel Lighthouse and we have some different opinions on sanctum role-based security practices.
Can you please review my following statement and tell me if I am wrong on what is the best way to move forward.
My idea:
Now for the tricky part, once I create a login mutation, I need to verify that the user has the corresponding role and generate a token ability based on that check, also when the app goes offline or enters PWA mode.
I need to revoke any tokens with:
create
delete
update
I couldn't find in the docs any solutions to this problem, that is a real-world necessity.
I can only leave the show and index abilities active.
What I am thinking:
Create a custom arg resolver for the mutation somehow bring the middleware and generate a token based on roles
Bad idea: To store the role within the token.
Thanks for any insight into this.
Aren't those tokens cryptographically signed in order to be tamper-proof?
Related
I am new to laravel and creating a REST API. The client of the API will be mobile app only. There is no front end view to be shown in browser. I have created the routes and the controllers to handle API requests. Furthermore I deleted the Users table (created by laravel) because I do not need an Web interface etc.
I just want simple token based authentication at this stage ( I am aware there is passport authentication) but I can not even understand that at this stage.
There is only one table in the project.
Candidates
(id (PK), name, phone, details)
mobile app users are candidates also, should I create a token column in this table ? and manually create token at the time of register API and return it back as response ?
Please any simple guide or directions will help, I have search quite a bit online and there seems to be quite a lot many topics that show up such as guards, providers, passport which I am struggling to get.
Thanks,
Elliot.
First of all, you didn’t need to delete the users table. You can use it for api auth too. You just need to create a seperate token table.
However, if you want to implementit manually you need to do a lot of things manually.
This is a huge thing to impelement manually and it's not possible to describe it in a single answer. I will try my best to explain it as simply as I can.
You have to create a authentication system yourself that is for login. Define a middleware to check the authorization of the token sent from client to check the validity of every request (this is the guard part).
Also keep track of the token expiry time. Refreshing the token after each expiry needs to be done too (this is the provider part).
Now there are a lot things inside. Like keeping track of the device the request is coming from, providing different tokens for differenet devices for a single user etc.
If you are into learning how everything works then you can try to build one yourself. But if you plan on deploying it to a professional website, I would suggest try to get accustomed with passport. Reinventing the wheel is really not necessary. I hope it gives you a basic idea. If you have any more questions feel free to comment.
I start building a new app and wonder what will be the best way to implement auth - security wise.
What are the cons, pros, and differences between the Laravel make:auth and using jwt-auth.
Is Laravel's default auth will be enough?
This description is pragmatic approach so you can do something else if you want.
I think while developing an API you should use JWT based authentication mechanism.
The Json Web Token(JWT) tokens includes user information in itself. So it giving so much important benefit to manage session. First and most important of the benefits is you can be manage sessions without storing them at server. I would like to explaint it just to avoid misunderstanding, you can have store it at server but it's not necessary except a few scenario. These scenarios depend on how you could designed your authentication.
I able to do a lot of more explains about of it but in summary if you are developing an API I propose you would use JWT-Token.
I am developing a web system in php using the laravel framework, I arrived at the part of authentication of users, where it is not allowed the type of user x access to page y. What is the best way to do this with laravel? I thought about creating a session and saving the id of the user, so every time he accesses a certain controller I check if he has access to the id or not. so I had some doubts.
Is this a good way to perform this authentication?
Is this really safe?
is there any way for the client to change my session?
What would be a better method for authenticating user access?
Laravel provides a very good authentication system out of the box. Even though Hacking is inevitable it provides very good protection and since Laravel is pretty popular framework you don't have to worry about the security part. if there is any security bug, patches will be available almost immediately.
And your second concern can a client can change the session ? the answer is NO, if you code it properly. session resides in the server unlike cookies, so there is no direct way for a user to change the session. if you follow good coding practices you are good to go.
And how do you limit userA from accessing pageB. This is a pretty common feature needed in almost all the applications. As of now Laravel does not provide an out of the box solution for this. but this is pretty simple, you can add a role column to the users table, and check whether user have appropriate permission in each page. Laravel keeps the user object in the session, and it is avilable via the auth() helper or Auth Facade. if you want a little sophisticated solution there is a package out there [entrust][1]. it seems a good choice.
You may want to read about
Authorization
Csrf Protection
Authentication
I hope I have addressed all your concerns
Laravel provides a simple way to authorize action thats purpose built for what you need:
https://laravel.com/docs/5.5/authorization
I am trying to figure out how to handle the Password Grant Tokens in Passport package. Should i store the client_id and client_secret in .env file or fetch the values direct from the database while requesting for a the token?
It depends on what you are finally trying to achieve.
Passport tokens are always stored in DB, and this is the right place to retrieve them (unless you are optimizing your production app, to gain less db load).
So, if you want to build an api endpoint, you can safely store PASSPORT_CLIENT_ID in your .env.
And then, in your controller, you can easily retrieve all data that you may need.
How to do it? Please read my post, on how you can embed this in your laravel controller.
Passport is built on top of oauth2 server which has loads of features.
Most likely you won't need them all, so you can stick to the basic jwt authorization as in this case.
This approach would enable you to test your code against different CI environments, while not sharing any specific keys/tokens in your VCS, which is definitely a good practice.
Final note... Passport makes packages like dingo, tymon jwt, etc.. useless, cause it has almost everything packed in, and what really important is, this is the official Laravel package.
While you certainly can store the values inside your .env file, you should think these tokens as secrets you grant to other developers who want to use your API. What if everyday 50 developers want to register to use your API, will you add them by hand to your .env file? If it's only you / your company this kan be "ok", but I would store them in the database for scalability.
I'm working on a web application that uses the ASP.NET 2.0 Membership and Roles providers with Forms Authentication. There are various roles in the system. I need to have a user role that is essentially a super-user that can "login" as any user account (in effect impersonating the user).
Does anyone know if this is possible using the providers? Any ideas?
One approach I was thinking of was to logout the super-user and sign them in as the desired user with
FormsAuthentication.SetAuthCookie(username, false);
And adding a variable to their Session to flag them as a super-user. I think this would work, but I was just wondering if there's a smarter way to do it without directly using the Session object?
Asp.net approach doesn't support the concept, so you are right on trying to find an alternate way.
Something that you can do is add the IsSuperUser info to the authentication ticket UserData property.
Why don't you have a SuperUser role that can do anything? Then the user can be just part of that role.
If what you really need to have is an ability for an administrator to impersonate someone else, I don't know what is the additional flag for? If it marks the currently logged in user giving him super powers the same will be achieved by setting up a role. If you, however, need to just impersonate someone else (e.g. this is help desk and you need to see exactly the same as the end user sees) - I would just check the credentials normally, then check if a superuser is logging in and who they want to impersonate and based on that just authenticate the logging in user as the one that he's willing to impersonate.
I hope what I wrote makes sense...
Here is what I would do. Sorry no graphics, on ipad here in bed...
1) use claims based architecture. Its easy to implement, see my project.
2) essentially impersonated user will have a second identity on the claims principal object, but will have different realm (realm may be wrong word, the string you use to create the identity)
3) You can construct the identity of the impersonated user and manually build their claims.... They should get written to the token immediately. I would look at a generic Claims Transformer class to do this.
4) You may need to adjust the way the site behaves, based on the presence of a impersonated identity, but thats the fun part.
Working WIF implementation
https://github.com/wcpro/scaffr-generated