I want to know how can I force user to re-enter his password on certain route action?
Let say if user wants to edit product before save process happens he has to input his password and if it was correct then saving is allowed.
Is there any default middleware for password in laravel 7? or should i make myself?
What do you suggest?
Update
I've found this but it's only work on web routes, i need same thing to work on API routes.
Problem with this middleware is that it except sessions which is only available on web middlewares. I tried to add \Illuminate\Session\Middleware\StartSession::class, into api middleware but still getting this error
RuntimeException: Session store not set on request.
Why not just rewrite shouldConfirmPassword() method?
Session is only used to check when was the password confirmed at. If you are requiring password confirmation every time, just rewrite the method to return true:
/**
* Determine if the confirmation timeout has expired.
*
* #param \Illuminate\Http\Request $request
* #return bool
*/
protected function shouldConfirmPassword($request)
{
return true;
//$confirmedAt = time() - $request->session()->get('auth.password_confirmed_at', 0);
//return $confirmedAt > config('auth.password_timeout', 10800);
}
For those who stumble on this, the solution is setting config('password_timeout') to 1 i.e 1 second.
'password_timeout' => 1,
You might think that setting it to 0 should work but it doesn't and that's because of this line in the constructor of the Illuminate\Auth\Middleware\RequirePassword class
$this->passwordTimeout = $passwordTimeout ?: 10800;
which defaults $this->passwordTimeout to 3 hours when config('password_timeout') is not set (null) or 0.
The RequirePassword middleware is being bound to the application container in the registerRequirePassword method of the Illuminate\Auth\AuthServiceProvider class
Related
I'm having a problem related to 429 TOO MANY REQUESTS. I have used Laravel fortify and my web route is like
Route::get('/', function () {
return view('welcome');
});
Route::get('/dashboard','DashboardController#dashboardView')
->name('dashboard')->middleware('auth');
The problem is coming intermittently, after successful login I redirected to dashboard if immediately I hit logout and instantly try to log-in it is giving 429 TOO MANY REQUESTS and in the address bar the URL is http://127.0.0.1:8000/login. Now if I wait there for a sec and refresh the page it redirects to the dashboard page.
I have searched the web, everyone is saying about throttle and I'm not seeing this as the solution. Please help me.
Thanks.
I stumbled upon the same problem today and did some debugging. When registering the /login route, Fortify applies the Illuminate\Routing\Middleware\ThrottleRequests:login middleware to it. This means, for every request to that route, the ThrottleRequests middleware will call the RateLimiter instance for that specified key. Apparently, Fortify doesn't register a RateLimiter for the login key.
Due to the missing key in the $limiters property of the RateLimiter instance, the ThrottleRequests middleware uses its default fallback, which doesn't handle the edge case "there SHOULD be a rate limiter for that key, but there isn't." really well. The $maxAttempts variable is set to 0 and will result in flaky rate limiting behaviour.
I feel like this is a bug in Fortify, because rate limiting is also happening in the \Laravel\Fortify\Actions\EnsureLoginIsNotThrottled action, which is invoked in the \Laravel\Fortify\Http\Controllers\AuthenticatedSessionController controller. I didn't check this on a fresh Laravel installation, though, so I don't want to jump to conclusions here.
Anyway, long story short: As a workaround, you can simply register a rate limiter for the "login" key in some of your providers, e. g. AppServiceProvider or AuthServiceProvider:
public function boot()
{
RateLimiter::for("login", function () {
Limit::perMinute(5);
});
}
Edit:
I just realized that the rate limiter for the "login" key is indeed provided by Fortify within the FortifyServiceProvider class. If you happen to have a problem similar to the one discussed above, make sure that you added the FortifyServiceProvider class to your providers array in the config/app.php.
I tried everything including the Best Answer but it just didn't work.
Therefore, not even changing the RateLimiter in the FortifyServiceProvider class.
I'd try to log in and get a 429 error after just one login attempt.
Here what was the issue for me, it was the the config/fortify.php file.
I had to change:
/*
|--------------------------------------------------------------------------
| Rate Limiting
|--------------------------------------------------------------------------
|
| By default, Fortify will throttle logins to five requests per minute for
| every email and IP address combination. However, if you would like to
| specify a custom rate limiter to call then you may specify it here.
|
*/
'limiters' => [
'login' => 'login',
'two-factor' => 'two-factor',
],
to
/*
|--------------------------------------------------------------------------
| Rate Limiting
|--------------------------------------------------------------------------
|
| By default, Fortify will throttle logins to five requests per minute for
| every email and IP address combination. However, if you would like to
| specify a custom rate limiter to call then you may specify it here.
|
*/
'limiters' => [
'login' => 5,
'two-factor' => 5,
],
And funny enough the problem is inherent in the Fortify package itself when you run:
php artisan vendor:publish --provider="Laravel\Fortify\FortifyServiceProvider" as per their documentation instructions.
This fundamental reason being that code within vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php is not able to correctly parse the limit:
/**
* Resolve the number of attempts if the user is authenticated or not.
*
* #param \Illuminate\Http\Request $request
* #param int|string $maxAttempts
* #return int
*/
protected function resolveMaxAttempts($request, $maxAttempts)
{
if (Str::contains($maxAttempts, '|')) {
$maxAttempts = explode('|', $maxAttempts, 2)[$request->user() ? 1 : 0];
}
if (! is_numeric($maxAttempts) && $request->user()) {
$maxAttempts = $request->user()->{$maxAttempts};
}
return (int) $maxAttempts;
}
, which means, 'login' is just parsed as 0 and that's what it returns.
Now I don't have to run php artisan cache:clear just to test.
go to
app/http/kernel.php
and remove from routeMiddleware list the line
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
Just run
php artisan cache:clear
I'd like to customize the forgotten password form in Laravel.
When asking to reset the password, the user will have to answer a simple question (the name your first pet, the name of your childhood best friend, etc) besides inserting his/her email. This is to avoid other people asking password reset if they know the account's email, but are not the owner of the account.
I also would like to custom the errors messages to, actually, not show errors. For example, if an invalid email is inserted, it would not show the error message "We can't find a user with that e-mail address." I don't like it because someone may guess the email of a user by trying different emails until she/he stops getting the error message. Instead, I would like to show the message "If the information provided is correct, you will receive an email with the link to reset your password."
How to add these functionalities to Laravel auth?
I am looking for a solution that I don't have to create an entire login system from scratch (I think that if I try to design everything from scratch I'd probably miss something and create security vulnerabilities). I'd like to keep the Laravel auth system and just add these two features.
Feel free to suggest other ways to achieve the desired result and to make my question clearer. I'll appreciate that.
The good news is you don't need to rewrite everything.
The bad news is, you need to understand traits and how to extend/override them, which can be a little confusing.
The default controller that Laravel creates ForgotPasswordController doesn't do much. Everything it does is in the trait. The trait SendsPasswordResetEmails contains a few methods, most importantly for the validation in validateEmail method.
You can override this validateEmail method with one that checks for an answered question. You override traits by altering the 'use' statement.
For example change;
use SendsPasswordResetEmails
to:
use SendsPasswordResetEmails {
validateEmail as originValidateEmail
}
This will tell the code to re-name the original method validateEmail to originValidateEmail allowing you to create a new validateEmail in your own ForgotPasswordController.
You can then, inside ForgotPasswordController add a replacement which will be called by the default reset password code:
protected function validateEmail(Request $request)
{
// add in your own validation rules, etc.
$request->validate(['email' => 'required|email', 'questionfield' => 'required']);
}
To alter the error message, you can simply edit the language file found in resources/lang/en/passwords.php
Hope that helps.
Thanks to the user #Darryl E. Clarke, I managed to solve the problem. Here is what I did:
Add this line at the top of the file ForgotPasswordController, after namespace:
use App\User;
Add these 3 methods in the same file:
/**
* Send a reset link to the given user.
*
* #param \Illuminate\Http\Request $request
* #return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
*/
public function sendResetLinkEmail(Request $request)
{
$this->validateRequest($request);
// We will send the password reset link to this user. Regardless if that
// worked, we will send the same response. We won't display error messages
// That is because we do not want people guessing the users' email. If we
// send an error message telling that the email is wrong, then a malicious
// person may guess a user' email by trying until he/she stops getting that
// error message.
$user = User::whereEmail($request->email)->first();
if ($user == null) {
return $this->sendResponse();
}
if ($user->secrete_question != $request->secrete_question) {
return $this->sendResponse();
}
$this->broker()->sendResetLink(
$this->credentials($request)
);
return $this->sendResponse();
}
/**
* Validate the given request.
*
* #param \Illuminate\Http\Request $request
* #return void
*/
protected function validateRequest(Request $request)
{
$request->validate(['email' => 'required|email', 'secrete_question' => 'required|string']);
}
/**
* Get the response for a password reset link.
*
* #return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
*/
protected function sendResponse()
{
$response = 'If the information provided is correct, you will receive an email with a link to reset your password.';
return back()->with('status', $response);
}
Customize it the way you want.
Hope that it will helps others!!
I am creating a Laravel (v5.4) app in which a user can create several 'organisations' and each organisation can have several 'projects'. But at any given time, the user will be working on one organisation only. The user can select the current working organisation by selecting from the list of organisations displayed in the top-menu along with the user`s name. Now, I want that when a project create page is displayed, rather than providing a dropdown to select the organisation, the system should know the selected organisation and create the project under this organisation only. There are many other things to be created like, surveys, tasks etc. and the system must select the default organisation instead of getting it from a dropdown list.
Till now, I have tried to accomplish it by setting the 'organisation_id' in session and retrieving it from session on all the create forms but I was wondering if there is any better way of achieving this?
The session is a very appropriate place to store this information. You could add a layer using a middleware to check that the organization_id is stored in session between requests and also as a security against user's somehow accessing organizations they don't belong to by checking that the user's id does belong to it. For example:
class CanAccessOrganization
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (!session('organization_id')) {
// default to the user's first organization.
session(['organization_id', Auth::user()->organizations->first()->id]);
} else {
// does this user belong to the organization?
$organization = Organization::find(session('organization_id'));
if (!in_array($organization->id, Auth::user()->organizations->pluck('id')->all()) {
// unauthorized! stop the request
abort(403);
}
// set (or reset) the session
session(['organization_id', $organization->id]);
}
return $next($request);
}
}
I have successfully implemented the onUserAuthenticate event to implement my custom authentication API inside the Joomla! site that I am working on.
Now I want to also have some custom code run on the onUserLogout event.
I have added the following code to the custom authentication plugin file.
But this method is not getting fired/invoked while the previous one(onUserAuthenticate) is working just fine.
/**
* Method to handle the SSO logout
*
* #param array $user Holds the user data.
* #param array $options Array holding options (client, ...).
*
* #return boolean Always returns true.
*
* #since 1.6
*/
public function onUserLogout($user, $options = array()) {
if (JFactory::getApplication()->isSite()) {
// Set the cookie to expired date.
setcookie('customAuth', '123', time() - (60 * 60 * 24 * 365), '/', '.customdomain.org');
}
return true;
}
Okay so I was getting it all wrong.
So I was adding the aforementioned method inside the same plugin file that handled the onUserAuthenticate.
For Joomla! the login is a separate process which has its respective events like onUserAuthenticate.
But it seems like the event onUserLogout has to be inside the plugin with the type of user.
So I created a separate plugin inside the user plugin type directory, installed it, and enabled it....And voila!! it worked.
This had me scratching my head for quite a while.
I would like to integrate Socialite in a Laravel based CMS and I try to figure out how would I initiate Socialite to send requests if client_id and client secret are saved in database?
from the docs basic usage
return Socialize::with('github')->redirect();
and credentials are saved in config/services.php
/**
* Create an instance of the specified driver.
*
* #return \Laravel\Socialite\Two\AbstractProvider
*/
protected function createGithubDriver()
{
$config = $this->app['config']['services.github'];
return $this->buildProvider(
'Laravel\Socialite\Two\GithubProvider', $config
);
}
I would like to define $this->app['config'] on Factory calling
can you not just create a middleware class, apply it to the relevant route then just set the Config using:
$v = Auth::user()->github // or however you work it out, not sure how you've got it stored
Config::set('services.github', $v);
Setting config like this sets it for the current request only