Inject 2FA into Laravel Authentication - laravel

I'm working on adding Google 2FA to my Laravel 5.5 app that is using the Laravel generated authentication methods.
I have the 2FA portions figured out, but I cannot for the life of me find where to inject the code to add the 2FA check to the login process.
I have already modified the form to show the 2FA field on the login form, but where do I put that check? I see the options to add it as middleware and apply that to certain pages, but I don't want to require 2FA on multiple pages, just on login.
I did finally find the controller file that handles authentication (vendor\laravel\framework\src\Illuminate\Foundation\Auth\AuthenticatesUsers.php), but I don't see anywhere in there that I could add the 2FA check (obviously I would overwrite the method in my own file, not modify the vendor file).
Any help would be greatly appreciated.
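One place the check can live in Laravel 5.5, shown as an added example that is not part of the original post: override `validateLogin()` and `attemptLogin()` from the `AuthenticatesUsers` trait in `app/Http/Controllers/Auth/LoginController.php`, so the session is only created after both the password and the one-time code verify. It assumes the `pragmarx/google2fa` package, a `one_time_password` form field and a nullable `google2fa_secret` column on the users table; none of these names come from the question.

```php
<?php
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use PragmaRX\Google2FA\Google2FA; // assumed TOTP library

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/home';

    // Same rules as the trait's validateLogin(), plus the optional code field.
    protected function validateLogin(Request $request)
    {
        $this->validate($request, [
            $this->username() => 'required|string',
            'password' => 'required|string',
            'one_time_password' => 'nullable|digits:6', // assumed field name
        ]);
    }

    // Replaces the trait's guard()->attempt() so nothing is written to the
    // session until both the password and the TOTP code have been verified.
    protected function attemptLogin(Request $request)
    {
        $provider = $this->guard()->getProvider();
        $credentials = $this->credentials($request);
        $user = $provider->retrieveByCredentials($credentials);

        if (! $user || ! $provider->validateCredentials($user, $credentials)) {
            return false;
        }
        // google2fa_secret is an assumed column; null means the user is not enrolled.
        if ($user->google2fa_secret !== null) {
            $code = (string) $request->input('one_time_password');
            if ($code === '' || ! (new Google2FA)->verifyKey($user->google2fa_secret, $code)) {
                // Returning false reuses the trait's generic failure message and
                // counts the attempt toward the ThrottlesLogins lockout.
                return false;
            }
        }
        $this->guard()->login($user, $request->filled('remember'));
        return true;
    }
}
```

Because a wrong code and a wrong password produce the same response, the form does not reveal which factor failed.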

Related

Laravel Passport Oauth Customize page / auto redirect

Hi, I would like to ask about the Laravel Passport OAuth confirmation page.
This is the page where we are asked for authorization. I would like to customize this page, or, if possible, skip it and always authorize, since the requestor will just be an internal application.
I tried to google this but had no luck. Is that possible? If so, please tell me how; any link will be greatly appreciated.
If you want to change the UI you can actually export the view and edit it
https://laravel.com/docs/5.5/passport#requesting-tokens
For the auto redirection, actually it can be done using laravel passport version ^7.30
Code:
https://github.com/laravel/passport/pull/1022
Documentation:
https://github.com/laravel/docs/pull/5226
But since I was using a Laravel version that doesn't support Passport ^7.30, I needed to create the override.
Reference:
https://github.com/laravel/passport/issues/243
What I did was copy this snippet:
https://paste.laravel.io/6LN6q
creating a new class extending the Passport AuthorizationController and overriding the authorize function only.

Authentication (and Authorization) in an app that's not fully a SPA - Laravel Passport

Hi, I'm building an app with Laravel and vue.js. This app is not a fully single page application but is a combination of vue and blade.
For example, the dashboard or login page and some other pages are SPA-based and are fully implemented with vue. But the landing page and some other pages have been created by blades that may have used vue components in some of them.
My question is about authentication in such cases. Is laravel passport appropriate for such cases? Or should I use jwt or something else? Because I need authentication on both types of pages (Vue-based, Blade-based). And it's done on almost every page.
On the other hand, I used laravel-permission - Spatie to control permissions and roles. Is it possible for passports to define roles and permissions and control based on them? I mean displaying or hiding elements and links, accessing certain sections, or doing some work with permissions checking.
What resources do you offer to start learning how to develop authentication and authorization in such apps?
Edit:
Maybe there was some ambiguity in my question, so I'll explain a little more. Suppose our website has three parts:
The first part that includes landing page, display of a post, display of all posts and more. This section is implemented by blade and may also use vue components.
The second part is the user profile page of the site where users can edit their own information, view their posts and edit them, view registered comments and more. This section is SPA and is fully implemented with Vue and only logged in users can see it.
The third part is the admin dashboard page, which is needed to manage different sections, apply settings and more. This section is also SPA and fully implemented with Vue. In this section, only users with the Administrator role are allowed, and each one can perform certain tasks based on the permissions given to them. This means, it must be checked whether the user is allowed to see a section or perform a specific task, or not.
Routing is also performed by vue on the user profile and admin dashboard pages, and actions are performed by axios and sending requests to apis written in laravel. And all three parts are in the same application.
So the question is, how should Authentication and Authorization be done in this scenario? Is laravel-passport appropriate for this task? Is it possible to do both in laravel-passport? For example, Authorization is going to be done in the front-end section by vue, how should this be done? Is it possible to combine laravel-passport and laravel-permission - Spatie? Or do we need it at all? Perhaps the more general question: Is this scenario reasonable?
You can use the intermediate approach, blade login/register and the Laravel passport middleware https://laravel.com/docs/6.x/passport#consuming-your-api-with-javascript.
This Passport middleware will attach a laravel_token cookie to your outgoing responses. This cookie contains an encrypted JWT that Passport will use to authenticate API requests from your JavaScript application. Now, you may make requests to your application's API without explicitly passing an access token
Spatie permission is great for managing permissions and roles. You can protect your api routes with middleware or checks in your controller.
You're making it too complicated. If you are calling your vue components in a blade file you don't need passport at all, but if your front end is separate from the back end then you need to use passport because you don't have access to the session...
On the other hand, I used laravel-permission - Spatie to control permissions and roles. Is it possible for passports to define roles and permissions and control based on them?
Passport doesn't care what kinda permission and role system you want to use; you can use anything that you want.

Login automatically after registration using tank_auth for codeigniter

After reading a lot of answers here on what is the best authentication out there for codeigniter, I decided to use tank_auth.
It seems to be the best authentication for codeigniter.
However, I have a few questions regarding how I can integrate it successfully on my site. I am currently building a hotel reservation system, so some functionality of tank_auth needs to be modified to suit my needs.
So how can I, after registration, log the user in automatically without requiring him/her to activate his/her account? Is there a configuration to disable the "activation process"? If yes, where can I find it? If no, is it a big modification to the code if I remove the activation process?
On the auth.php code I tried to comment the following code to remove the activation process but seems it does not work:
} elseif ($this->tank_auth->is_logged_in(FALSE)) { // logged in, not activated
redirect('/auth/send_again/');
That code only works when the user account exists but is not activated. It then resends an activation email...
Look at the register part of the library and set the login session parameters to be true, i.e. the parameters that set login to be true, and then direct to the protected area!

DotNetNuke: load data in session at login time

I'm using DNN 5. When a user logs in, I want to load some data into the session. Where should I add my code? Should I intervene into the login.aspx's code behind?
The solution seems to be writing a custom authentication provider.
One option would be to set the page the users sees upon login and add a custom module to that page. That would get you out of writing an authentication provider.

Want to allow Joomla Super Admin to log into other registered accounts - how to do it?

We've created a highly customized Joomla 1.5 based site and want our super administrator to be able to log into registered user accounts so we can provide better phone support and help them configure their accounts remotely.
This will obviously take some coding. Ideally we want a link from the admin side that will take us to the front end and automatically log us in as the registered user. We'll lock it down by IP address and also have some sort of password as well.
Where does the login get processed? It looks like /components/com_user/controller.php calls a function called $mainframe -> login(); Where does that function reside?
Our thought is to send a mock login form along with an additional super-user password field. Then we'll modify the login code to authorize the login if the password is present and the IP address is correct.
Any words of wisdom or caution with this approach?
There is actually a plugin that will do just this:
http://extensions.joomla.org/extensions/access-a-security/authentication/4806
You'll want to build an authentication plugin to handle this. You can enable as many authentication plugins as you like (the core plugin, OpenID, your own plugin, etc...). Joomla will run down the list of enabled plugins until one of them sets the status variable of the $response object to JAUTHENTICATE_STATUS_SUCCESS. The $response object gets passed in to your plugin's onAuthenticate method. Take a look at plugins/authentication/example.php for a clear example. You will probably end up cloning plugins/authentication/joomla.php and repurposing it for your needs.
I would publish your custom plugin after the core Joomla authentication plugin so that normal users will be able to log in faster.
Also, if you do want to go with a form as well, you will need to build a small component so that you can get the username and super-user password into the request.
