Acessing auth user attribute - laravel

I am in the guzzle controller making a request to an external api.
I wanna use an id from the user who is logged in.
I have been doing the request with a static id, but now i want it dynamically.
I tried like this:
$science = Auth::user()->science_id;
$client = new Client(['headers' => ['Accept' => 'application/json']]);
$request = $client->get(
'https://url_to_the_api/'.$science.'/degree',
[
'auth' => ['client', 'secret'],
]
);
$data = $request->getBody()->getContents();
return $data;
And i have the error
500(internal server error)
and this message:
"Trying to get property 'science_id' of non-object"
What am i missing?
Thanks for your time

If you are using it in web app then make sure you first check if user is already authenticated by using auth middleware or manually by using Auth::check() function.
Or
If you are trying to hit this by api that will not work here because session will not be maintained in that case. That's why JWT tokens were introduced to maintain the state of an application.

I've solved it like this:
$science = auth('api')->user()->science_id;
Thanks for the help!

Related

Laravel HTTP tests and request attributes

On my app I add attributes to the HTTP request so I can use it later. My app is a multi domain app (.co.uk, .dk, .de). I findout the domain in the RouteServiceProvider and add the detected language to the HTTP request so I can load the data according to the language and some other things.
I findout and add the website directly in the RouteServiceProvider:
$website = Website::where('domain', '=', request()->getHttpHost())->first();
request()->attributes->add(['website' => $website]);
Then in my controller or anywere else I just have to query the request
if (!$request->attributes->has('website')) {
\Log::error('Abort HTTP request: invalid website: ' . request()->getHttpHost());
abort('500');
}
$language = $request->attributes->get('website')->language();
When testing my app the code execute normally (website is found in the RouteServiceProvider) but then it break in the controller:
testing.ERROR: Abort HTTP request: invalid website
When looking at the attribute, the data are empty in controller but not in the RouteServiceProvider:
dump($request->attributes); // in RouteServiceProvider.php
Symfony\Component\HttpFoundation\ParameterBag {
#parameters: array:1 [
"website" => ...
dump($request->attributes); // in controller
Symfony\Component\HttpFoundation\ParameterBag {
#parameters: []
}
It looks like the request object in the controller is no longer the same. When dumping :
dump(['RouteServiceProvider' => request()]);
I get:
"RouteServiceProvider" => Illuminate\Http\Request {#385
And in controller:
dump(['Controller' => request()]);
"Controller" => Illuminate\Http\Request {#9379
How can I fix this?
First of all, I agree that this code should be in a middleware instead of the RouteServiceProvider.
If the language is you only concern here, I would suggest to just use app()->setLocale() instead of saving the website in your request. If you need other informations contained in the website object, I would suggest to store it in the session instead of the request because I think that this kind of information is more under the responsability of the session than the request, which is more designed to handle inputs, http verbs, headers, ...
This could solve your problem, if it is not the case, let us see more of your code and of the new dd() results

How to find referer of redirect to oauth client's callback

I am having trouble setting up a generic oauth client (and can't find good material on google).
I have this as my route to receive the callback from the oauth process:
Route::get('/oauth/callback', function (Request $request) {
$http = new GuzzleHttp\Client;
$response = $http->post('https://www.wunderlist.com/oauth/access_token', [
'client_id' => 'xxxxxxxxxxxxxxx',
'client_secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'code' => $request->code
]);
});
but in order to make it generic, I must be able to identify where the redirect came from.
something in the lines of
$service = App\Service::where(<field>, $request-><information about the referer>);
does Request contain any kind of information that can help me identify the source of the redirect? I looked at the object with dd() and couldn't find anything
You should use request()->headers->get('referer') to check the referrer url.
I managed to work around the problem by defining the callback url so that it contains a query parameter identifying the service.
This means that I tell the service to callback to /oauth/callback?service=XXX
and I find it in my services table like this:
$service = Service::where('slug', Input::get('service'))->firstOrFail();

Is this a proper Laravel Passport use case?

So think of my application as a CMS (laravel 5.7). I'm slowly adding in more javascript to make it more reactive. So I had the usual validation logic that makes sure the user is logged in and all that. But now when I use Vue to submit a comment payload it looks a little like this:
So looking at this, anyone could just change/mock the this.user.id to any number, I would like to also send a login token with the payload which then gets validated in the backend once the server receives the post request.
In the backend, ideally I'd want to have some kind of safe guard that it checks whether the api_token of the user matches with this.user.id to ensure the user.id wasn't mocked on the front end.
I read this portion: https://laravel.com/docs/5.7/passport#consuming-your-api-with-javascript
Part of it says:
This Passport middleware will attach a laravel_token cookie to your outgoing responses. This cookie contains an encrypted JWT that Passport will use to authenticate API requests from your JavaScript application. Now, you may make requests to your application's API without explicitly passing an access token:
But I'm still a bit unsure how that JWT gets generated in the first place. I don't have the vue components for the create token crud added because I want it to be done automatically. I think I'm slightly overthinking this..
Is this a good use case for Laravel Passport? I was looking through the tutorial and right now I don't have a need for custom oauth token creations and all the crud. I just want a unique token to be saved on the user side, that can expire, but also be used to validate requests. Am I on the right track here with Passport or should I use a different approach?
postComment(){
axios.post('/api/view/' + this.query.id+'/comment',{
id: this.user.id,
body: this.commentBox
})
.then((response) =>{
//Unshift places data to top of array, shifts everything else down.
this.comments.unshift(response.data);
this.commentBox = '';
document.getElementById("commentBox").value = "";
flash
('Comment posted successfully');
})
.catch((error) => {
console.log(error);
})
},
Update - Reply to Jeff
Hi! Thanks for your answer. It's not an SPA (might be in the future), but the comment box and the comment section is also integrated with websockets and there's a laravel Echo instance on it.
I guess where I'm feeling uncertain is the security of it.
I pass a user prop with :user="{{Auth::check() ? Auth::user()->toJson() : 'null'}}" into the vue component that contains the postComment() function.
This is where the id: this.user.id comes from. The route is defined in the api.php in a route middleware group for ['api'] like so:
Route::group(['middleware' => ['api']], function(){
Route::post('/view/{query}/comment','CommentController#store');
});
In my controller which calls a service to create the comment, the $request
public function makejson(createNewCommentRequest $request, Query $query){
$comment = $query->comments()->create([
'body' => $request->get('body'),
])->user()->associate(User::find($request->id));
$id = $comment->id;
$comment->save();
}
The createNewCommentRequest is a FormRequest class.
For now the authorize() function just checks whether the request()->id is an int:
public function authorize()
{
if(is_int(request()->id)){
return true;
}
return false;
}
From within there if I log the request(), all it outputs is:
array ( 'id' => 1, 'body' => 'gg', )
I thought I would need to add logic to authorize the request based on whether the user token and the request() yield the same user id? I'd want to avoid the scenario where someone can modify the post request and comment using another users id.
In the Network section of devtools, in the Request headers, i see it pushed a laravel_token cookie. I'm assuming that laravel_token is what stores the user session? If so, how would one validate based on that token?
I was playing around and added the route:
Route::get('/token', function() {
return Auth::user()->createToken('test');
});
When I went to it i got the following:
{
"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImE4NDE2NGVkM2NkODc5NDY3MzAxYzUyNmVkN2MyMGViZTllNzJlMGMzMjRiMmExNWYzZDgwZGNmMzEzMDk1MTRmNTY1NGMxYWUwMTE2ZGRkIn0.eyJhdWQiOiIxIiwianRpIjoiYTg0MTY0ZWQzY2Q4Nzk0NjczMDFjNTI2ZWQ3YzIwZWJlOWU3MmUwYzMyNGIyYTE1ZjNkODBkY2YzMTMwOTUxNGY1NjU0YzFhZTAxMTZkZGQiLCJpYXQiOjE1NDY1NTQzNDEsIm5iZiI6MTU0NjU1NDM0MSwiZXhwIjoxNTc4MDkwMzQwLCJzdWIiOiIxIiwic2NvcGVzIjpbXX0.NMETCBkOrMQGUsXlcas6CvTFJ0xRC8v4AJzC5GtWANdl8YsPBGlyCozMe1OGc8Fnq8GC_GZFkKmMT27umeVcSyaWriZB139kvtWzY6ylZ300vfa5iI-4XC_tJKoyuwDEofqMLDA4nyrtMrp_9YGqPcg6ddR61BLqdvfr0y3Nm5WWkyMqBzjKV-HFyuR0PyPQbnLtQGCzRFUQWbV4XWvH2rDgeI71S6EwmjP7J1aDA2UBVprGqNXdTbxWpSINMkZcgrDvl4hdqNzet-OwB2lu2453R-xKiJkl8ezwEqkURwMj70G-t9NjQGIBInoZ-d3gM2C3J9mEWMB5lyfSMaKzhrsnObgEHcotORw6jWNsDgRUxIipJrSJJ0OLx29LHBjkZWIWIrtsMClCGtLXURBzkP-Oc-O9Xa38m8m6O9z-P8i6craikAIckv9YutmYHIXCAFQN2cAe2mmKp7ds1--HWN_P5qqw6ytuR268_MbexxGDTyq8KzUYRBjtkgVyhuVsS7lDgUHgXvJfHNmdCulpiPhmbtviPfWaZM19likSjKHLTpIn2PpfTflddfhB9Eb4X24wGH7Y5hwxASe7gDs_R707LphS1EH4cTE8p2XW_lLv0jo89ep9IUPUO27pWLsqabt8uTr5OoKQeNZmXT6XiJ9tK3HhRgvIt7DYt8vqlRw",
"token": {
"id": "a84164ed3cd879467301c526ed7c20ebe9e72e0c324b2a15f3d80dcf31309514f5654c1ae0116ddd",
"user_id": 1,
"client_id": 1,
"name": "lol",
"scopes": [],
"revoked": false,
"created_at": "2019-01-03 22:25:40",
"updated_at": "2019-01-03 22:25:40",
"expires_at": "2020-01-03 22:25:40"
}
}
Now in Postman, when I send a get request to:
Route::middleware('auth:api')->get('/user', function (Request $request){return $request->user();});
I added a authorization header of type Bearer Token for the string captured in the variable: accessToken. In return I get the user, no issue. However where and how is the accessToken generated? It's not saved in the database?
Take the user ID that Laravel gives you from the token, rather than sending it from the front end. You can also check the scopes assigned to the token:
Route::post('/api/view/{query}/comment', function (Request $request, Query $query) {
if ($request->user()->tokenCan('comment-on-queries')) {
$query->comments()->create([
'body' => $request->get('body'),
'user_id' => $request->user()->id,
]);
}
});
If this isn't a single page app, and only the comment box is handled by ajax, the default Laravel scaffolding should handle this by adding a CSRF token to axios config. In that case you don't need Passport, because the user is stored in the session. Still though, don't take the user ID from the front end, get it from \Auth::id()
Here's the key difference: If they login using PHP, your server has a session stored and knows who is logged in.
If you are creating a single-page app separate from your Laravel app, you have to rely on Passport and tokens to ensure the user has the authority to do what they're trying to do.
Figured it out, was overthinking it. Basically didn't need a whole lot to get it working.
Added the CreateFreshApiToken middleware to the web group in app\Http\Kernel.php.
The axios responses attach that cookie on the outgoing responses
The api middleware group had to be 'auth:api'.
The user instance can be then called via request()->user() which is awesome.

Authentication check for non auth url in laravel passport api

i am using passport authentication for my Laravel 5.4 API.here i have a api for company details and it is a non auth api.i need to check logined user liked this company using auth in this url ...how i can do this.
This is my route
Route::get('/company/{company}','Api\V1\CompanyController#show');
Route::group(['middleware' => 'auth:api','prefix'=>'v1'], function(){
//auth urls
}
and this is my controller
class CompanyController extends Controller
{
public function show(Company $company,Request $request)
{
$data = array();
$flag = 0;
$data['status'] = 1;
$data['message'] = 'success';
$data['baseUrl'] = url('/');
$data['is_login'] = Auth::check();
Here is_login always return false,if i added autherization token in headers of api.
What is your default guard set as?
Auth::check() is Auth::guard(null)->check() which uses the current default guard.
If you want to check for an api you probably want to use the api guard just like your auth middleware is using when you use auth:api.
Auth::guard('api')->check() tells it to explicitly use the api guard instead of what the default is, which could be anything since we don't know what you have set.
When the auth middleware is ran it actually will set the default guard for you depending upon what guards are passed to it and which one it can resolve a user from. Which is why you can just call Auth::user() and get the correct user from the correct guard, because the middleware sets the current to the one that resolved the user. (When calling routes that have this middleware)

accessing session from the web middleware to the api middleware in laravel 5.3

I want to set a session in the server and have it available anytime. I'm using Laravel 5.3, I have the following code on one of my controllers:
Session::set('csrf_token', str_random(72));
return view('index', [
'session' => $session,
'csrf_token' => Session::get('csrf_token')
]);
then I made an Ajax request using a package called axios
axios.post('to-that-route', 'some-data')
.then(response => console.log(response))
.catch(err => console.log(err));
My problem is with the controller that handle this ajax request, it seems that it doesn't know the session that I just set, in fact this:
return response()->json(var_dump(Session::get('csrf_token')));
would give me null, that means it doesn't know about the session csrf_token. How do I handle this?
EDIT:
I tried doing this:
public function handler(Request $request) {
// set the session
$request->session()->put('csrf_token', str_rand(72));
}
// the controller that handles the ajax request
public function handler(Request $request) {
return response()->json(var_dump($request->session->get('csrf_token')));
}
it gave me an error saying Session store not set on request.
EDIT:
Sorry about this, I wasn't looking closely, the reason is because the session was set on the web.php which is under web middleware, and the controller that handles the ajax request is in the api.php is under the api middleware.
So I would like to revise the question, is there a way to access the session from the web middleware to the api middleware?
Sorry, my bad.
Sorry about this, I wasn't looking closely, the reason is because the session was set on the web.php which is under web middleware, and the controller that handles the ajax request is in the api.php is under the api middleware.
So I would like to revise the question, is there a way to access the session from the web middleware to the api middleware?
Sorry, my bad.

Resources