Trying to set up CAS with my Laravel project - laravel

I am using subfission/cas for my application. I have followed all installation steps. I am using windows, if that matters. More precisely, I have configured the following:
I ran the following in my terminal
composer require "subfission/cas" "dev-master"
I configured my Kernel.php accordingly, adding the following:
'cas.auth' => 'Subfission\Cas\Middleware\CASAuth',
'cas.guest' => 'Subfission\Cas\Middleware\RedirectCASAuthenticated',
I ran the following command:
php artisan vendor:publish
I also set up my cas server in my cas.php config file:
'cas_hostname' => env('CAS_HOSTNAME', 'cas.myserver.me'),
'cas_real_hosts' => env('CAS_REAL_HOSTS', 'cas.myserver.me'),
What I want is a middleware for all my routes, so I added the following route rule in my routes:
Route::middleware(['cas.auth'])->group(function ()
{
Route::get('/', function ()
{
return view('welcome');
});
});
Basically, I want to redirect everyone who is not logged in to the login page whenever I access the main page (for now, I will add more routes in the future). What happens is that the users are redirected to the login page when they are not logged in, but after the login I receive the following error:
ErrorException (E_WARNING)
DOMDocument::loadXML(): Opening and ending tag mismatch: hr line 1 and body in Entity, line: 1
No matter what view I'm redirecting the user to. I tried the default welcome page as well as an empty view, but I still get the same error.
EDIT: I have used the dev-master branch from subfission/cas for the above error and after switching to 2.1.1, I get a different error:
session_name(): Cannot change session name when headers already sent
EDIT 2: I did some more digging and I enabled internal errors in my cas client class with:
libxml_use_internal_errors(true);
And now I get the following:
Authentication failure: SA not validated Reason: bad response from the CAS server
And the cas response is:
The thing is that I use the same cas server for another 2 projects and it works well for those (but those aren't laravel projects.

I know it's been a while, but for anyone else having issues like this, the issue is the protocol selected for which your web service communicates with your CAS(Central Authentication Service) provider. There are two main protocols used for SSO/CAS in this package:
SAML(Security Assertion Markup Language) version 1.1 & 2
CAS Protocol v3.0
[Confusingly enough, CAS protocol shares the same namespace as the service.]
The idea is to match the protocol and version with your identity provider. It sounds like your provider is using CASv3.0, which is why disabling SAML worked.
Also, if you enable debug mode, you will see further error details in your log file to help your troubleshoot.
Best of luck!

I managed to solve the issue by disabling the SAML in the cas configure file:
'cas_enable_saml' => env('CAS_ENABLE_SAML', true),
change to
'cas_enable_saml' => env('CAS_ENABLE_SAML', false),

Related

cy.origin() and multiple origins in the same domain

I am trying to add login flow to my cypress tests.
I want to get it running on my machine, in the following environment:
both app and OAuth server are running in docker containers
both containers have their ports mapped to localhost:
app is available at baseUrl: 'https://localhost:8888'
OAuth Server is available at 'http://localhost:9081'
As you can see, there are 2 origins on the localhost.
If I try the simple code:
cy.visit('/mysecuredpage'); // this redirects to http://localhost:9081
cy.contains('Please log in');
cy.get('input#username').type('user1');
cy.get('input#password').type('password1');
cy.get('button#password-submit').click();
I get an error about conflicting origins:
The command was expected to run against origin `http://localhost:9081` but the application is at origin `https://localhost:8888`.
I was trying to follow SSO login custom command
cy.visit('/mysecuredpage'); // this redirects to http://localhost:9081
cy.origin('http://localhost:9081', () => {
cy.contains('Please log in');
cy.get('input#username').type('user1');
cy.get('input#password').type('password1');
cy.get('button#password-submit').click();
});
Unfortunately, this fails with an error about wrong domain:
CypressError: `cy.origin()` requires the first argument to be a different domain than top. You passed `http://localhost:9081` to the origin command, while top is at `http://localhost:9081`.
Either the intended page was not visited prior to running the cy.origin block or the cy.origin block may not be needed at all.
Am I running against some known limitation or doing sth wrong?
I am not even sure if multiple origins in the same domain is the root cause of the problem, or is it caused by some usage pattern of my app (all pages are private and redirect immediately to Oauth - there is no login button on the app side)
Cypress: 11.0.1
Browser: Chrome 107 (headless)
Node Version: v18.6.0

Google Authentification Laravel Socialite gives 403 Error when asking for 'profile' scope

As the title says, I'm getting a 403 Forbidden Error when asking for the 'profile' scope.
Here's my code
// routes/web.php
Route::get('google', 'Auth\GoogleAuth#auth')->name('google-signup');
Route::get('googlecallback', 'Auth\GoogleAuth#callback');
// Auth/GoogleAuth.php methods
public function auth()
{
return Socialite::driver('facebook')->redirect();
}
public function callback()
{
$socialUser = Socialite::driver('facebook')->user();
dd($socialUser);
}
The reason I know it's the 'profile' scope is because when I tried
public function auth()
{
return Socialite::driver('facebook')->setScopes(['email','openid'])->redirect();
}
Everything worked, prefectly, I get the email and the id, only I don't get user info without the 'profile' scope. and I need said information (name, first name, last name ..etc).
I tried the stateless() solution but I kept getting the same 403 Error.
I saw some similar questions here and in github but the solutions didn't work for me either.
Laravel version 7.x
Laravel Socialite version 4.4
I'd appreciate any help.
Okay... This question is out there a lot with few (or wrong) answers. I happened to run into this on 2 different Amazon Lightspeed instances with the exact same code installed and on one server Google login/callback worked fine and on the other 403.
This is MOD SECURITY issue. It's blocking the use of .profile which is in the Laravel code apparently or perhaps required to pull down the Google user data. What you need to be able to do to fix this is turn off the ID for this rule in mod-sec. For me that was 210580.
Message: Access denied with code 403 (phase 2). Matched phrase
".profile" at ARGS:scope. [file
"/etc/apache2/modsecurity.d/rules/comodo_free/08_Global_Other.conf"]
[line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access
Attempt||aeroscale.net|F|2"] [data "Matched Data: .profile found
within ARGS:scope: email profile openid
https:/www.googleapis.com/auth/userinfo.profile
https:/www.googleapis.com/auth/userinfo.email"] [severity "CRITICAL"]
[tag "CWAF"] [tag "Other"] Apache-Error: [file "apache2_util.c"] [line
273] [level 3] [client 73.238.35.209] ModSecurity: Access denied with
code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. [file
"/etc/apache2/modsecurity.d/rules/comodo_free/08_Global_Other.conf"]
I added that to my Plesk exception list in Mod Security and it started working on this server. Ironically I don't have that rule installed on the other server and it works fine. It's a slightly lower end server though so perhaps Amazon runs a different rule set on them.

Laravel Socialite InvalidStateException in AbstractProvider.php line 200

I'm building a web app in my local system (Ubuntu-14.04 64Bit) using laravel 5.3. I used Socialite to signin from social networks. I configured G+, Facebook, GitHug. I'm using Chromium as my default browser. Finally the problem is i'm getting
InvalidStateException in AbstractProvider.php line 200
frequently. i tried
php artisan cache:clear
php artisan config:clear
composer dump-autoload
these are helping to solve the issue temporarily, again the problem raising.
please help me in this issue..
I have the same issue and I've read a lot about this, that depend if the URL where you are at the moment of the login request has www. at the beginning or not.
Into config\services.php, if you have the redirect set as http://sitename.tld/callback/facebook the oauth works if you send the login request from sitename.tld, while if you try from www.sitename.tld you get the exception.
I haven't yet understood how to have it working with and without www at the beginning.
If the AbstractProvider.php line 200 fires the exception when the state of the user is not present means that the User cannot be created.
First check your code when you get the details from the provider(facebook, github) if you create a user and you return it.
If you have managed and logged in your app and you deleted the user from the user table remember to delete also the data from the socialite account table.
I was getting that exception because 'state' wasn't saved in session. But I was using asPopup method - Socialite::driver('facebook')->asPopup()->redirect(); so I saved session then - $request->session()->save();. So I solved this issue.
or try
session()->put('state', $request->input('state'));
$user = Socialite::driver('facebook')->user();
it works
I have same issue and solved in 3 steps;
add request on the top
use Illuminate\Http\Request;
Pass request object to function
public function handleProviderCallback(Request $request)
{
try {
$user = Socialite::driver('facebook')->user();
} catch (Exception $e) {
throw new Exception;
}
}
Clear cache.
php artisan cache:clear
I had the same error but my solution was a little different. I am posting here just in case someone else keeps hitting this post like I did for a possible answer.
I develop on Ubuntu 18.04 desktop since it is a server with a GUI. Socialite works great locally but as soon as I pushed/pulled the changes through git to the server, it quit.
I was running traces by recording what was sent to and from google. I "dd($_GET)" to get a raw dump before Socialite had a chance to get the info so I knew what was stored and ready for use. All info was there but Socialite didn't seem to "see" it. That is when I reasoned it was my apache2 header configuration interfering with the cookies/session data.
I had set header security in my apache2 configs. One of the settings was
Header always edit Set-Cookie ^(.*) "$1;HttpOnly;Secure;SameSite=Strict"
This setting was interfering with the cookie information that socialite needed. I removed that setting from my apache2 header config(by commenting out) and restarted Apache. Finally I removed all sessions in storage/framework/session/* and cleared them from my browser just to be sure. That worked for me.
After I got it working, one by one enabled and tested each of the following settings to have the framework secure what header info it can:
SESSION_SECURE_COOKIE=true
in my .env file
'http_only' => true, and
'same_site' => 'lax'(setting to "strict" did not seem to work)
in my config/session.php file.
Now it is back to testing security and tweaking things back if need be.

Laravel Object not found Error 404

The laravel project runs at another system with a fixed ip.
If I access the project on another computer via this line:
http://61.211.45.158/appi/public/auth/login
(changed to original ip for privacy)
it works so far but if I login the url does change to this:
http://61.211.45.158/auth/login
and I get the error
Object not found ... 404
The laravel project works if I call it locally via localhost....
I do not know why this is happening really big thanks for any help.
EDIT:
I removed the authentification and somehow it show the page now just without the login and register, does anyone know why?
I commented this line:
Route::group(['middleware' => 'auth'], function ()
{
You have wrong web server configuration on the remote machine. Web server should be pointed to a public directory, for example /home/someuser/appi/public, but not to /home/someuser/. Edit Apache config file (do not edit .htaccess), you should have similar lines in it:
DocumentRoot "/path_to_appi/appi/public"
<Directory "/path_to_appi/appi/public">
Then restart Apache to make everything work.

Bitbucket - Webhook keep returning error 500

Would like to check, I am fairly new to Bitbucket's new introduced webhook where previously i was using services where Bitbucket will execute a link to my site thus triggering a deployment script.
So since the old service is going to be depreciated soon, we all migrated to webhook instead. With the same implementation, I keep getting an error 500 upon commit/push/merge and there is no way for us to see the details for the error given. At first I thought it was my server giving problem but when i call the link manually via browsers and everything was fine. The deployment script can be executed successfully so then why bitbucket's webhook keeps telling me error 500?
Subsequently I find the guide given by Bitbucket was not helpful. There is no specified call method to the url stated so is the webhook initiates a GET or POST request? previously using services initiates a POST request. Then, are there any necessary payloads i need to include into the webhook URL? None is stated. Then, if there is an error at least let me see the error so I can fix it instead of telling me error 500.
I hope someone here can help me with this issue. Below are some specification of the site.
Server : Ubuntu LEMP 14.04 x64 Laravel framework 5.0
Webhook Url: bot.example.com/bitbucket/deploy/{Site API}
Method : GET
And when the abode link is call, it reaches a controller that does
public function attemptDeploy($site_api)
{
$script = 'nohup setsid php ~/scripts/deploy.php ' . $site_api. ' > /dev/null 2>&1 &';
exec($script);
return response('Deploy running.', 200);
}
Note that when i call this link manually either form browser or console everything works perfectly except from bitbucket's webhook. How can i solve this issue?
I was in the same situation. Bitbucket trims the body of the response and I couldn't see the error given by my server.
I've looked into the logs storage/logs/laravel.log and saw TokenMismatchException. Webhooks being API calls they don't store cookies or sessions so CSRF from Laravel breaks.
You need to add an exception from CSRF for the bitbucket deploy route. You can add this exception in app/Http/Middleware/VerifyCsrfToken.php. For example if your link is www.your_site.com/bit_deploy you will have:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'bit_deploy'
];
}
Hope that this helps you ... as I've lost 3 hours on this.
PS: at the time of writing this answer, bitbucket webhooks performs POST calls (not GET)

Resources