Revoking signature on Laravel temporarysignedroute at the time it accessed - laravel

So I was searching for a way to send a link to the user's email that lets them log in by using it. I tried Passport but had no idea how to use it after reading its docs for hours. So I had an idea to let the user log in via a signed route, but I want to revoke its signature the first time it has been accessed, like the code below. Is that possible? Any suggestion for this login via link is welcome, desperate af ::))

```php
return URL::temporarySignedRoute(
    'unsubscribe', whenAccessedfortheFirstTime(), ['user' => 1]);
```
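A signed URL's signature cannot be "revoked" by itself, because it is just an HMAC over the URL and its expiry; single use has to be tracked server side. The following is an added example (not code from the question or any answer) that combines a temporary signed route with a one-time record: it assumes a `magic_links` table with columns `id` (uuid string, primary key), `user_id`, `used_at` (nullable) and `created_at`, and a class name `MagicLinkController` chosen here.

```php
<?php
// Added example, not from the question. Assumes a `magic_links` table with
// columns id (uuid string, primary key), user_id, used_at (nullable), created_at.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\Str;

// routes/web.php: the `signed` middleware rejects any URL whose signature is
// missing, tampered with or expired (HTTP 403) before the controller runs.
Route::get('/login/magic/{link}', [MagicLinkController::class, 'consume'])
    ->name('login.magic')
    ->middleware('signed');

class MagicLinkController
{
    // Build the link to e-mail. The signature covers the route, the parameters
    // and the expiry, so the link cannot be forged or its lifetime extended.
    public function issue(int $userId): string
    {
        $id = (string) Str::uuid(); // random, unguessable link id
        DB::table('magic_links')->insert([
            'id' => $id, 'user_id' => $userId,
            'used_at' => null, 'created_at' => now(),
        ]);
        return URL::temporarySignedRoute('login.magic', now()->addMinutes(15), ['link' => $id]);
    }

    // Signature and expiry are already verified here; enforce single use with
    // an atomic UPDATE that only the first request can win (no check-then-act race).
    public function consume(Request $request, string $link)
    {
        $claimed = DB::table('magic_links')
            ->where('id', $link)
            ->whereNull('used_at')
            ->update(['used_at' => now()]);
        if ($claimed !== 1) {
            abort(403, 'This login link has already been used or does not exist.');
        }
        $userId = DB::table('magic_links')->where('id', $link)->value('user_id');
        Auth::loginUsingId($userId);
        $request->session()->regenerate(); // fresh session id on login
        return redirect()->intended('/');
    }
}
```

Because the link id is claimed before the login happens, a second visit (including a replayed copy of the same e-mail link) gets a 403 even while the signature is still within its 15-minute window.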

Related

How to login a user at backend without CSRF in Laravel?

I'm trying to make a user logged in at the back-end who is already a user of another website of mine. For now I'm able to fetch the user's data from the previous website's database using an API and do the user registration during the login process. At the same time I want this user to be logged in when the data is just inserted, because now the user exists. I tried to reuse the same method $this->processLogin(); but this method takes a request: function processLogin(Request $request). I can't see passing email & pass to utilize this same method. I have tried a Guzzle self request with 3 params 'email, password, _token' using a POST request, which didn't work. I don't want to exclude this route either, because it is being used for normal login. How can I make this user logged in right after inserting the required data? Please advise. Thanks in advance.

```php
// if $id is your user that you want to login, then:
auth()->loginUsingId($id);
```

Unable to get authenticated user using Laravel 5.8 and Auth0

I have a Laravel 5.8 API that I want to secure using Auth0. So far I've followed every step of this tutorial:
On the front side, Login/logout links are currently implemented in Blade, and this works fine, though the rendered content on the page is done using Vue Router, making AJAX requests to the API for the data.
The default User model in Laravel has been modified to store name, sub, and email per the tutorial, and this populates as well.
The API endpoint is secured using the jwt middleware created during the tutorial, and I can successfully submit a GET along with a hard-coded Bearer auth token in Postman and get a good response.
However, at some point I'd like to be able to pass an access token off to Vue so it can do its thing, but I'm unable to get the current authenticated user. After hitting Auth0, it redirects back to my callback route with auth gobbledygook in the URL. The route in turn loads a controller method, and everything even looks good there:

```php
// Get the user related to the profile
$auth0User = $this->userRepository->getUserByUserInfo($profile); // returns good user
if ($auth0User) {
    // If we have a user, we are going to log them in, but if
    // there is an onLogin defined we need to allow the Laravel developer
    // to implement the user as they want and also let them store it.
    if ($service->hasOnLogin()) { // returns false
        $user = $service->callOnLogin($auth0User);
    } else {
        // If not, the user will be fine
        $user = $auth0User;
    }
    \Auth::login($user, $service->rememberUser()); // "normal" Laravel login flow?
}
```
I'm not an expert on the framework, but the last line above seems to start the "normal" Laravel user login flow. Given that, shouldn't I see something other than null when I do auth()->user(), or even app('auth0')->getUser()?
Try using a simple tutorial if you're a beginner, I would recommend this
It uses a simple JWT package to create a JWT token which you can get when the user authenticates.

```php
JWTAuth::attempt(['email' => $email, 'password' => $password]);
```

Laravel passport: Manually create access token

I'm building an SPA using VueJS and Laravel.
I'm using Laravel passport for logins which works fine.
However I would like the ability to send users magic links to log in with. However I'm not sure how to create an access token without sending a request with the password to the oauth route.
It seems like it should be really easy to do, just inserting the right rows into oauth_access_tokens and oauth_refresh_tokens.
But I've been trawling through the code in the Passport repo and Google results and everything seems way more complicated.
What I would like is to be able to do something like this:

```php
$user = User::findFromMagicLink($link);
$token = $user->createAccessToken();
return response()->json(['access_token' => $token->token, 'refresh_token' => $token->refresh_token]);
```
I'm guessing that's not possible otherwise it would be documented somewhere. But if it's something more complicated than that I can't figure it out.
Can anyone point me in the right direction?
Try this. You can create an access token like:

```php
$user = User::findFromMagicLink($link);
$token = $user->createToken('UserToken', ['*']);
// or directly access the token string
$token = $user->createToken('UserToken', ['*'])->accessToken;
```
For more info Read: Manage personal access token

Laravel Social OAuth Authentication - Password?

I am using Laravel Socialite to register a user via an outside website. That works just fine, but I'm confused the best way to make sure the user is authenticated each time they come to my website.
Normally, a user will register with a username/email address and password. Then, we check the database against their inputted credentials and log that user in. But authenticating with an outside website, I don't have access to that user's password, just other credentials that are available (i.e. email address obtained from the 3rd party website).
So, if they register/login through an outside website, once the user is redirected back to my website, should I just authenticate like this? This is where I get confused because normally I include a 2nd key/value pair which is the password for the user.
```php
if (Auth::attempt(['email' => $user['email']]))
{
    return redirect()->route('route');
}
```
UPDATE:
Shouldn't this simple Laravel authentication be sufficient? The 3rd party website I'm using to login handles the authentication workload. It seems that I'm just needing to authenticate through Laravel to be able to utilize the Auth facade for the current user.
The way I solved this was simple. The 3rd party website handles their authentication and once the user is redirected back to my website, they're good to go. So, I just push a session cookie to them and they're all set.
```php
Auth::login($user, true);
```
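As an added example (not from the question or the answer) of the approach above in a Socialite callback: the provider does the authentication, and the app only has to resolve its local user and log it in. It looks users up by the provider's stable user id rather than by e-mail alone, and assumes a `users` table with `provider` and `provider_id` columns and a controller name `SocialLoginController` chosen here.

```php
<?php
// Added example, not from the question or answer. Assumes a `users` table
// with nullable `provider` and `provider_id` columns and Laravel Socialite.
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

class SocialLoginController
{
    private const PROVIDERS = ['github', 'google']; // allowlist for the route parameter

    public function redirect(string $provider)
    {
        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
        return Socialite::driver($provider)->redirect();
    }

    public function callback(Request $request, string $provider)
    {
        abort_unless(in_array($provider, self::PROVIDERS, true), 404);

        // Socialite checks the OAuth `state` value and exchanges the code for
        // the provider's profile; no local password is involved at any point.
        $social = Socialite::driver($provider)->user();

        // Match on the provider's user id, not the e-mail alone: an e-mail can
        // change or be unverified at the provider, the id is stable.
        $user = User::where('provider', $provider)
            ->where('provider_id', $social->getId())
            ->first();

        if ($user === null) {
            $user = User::create([
                'name' => $social->getName() ?? $social->getNickname(),
                'email' => $social->getEmail(),
                'provider' => $provider,
                'provider_id' => $social->getId(),
                // Random unusable password: this account only logs in via OAuth.
                'password' => bcrypt(Str::random(40)),
            ]);
        }

        Auth::login($user, true);              // second argument = "remember me"
        $request->session()->regenerate();     // new session id after login
        return redirect()->intended('/');
    }
}
```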

Google Contacts API in Javascript and PHP

I am making an ajax controlled website, in which I use the Javascript SDK for Google to authenticate my users, and gain access to their google contacts. What I intend to do, is the following:
Authenticate the user in the browser, without redirecting, and ask for access to their Contact list, and access to manage their Contacts.
Store the user id in my database if he/she granted me the access, together with a refresh token, which if I am not mistaken, I can only get via server side.
Sometime later, if the user wants to see their google contacts via my website, send an ajax request to my server, which ASKS for an access_token from the user, retrieves the data and shows it to the user, or stores it in my own database if the user asks to.
I've managed to complete the first step from these three, I can authenticate a user, and get access to a single access token which is valid for 3600 hours, but I can't figure out how to authenticate a user server side, without redirecting him anywhere. I tried using the Google PHP SDK too, but can't seem to figure out how to do this. I am certain that this is possible somehow, because it is stated in the Google PHP SDK guide:
If we have authenticated on an Android or Javascript web client, we may have acquired a code via a different means. In this case, we just need to exchange it. If it was retrieved via the gapi Javascript client, we need to set the redirect URI postmessage.

```php
$client->setRedirectUri($redirect_uri);
```

The only problem is I don't understand how to do this. What is $redirect_uri? I don't have a redirect URL, because when I implemented the Javascript SDK, it said that I don't have to use a redirect URI, because Javascript authentication is done in the same window, without redirects (just as I want it).
How could I proceed to solve the second and the third step mentioned above? Where could I find a non-hacky or not-very-much-hacky tutorial, to achieve my desired result?
EDIT:
What I basically want to achieve is the following things:
ask for permission to access Google Contacts from the user, WITHOUT redirecting him from my site(via a popup window)
Achieved this with the Javascript SDK
get an access token for this permission, and a refresh token, and STORE these in a database
Javascript SDK only grants an access token, and I don't want to pass this via an ajax call, because I feel this is unsecure
with the refresh token, generate access tokens server side for the user, and process data, and send the data back.
Here is how my PHP file looks at the moment:

```php
$client = new Google_Client();
$client->setClientId($client_id);
$client->setClientSecret($client_secret);
$client->setScopes('https://www.googleapis.com/auth/plus.me');
$client->setRedirectUri($PHP_SELF);
// setAccessType('offline') is the Google_Client call that requests a refresh
// token; the original used setState('offline'), which only sets the OAuth
// `state` parameter and does not produce a refresh token.
$client->setAccessType('offline');
$authUrl = $client->createAuthUrl();
if (isset($_GET['code'])) {
    $client->authenticate($_GET['code']);
    $_SESSION['access_token'] = $client->getAccessToken();
    $result = $client->getAccessToken();
} else {
    header("Location: " . $authUrl);
    exit;
}
```
To achieve what I want, I should get the $_GET['code'] parameter somehow through the Javascript SDK, but I don't know how:|
After a few days of headache I figured this one out too... thanks Google for nothing, your documentation SUCKS.
```php
$client->setRedirectUri($redirect_uri);
```

The $redirect_uri parameter should be a string: "postmessage", and when authenticating via Javascript, you should ask for a CODE instead of a TOKEN, which you then send to your server side script, to authenticate and exchange for a token.

```javascript
gapi.auth.authorize({client_id: googleApi.clientId, scope: googleApi.scopes, response_type: 'code', immediate: true}, g_handleAuthResult);
```
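The server half of that exchange, as an added example (not code from the question or the answer): the browser POSTs the one-time code it got from gapi.auth.authorize to this script, which swaps it for tokens with the client secret and keeps the refresh token server side. It assumes the v1 Google_Client API used in the question (authenticate() and getAccessToken() returning a JSON string), a PDO handle $pdo, a session that already holds user_id and a CSRF token, and a `google_tokens(user_id, refresh_token)` table with user_id as primary key; all of these are assumptions for the example.

```php
<?php
// Added example, not from the question or answer. Server side of the flow the
// answer describes: the browser obtains a one-time `code` from
// gapi.auth.authorize(...) and POSTs it here; the server exchanges it.
// Assumptions: v1 Google_Client API (authenticate()/getAccessToken() with a
// JSON string), a PDO handle $pdo, a session holding user_id and a CSRF token,
// and a google_tokens(user_id, refresh_token) table keyed by user_id.
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['user_id'])
    || !hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
    http_response_code(403); // only our own logged-in page may post a code
    exit;
}

$client = new Google_Client();
$client->setClientId($client_id);          // assumed loaded from server config
$client->setClientSecret($client_secret);  // never shipped to the browser
$client->setScopes('https://www.google.com/m8/feeds'); // Google Contacts scope
$client->setRedirectUri('postmessage');    // matches the JS popup flow
$client->setAccessType('offline');         // needed to receive a refresh token

$client->authenticate($_POST['code']);     // code -> access (+ refresh) token
$token = json_decode($client->getAccessToken(), true);

// Google returns refresh_token only on first consent; keep the old one otherwise.
if (!empty($token['refresh_token'])) {
    $stmt = $pdo->prepare(
        'INSERT INTO google_tokens (user_id, refresh_token) VALUES (?, ?)
         ON DUPLICATE KEY UPDATE refresh_token = VALUES(refresh_token)'
    );
    $stmt->execute([$_SESSION['user_id'], $token['refresh_token']]);
}

// Later requests (step 3 of the question): mint a fresh access token from the
// stored refresh token on the server; the refresh token never reaches the browser.
function accessTokenForUser(PDO $pdo, Google_Client $client, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT refresh_token FROM google_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $refresh = $stmt->fetchColumn();
    if ($refresh === false) {
        return null; // user never granted offline access
    }
    $client->refreshToken($refresh);
    return json_decode($client->getAccessToken(), true)['access_token'] ?? null;
}

echo json_encode(['ok' => true]); // no tokens in the response to the browser
```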
