I am trying to auto-login user on step-2 of registration steps. After successful insert into db i am using Auth::loginUsingId($user_id) to auto-login user using ajax.
I am always submitting CSRF token on each steps.
Now the problem is after successful login CSRF token get generated and Auth::user() gets blank on step 3
Also before and after login CSRF is different.
First of all, csrf token is required when using non-GET request, so if in your case using GET request seems reasonable you can use it.
Otherwise, in step 2 you should return new CSRF token for example like this:
Auth::loginUsingId($user_id);
return response()->json(['csrf_token' => csrf_token()];
and then in step 3 use this new token you got from Step 2 response.
You may try this method Auth::User()->id;
You can try Auth::id() to get the current user's id.
If you want all the details about logged in user then you can use Auth::user().
By Auth::user() you can access all details about the user.
You can also log in from the controller by passing user id Auth::login($user_id)
And if you user Auth::loginUsingId() then you have to pass user id and true status for remember the details.
Like :Auth:loginUsingId(user_id, true)
For Example :
Get User's Id : Auth::id()
Get User's Name : Auth::user()->name
Get User's email : Auth::user()->email
etc....
Seems like its not an issue of CSRF at all.
When you create a new user, Like
$user = new App\User;
$user->username = $request->username;
...
...
$user->save();
Auth::loginUsingId($user->id);
Then place dd(Auth::user()->id); to check that user is logged in or not.
Let us know.
Related
I am developing a Laravel application. I am now customising the password reset feature. There is an issue with retrieving the password reset token back from the database because the token string is changed when it is saved in the database from when it is generated.
I explicitly generate the password reset token like this
$token = app('auth.password.broker')->createToken($user)
Then, I tried to retrieve the password reset by using that token like this.
$password_reset = DB::table('password_resets')
->where('token', request('token'))
->first();
I cannot retrieve it. It always return null. Because the token value is different from when it was generated as in the screenshots below.
Why is that happening and how can I fix it?
The token gets hashed before it's stored in the database. It gets hashed in the DatabaseTokenRepository on line 110: 'token' => $this->hasher->make($token).
You won't be able to query by token. You would only be able to check a plain token value against a hashed value with the check method in the HashManager class, for example.
Base on Passport
your code should be something like this
$token = app('auth.password.broker')->createToken($user)->accessToken
I would like to manually send a password reset request to a specific user (not the one currently logged in) from within a controller. I did some digging around in the Laravel code and it seems like I should be calling postEmail(Request $request) in ResetsPasswords, but I can't seem to figure out how to get access to the right PasswordController instance to call it.
Seems like you are admin, so from your end, you can set a column in database (is_active), and change that to 0, and check when user logged in if is_active == 0. If it's 0, allow him to set a new password, then make a hash of new password and change is_active to 1
The token generated by soft-deleted user not working, Is there any way to use the token of soft-deleted users ?
If you want to get the user that has been softDeleted. You must use the withTrashed method. So if you want to find the softDeleted user with a token you must write something like this code below:
$user = User::whereToken($token)->withTrashed()->first();
I use Laravel 5.4 and need to login user in my system. I have next login.blade.php
where i have email and password field. In my controller I have next
protected function log() {
$email=Input::get('email');
$pass=Input::get('password');
$user = DB::select("SELECT * FROM users where email = '".$email."' and password = '".$pass."'");
foreach($user as $users){
if(Input::get('email') == $users->email){
return redirect('/');
}else{
return view('site.warning');
}
}
}
How can I return logged user in my redirect('/') and show them in my site.
Any idea?
Use the attempt() method:
if (Auth::attempt(['email' => $request->email, 'password' => $request->password])) {
From the docs:
The attempt method accepts an array of key / value pairs as its first argument. The values in the array will be used to find the user in your database table. So, in the example above, the user will be retrieved by the value of the email column. If the user is found, the hashed password stored in the database will be compared with the password value passed to the method via the array.
This method will work for you if you're using bcrypt() or Hash::make() to generate password hash.
Please do not create your own login system!
Now that's out of the way the explanation.
There is (almost) no good reason to create your own login system, as your code already showed. Your current code is very VERY insecure due to storing passwords in plain text. Please read up on resent security advice.
The even better option is using Laravels build-in auth.
https://laravel.com/docs/5.4/authentication
If you do try to use this build-in authentication methods you will be able to get the current authenticated user by using Auth::user() this can be used in your blade files as well as in your controllers.
You cannot (maybe you can) but you certainly should't store user's password unhashed. Laravel has build artisan command: php artisan make:auth. You may use it, and retrieve him in the show method for example (thro the URL, passing id). Or just retrieve him via Auth::user(). Planty of choices.
I'm building an app where a logged in user can edit their own profile and of course unable to edit another user's profile.
I have this following route :
http://2mark.dev/profile/derp22/edit
The problem with that route is that the route is accessible by another users and and will finally allow the other users to the edit "derp22" profile data. My question is how to protect this route so that the other users can't access it ?
Thanks for the help!
You can check this in the method in your profile controller.
Here is the methodology:
1. Get the current user.
2. Get the user you want to edit.
3. Check against those Id's.
4. Throw/return error message or proceed in method.
Example:
$currentUser = \Auth::user();
$user = User::findOrFail($id);
if ($user->id != $currentUser->id) {
abort(403);
}
// Then have the save method.
https://github.com/jeremykenedy/laravel-auth/blob/master/app/Http/Controllers/ProfilesController.php
Check this https://laravel.com/docs/5.4/authorization#via-the-user-model
or
You can compare if the authenticated user id is equal the id