I want to authenticate normal users (users-table) with login form and laravel auth.
Additionally I want to authenticate students (students-table) with API-request like:
mylaravelsite.com/?studentkey=XXXXXXXXXXXXXXXXXX&studentname=YYYYY
How can I do this? I think with a middleware?
How can I use the Auth class to check if the logged in person is user or student or guest?
I like to build applications in the following way:
A route having a single purpose, meaning, one route is for authenticating users and another route is for authenticating students
Validating data on the middleware before performing ANY operation
Now to your question:
If you really need, you can create different routes linked to the same authentication method, and create a middleware to each where you 'manipulate' run-type which class the Auth is going to be used
auth()->getProvider()->setModel(App\Student::class);
There are other ways to do this, depending on the way you wish to authenticate. If you want a more detailed explanation, give us a scenario to work on:
How the user authenticates vs how the student authenticates
What is going to differ from these 2 authentications and how its handled
Note: You're authenticating users with a HTTP request to a certain route, which is the same as your example link, except that you're giving an HTTPGET example and default is POST on authentication
Related
All the request comes after wsso authentication now in my api i don't want to authenticate the request but i want to implement preauthorization on controller method.
In request header I am getting the user ID only nothing else.
I have one method which gives all the authority based on user ID.
Could any one guide how to approach this task in a spring boot application.
So in request header only user ID coming and I want to implement #preAuthorize("hasAnyAuthority('Admin')")in a controller method.
We don't have passwords access in our application.
I have a difficulty in understanding Spring Security and any tutorial I found was not tailored to my needs. So maybe I'll explain what I think and what I want to accomplish.
I want to create a website with Kotlin/Java backend and frontend in React. This website would need to have users with different roles (user, admin).
And (I think) the thing I need is some kind of backend that has 2 endpoints:
register (to create users in database)
login (to, based on username and password, fetch user info and role) - as some kind of token? This returned token would be then used by frontend to display specific options (i.e. do not display "ban user" for regular users) and it also would be sent to backend for checking if the person who requests for specific endpoint really should be able to call this endpoint (i.e. it should be forbidden for regular users to use "ban user" endpoint)
What should I read about, what keywords should I look into to achieve this?
For purely the Spring Boot part of the implementation, the following should do
(/register) Signup/Register endpoint taking all required parameters for your business logic. e.g Username , Password , Full Name as well the roles
(/login) For logging in , you need a token forwarded to the front end, which will then use this token in the header for the session. JWT tokens seems like what you need(sample below). For the other part of your requirement, you can keep the user object (with roles) in the session as well as check user role on the backend in the "ban user" endpoint and process accordingly.
JWT Authentication with Spring Boot
I found a good starting point in the following sample
https://github.com/bezkoder/spring-boot-spring-security-jwt-authentication
For a more complete example
https://www.bezkoder.com/spring-boot-react-jwt-auth/
Credits to
https://www.bezkoder.com/
I have come a cross Youtube Video that covers all the scenarios that your looking for and extra, with Email verification links as well. i hope this will definitely help you
Java Tutorial - Complete User Login and Registration Backend + Email Verification
I have more conteptual question, how exactly should I handle social login in my project.
The use case is that I would like to allow user to login with Facebook, and keep on my backend information about this user (email, firstname, lastname)
I have some proposal Flow, but I'm not sure if it's a proper approach.
Let's say that I have application architecture as above. Now I would like to explain step-by-step full success flow.
Client (Vue application) make a call to AuthProvider (Facebook)
AuthProvider returns access_token
Client after reciving access_token make a call to backend endpoint like /fb_profile with access_token and userID (?)
Backend make a call to AuthProvider to check if given by client access_token is valid or not.
AuthProvider returns information about user. Backend after getting information about user, save it to database and generate new JWT token
Backend returns generated token to user
Now my question is - Is this good approach? Or should i handle it in other way? Like keep more logic to backend part? Instead of make a call to Facebook from Client, maybe should I make a call to backend, and backend make a call to Facebook?
You seem to be on right track. There could me many ways to do the same thing, here is the way which is working for me using vue/laravel/passport/socialite/github.
Trigger redirect in controller from frontend,
Provider(here github app) is triggered in browser with its url using client id/app name saved in back end config/env. Fill out your login details
It will redirect as created in provider and configured in backend-> show it on frontend, in my case its
http://localhost:8080/authorize/github/callback
From frontend now trigger callback in controller, it will check if user details already exist and will insert if its first time user as per logic. Then it will send back access_token to frontend which can be used in frontend for all the operations
DB
The above will be the sequence of the request flow ( same as yours ).
This would be the standard practice we used to integrate with Facebook. In this case, I strictly advise you to use the JavaScript SDK for Facebook.
Refer below link in case if you run into the following issue:
Vuejs component wait for facebook sdk to load
im using first time Passport laravel, but i still didnt understand quite is the difference between midlewareare auth:api and client:credentials (CheckClientCredentials ), doesnt these 2 types of middlware restrict routes? What is the difference between them?
The auth:api middle-ware is used for authentication. Whenever user will call an api, the user has to provide the authentication token with it. It depends on you which api you are restricting. From that token we can recognize the user or get the user object from request. Following is the way to get the user from token.
$user = $request->user();
for more information you can read the passport documentation at here
Client Credentials Grant Tokens
The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.You can go through the doc at here
My webapp has means of abuse, users can access things they're not supposed to, such as 127.0.0.1/users/1 & 127.0.0.1/users/2 & 127.0.0.1/users/3 and so on, within these it reveals the user's registration email, ip, etc (via JSON, so the web server can return customized messages, greetings, and allow users to edit account data within profile settings)
This is what my route looks like:
forum.GET("/users/:user_id", routeFunc(UsersGET))
I'm using Gin-Gonic HTTP framework to create a dummy forum, can someone tell me how to stop users from accessing the /users/ route whilst allowing the actual web server to use freely? and maybe link me to the correct direction. Thanks!
(The server uses it to return things like, Welcome Back, USERNAME).
You need to add authentication and authorization to your server.
Authentication is where a user will prove their identity to you by means of a shared secret (like a password hash) and authorization is where you check if that authenticated user is allowed to take the action they are trying to make.
There are many third party services that might help you with this (e.g. Auth0) where they can handle authentication for you and provide you with libraries for authorization.
Usually people bind authentication into their Gin-Gonic server by means of middleware (e.g. gin-jwt) which is run in front of every http request. Once that middleware authenticates the user, you can add some logic to your handle that states only users can only view themselves.
Hope this helps. Good luck.