I use Laravel 5.7 with Passport and a Vue component.
I have a Vue component with a method to change the authenticated user; this method calls the API via POST.
My API is protected by the auth:api middleware.
The connection to the site uses a PHP session. I don't want to use JWT.
How can I change the connected account?
public function switchAccount(Request $request, Team $team, User $user)
{
Auth::guard('web')->login($user);
}
Related
I'm using Laravel 8 / VueJs / Sanctum. And I found a small issue. I'm not sure if it's a security issue or not, but I'm thinking it's an exploit in Sanctum.
I'm calling my Vue components in my blade files.
And I can send and receive the response to all routes that I have in api.php without sending the token.
Also: all my routes are in the sanctum middleware, as you can see.
All my routes are working fine, but the /user one redirects me to home.
Is it possible to receive a response without sending a token, after I logged in?
If yes, why can I receive a response from all my routes, but /user redirects me to /home?
Route::middleware(['auth:sanctum'])->group(function () {
Route::get('/user', function(Request $request){
return $request->user();
});
// Chat routes
Route::prefix('/chat')->group(function(){
Route::post('/messages', [App\Http\Controllers\Api\ApiChatController::class, 'store'])->name('api/send-message');
Route::get('/messages', [App\Http\Controllers\Api\ApiChatController::class, 'show'])->name('api/recent-chat');
Route::get('/messages/{user}', [App\Http\Controllers\Api\ApiChatController::class, 'show'])->name('api/open-chat');
Route::get('/threads', [App\Http\Controllers\Api\ApiChatController::class, 'index'])->name('api/all-chat-threads');
});
// dating routes
Route::prefix('/dating')->group(function(){
Route::get('/search', [App\Http\Controllers\DatingController::class, 'search'])->name('api/search');
});
});
Sanctum uses tokens and cookies for user auth. If you are calling, over the browser, a page which is guarded by Sanctum, then Laravel uses cookie auth. If you make an API call from JavaScript, then Laravel needs the token.
So I think everything is right.
I am using Laravel Sanctum SPA authentication in my Vue project. Everything is working well, but even after logout
Auth::logout()
I am still able to get data from the API route inside the middleware
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
return $request->user();
});
I should not be able to get data after logout. It should show 401 unauthenticated, but that's not the case.
How do I solve this problem? I have been stuck here for 3 days. I followed the Laravel documentation and other tutorials as well, but everyone logs out the same way I did.
Kindly use Auth::guard('web')->logout(); instead of Auth::logout(). Look into the SPA logout issue.
To log out a user, simply do this in your logout function to delete all of the user's tokens
public function logout(Request $request) {
auth()->user()->tokens()->delete();
}
Or use this to remove only the active token
$request->user()->currentAccessToken()->delete();
What worked for me now is :
auth('sanctum')->user()->tokens()->delete();
In order to log out a specific user, you need to specify the user.
// Revoke a specific user token
Auth::user()->tokens()->where('id', $id)->delete();
// Get user who requested the logout
$user = request()->user(); //or Auth::user()
// Revoke current user token
$user->tokens()->where('id', $user->currentAccessToken()->id)->delete();
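A logout route that handles both ways a Sanctum request can be authenticated: the session cookie (SPA) and a bearer token. This is an added example, not code from any of the answers above; the route path and the empty response are assumptions.

```php
<?php
// Added example, not from the thread. Assumes the default "web" guard and
// Sanctum's PersonalAccessToken model; the /logout path is illustrative.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\PersonalAccessToken;

Route::middleware('auth:sanctum')->post('/logout', function (Request $request) {
    $user = $request->user();

    // SPA (cookie) requests are authenticated by the session, so logging out of
    // the "web" guard is what stops $request->user() from resolving on the next
    // call. Auth::logout() alone targets the default guard and can leave the
    // session cookie valid, which is the behaviour described in the question.
    Auth::guard('web')->logout();
    $request->session()->invalidate();       // drop the server-side session data
    $request->session()->regenerateToken();  // rotate the CSRF token as well

    // Bearer-token requests: currentAccessToken() is a PersonalAccessToken row,
    // so revoke just this one. For cookie-authenticated requests Sanctum attaches
    // a TransientToken instead, which has no database row to delete.
    $token = $user->currentAccessToken();
    if ($token instanceof PersonalAccessToken) {
        $token->delete();
    }

    return response()->noContent();
});
```

After this, a repeated GET /user with the old cookie or the old bearer token is rejected by auth:sanctum with 401 (for JSON clients) rather than returning the user.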
How can I get auth user details in api controller in laravel
I am using laravel version 5.8
This is my apiResources route
Route::apiResources([
'employeeapi' => 'API\EmployeeController',
]);
and my controller is
class EmployeeController extends Controller {
public function store(Request $request)
{
}
}
How can I access Auth::user() inside the store function?
You could use the following middleware on your api routes to use laravel sessions if the user was logged in to a session in one of your web routes.
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\Session\Middleware\AuthenticateSession::class,
However, you probably want your API to use some kind of token-based authentication; Laravel Passport has great tools for that, because using sessions in an API might become messy.
I'm trying to understand how an authentication request is handled by Laravel, in order to be able to write my own authentication method that allows me to check data from multiple tables before authenticating (basically there are some columns that I need to check to understand whether a user is able to log in).
I'm actually quite confused about the relation between guards, middleware, providers and drivers.
Can someone please explain me the lifecycle of a login request?
Thank you
EDIT: I'm working with Laravel 5.7, standard Auth scaffolding that is available using make:auth
To make a custom authentication, follow these steps
1. Go to routes/web.php and add a GET route to serve the login view and a POST route to handle the login logic
Route::get('login', 'LoginController@show');
Route::post('login', 'LoginController@login');
2. Make a controller called LoginController
php artisan make:controller LoginController
3. Inside LoginController, add a function called login to handle the login logic, like this
// requires: use Illuminate\Support\Facades\Hash;
public function login()
{
    $input = $this->validate(request(), ['username' => 'required', 'password' => 'required']);

    // Look the user up by username only: bcrypt() produces a fresh salted hash on
    // every call, so comparing hashes inside the query could never match.
    $model = CustomUsersModel::where('username', $input['username'])->first();

    if ($model && Hash::check($input['password'], $model->password)) {
        // user exists and the login information is valid
        auth()->login($model); // log the user in via the model
        // the user is now logged in
        return redirect()->intended('/');
    }

    // handle wrong login information
    return back()->withErrors(['username' => 'Invalid credentials.']);
}
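Where the extra-column check fits in the lifecycle: the auth middleware resolves the guard (driver session for web), the guard asks its user provider for a user matching the credentials, and only then validates the password. Putting the checks in a custom provider keeps Auth::attempt() and the default middleware unchanged. This is an added example, not from the answer above; the columns is_active and approved_at and the driver name eloquent-checked are assumptions.

```php
<?php
// Added example, not from the thread. Laravel 5.7 custom user provider.
// Assumed: is_active / approved_at columns on the users table, and the
// provider driver name 'eloquent-checked'.

namespace App\Auth;

use Illuminate\Auth\EloquentUserProvider;

class CheckedUserProvider extends EloquentUserProvider
{
    // Called by the SessionGuard during Auth::attempt(). Rejecting the account
    // here means a disabled or unapproved user is never handed to the guard,
    // so no password comparison happens and attempt() simply returns false,
    // exactly as it does for an unknown username.
    public function retrieveByCredentials(array $credentials)
    {
        $user = parent::retrieveByCredentials($credentials);

        if ($user === null || !$user->is_active || $user->approved_at === null) {
            return null;
        }

        return $user;
    }
}

// --- In App\Providers\AuthServiceProvider::boot() ---
// Auth::provider('eloquent-checked', function ($app, array $config) {
//     return new \App\Auth\CheckedUserProvider($app['hash'], $config['model']);
// });

// --- In config/auth.php ---
// 'providers' => [
//     'users' => [
//         'driver' => 'eloquent-checked',
//         'model'  => App\User::class,
//     ],
// ],

// The guard and middleware stay the defaults: guard 'web' (driver 'session',
// provider 'users') and middleware 'auth'. The controller then needs nothing
// custom; regenerating the session on success prevents session fixation:
// if (Auth::attempt($request->only('username', 'password'), $request->filled('remember'))) {
//     $request->session()->regenerate();
//     return redirect()->intended('/home');
// }
```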
I am developing a card for Laravel nova.
As part of this, I want an API route that can be posted, but I don't want to have to authenticate against it.
I have registered my route in the card's api.php
Route::post('/endpoint/{id}', function (Request $request, $id) {
    // ...
});
This works if I call it with an already authenticated session.
But if I try to call it from postman I get
HTTP 419 Sorry, your session has expired. Please refresh and try again.
I can see that the card service provider is registering the route as so
Route::middleware(['nova'])
->prefix('nova-vendor/NovaPusherCard')
->group(__DIR__.'/../routes/api.php');
So I guess that Nova is putting some authentication in front of the route.
Is there a way I can register the route without adding authentication?
OK, so I worked it out.
I just needed to update the middleware to api instead of nova.