kernel.php
protected $routeMiddleware = [
'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'adminauth' => \App\Http\Middleware\AdminAuth::class,
];
web.php
Route::group(['middleware' => 'adminauth'], function() {
//route for admin dashboard
Route::get('/admin', [
'uses' => 'AdminController#dashboard',
'as' => 'dashboard'
]);
//route for admin setting
Route::get('/admin/setting', [
'uses' => 'AdminController#setting'
]);
});
AdminAuth.php
public function handle($request, Closure $next)
{
return redirect('/admin/setting');
//return $next($request);
}
AdminController.php
public function setting() {
$admin = $this->admin;
$notification = $this->notification;
return view('admin/setting')->with(compact(
'admin',
'notification'
));
}
I'm facing this problem i.e., The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
I read these posts link1, link2, link3 but nothing solves my problem.
The problem is that your admin/setting route uses the adminauth middleware, however your adminauth middleware will redirect to admin/setting if it does not pass.
Just an informative note:
A redirect response is a response with codes between 300-399 and these responses are sent to the browser telling the browser what to do next. Browsers will by default follow redirects and create a new request to the said location.
In your case the browser creates a request to admin/setting the middleware fails and tells the browser to redirect to admin/setting which will do the exact same thing again. Browsers like Firefox have a built-in mechanism to detect this and instead of flooding your server with requests will just stop this loop and let the user know there's a problem.
To solve this you either need to redirect somewhere else or exclude the /admin/setting from the adminauth middleware.
The solution will depend on your application.
A bit more detail as to why Firefox correctly opts to stop the redirects:
According to section 9.1.2 of the HTTP/1.1 protocol the GET request is idempotent i.e.
the side-effects of N > 0 identical requests is the same as for a single request
This is the assumption that browsers use to claim that since a request to X causes a redirect to the same X then this is an infinite redirect and should be stopped.
Related
Background
I have developed a React app that uses Laravel as an API. I have added logins via Passport and have been using the Personal Access Client approach quite successfully. I can add new users and tokens, I can revoke tokens, I can reset passwords... All API calls (except login and register) are guarded by the API middleware and it works. If I remove the Bearer ${token} from the header on any of these calls it returns 401 unauthenticated due to the ->middleware('auth:api') wrapper.
The Problem
Everything works completely as expected... until I move everything to my Raspberry Pi server. As soon as I moved everything, the problem began. I can login and I can register, but as soon as I use the new bearer token (that I received from my login or register call(s)) on any of the endpoint calls that follow in my flow, it fails with 401 unauthenticated, immediately. I ran the php artisan passport:client --personal command and successfully entered the id and secret into my .env file as usual. I installed all the composer and vendor packages. I installed all passport package(s) and CLI commands.
It only fails on calls that use the auth middleware.
I have done some digging and it seems the only change I can find (significantly) is that the Pi runs a 32 bit PHP where my localhost runs a 64 bit PHP. Other than that its the same code, DB, versions of Laravel and PHP, everything.
I have tried using the command php artisan passport:client --personal --name="app-name" --redirect_uri="http://192.168.1.1/" which puts a record in the "oauth_clients" table but shows the redirect as http://localhost/. I then try to use SQL to change the value of the column named "redirect" to http://localhost/, manually... but again the change does nothing. Calls still return 401 unauthenticated.
The only other things I can find that might be an issue are:
The fact that all tokens in the database table "oauth_access_tokens", under the column called "redirect", are created with the redirect_uri of http://localhost. No matter what I do it's always localhost and not my servers domain or IP address (which is concerning). Manually changing SQL as I said does nothing but I know Laravel uses a few "read-only" columns for auth so I wonder if this is one of them... perhaps personal access tokens only work on localhost?
My email_verified_at column in my "users" table (generated by passport commands) is null because I was not able to setup the "forgot my password" flow of Passport on localhost since emails won't send out on localhost.
What I have setup is this:
public function boot()
{
$this->registerPolicies();
Passport::pruneRevokedTokens();
Passport::tokensExpireIn(Carbon::now()->addDays(1));
Passport::refreshTokensExpireIn(Carbon::now()->addDays(14));
Passport::personalAccessTokensExpireIn(Carbon::now()->addDays(1));
}
AuthServiceProvider Class
public function register(Request $request) {
$validatedData = $request->validate([
'image_url' => 'required',
'last_name' => 'required|max:55',
'image_url' => 'required|max:250',
'first_name' => 'required|max:55',
'password' => 'required|confirmed',
'email' => 'email|required|unique:users',
]);
$validatedData['password'] = bcrypt($request->password);
if ($request->hasFile('image_url')) {
$imageFile = $request->file('image_url');
$imageExtension = $imageFile->extension();
if (strtolower($imageExtension) === 'png' || strtolower($imageExtension) === 'jpg') {
$validatedData['image_url'] = Storage::url( $request->file('image_url')->store('user_pics', 'public') );
}
$user = User::create($validatedData);
date_default_timezone_set('UTC');
$date = new \DateTime( date('Y-m-d H:i:s') );
$user->email_verified_at = $date->format('c');
$accessToken = $user->createToken('authToken-'.$user->id, ['*'])->accessToken;
return response([ 'user' => $user, 'access_token' => $accessToken ]);
} else {
abort(404, 'Cannot register user without a user image!');
}
}
public function login(Request $request) {
$loginData = $request->validate([
'email' => 'email|required',
'password' => 'required'
]);
if (!auth()->attempt($loginData)) {
return response()->json(['statusText' => 'Unauthorized'], 401);
}
$user = auth()->user();
$accessToken = auth()->user()->createToken('authToken-'.$user->id, ['*'])->accessToken;
return response([ 'user' => $user, 'access_token' => $accessToken ]);
}
public function logout(Request $request) {
if (auth()->guard('api')->check()) {
auth()->guard('api')->user()->OauthAcessToken()->delete();
return response()->json([ 'msg' => 'Successfully logged out!' ]);
} else {
return abort(404, 'Must be logged in to log a user out');
}
}
public function refreshToken(Request $request) {
if (auth()->guard('api')->check()) {
$user = auth()->user();
$accessToken = auth()->user()->createToken('authToken-'.$user->id, ['*'])->accessToken;
return response([ 'user' => $user, 'access_token' => $accessToken ]);
} else {
return abort(404, 'Must be logged in to refresh a token!');
}
}
AuthController Class
'defaults' => [
'guard' => 'web',
'passwords' => 'users',
],
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users'
],
],
config/Auth.php
APP_NAME=MyName
APP_ENV=dev
APP_DEBUG=true
APP_URL=http://192.168.1.1
PASSPORT_PERSONAL_ACCESS_CLIENT_ID="1"
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET="[SOME LONG HASH]"
.env File
Finally solved it!!
Turns out it was Apache on the Raspberry Pi server blocking the Authorization header. This finally unblocked me and solved my issues.
For anyone else coming from a Google search, you can go into your /etc/apache2/apache2.conf file and at the very bottom, paste:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
I am using a Raspberry Pi 4 with 32 bit PHP and Apache2.
Also, I didn't mention in my post that I have been using the following for my apache server root htaccess:
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
.htaccess file, server root
I have situation about returning users from DB. In my controller I am trying it like below:
UPDATED:
NOTE: for clear misunderstanding. Actually I am logged in as a user. No problem with that part. But it looks like auth:: doesn't understand that and when I try to retrieve users. it's redirecting me to login's endpoint...
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Auth;
class UsersController extends Controller
{
public function getUser(){
$users = Auth::user();
dd($users);
}
}
And about the api route:
Route::group(['middleware' => 'auth:api'], function() {
Route::post("logout", "Api\AuthController#logout");
/* User */
Route::get('/user', 'Api\UsersController#getUser');
});
Route::group(["prefix" => "v1"], function(){
/* Auth */
Route::post("login", "Api\AuthController#login")->name("login");
Route::post("register", "Api\AuthController#register");
});
Here is the thing. If I use my UserController route outside the middleware:api then endpoint is returns null. And if use it inside the middleware it redirects me to my login's endpoint. Because of the "->name('login')"
In the end I can't return the users. Additionally this is what config/auth looks like.
'defaults' => [
'guard' => 'web',
'passwords' => 'users',
],
By the way before asked. I tried to change guard's web to api but nothing is changed.
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
Is there anyone have better understanding on this situation. How can I return users with using passport? Do I missing something here?
Apparently, the problem is with the request header. Only a logged in user can call /api/user endpoint with an access_token in the request header.
Request header will have this pair
Authorization: Bearer eyJ0eXAiOiJKV1..........
Nothing to do in laravel part, as it's working as expected.
If you are using Laravel Passport. Let's read and make your step same in document: https://laravel.com/docs/5.8/passport
From your API request, need to pass the access_token to backend.
Hoping you can resolve that issue!
I have an Laravel-base API which handles both client and admin endpoints (there are two sites like domain.com and admin.domain.com).
My auth is based on cookie, which domain is <.domain.com>. As you can see, this cookie is acceptable for both domains.
I use Eloquent Api Resources for transformation data layer. Is my when() route check here safe and right?
public function toArray($request)
{
return [
'name' => $this->name,
'created_at' => (string)$this->created_at,
'status' => $this->when($request->route()->getName() === 'api.admin.users.index', $this->status)
];
}
Before I used $this->when(Auth::check(), ...), but because my auth cookie is acceptable for client site too, unneeded data might be fetched.
My route:
Route::group(['prefix' => 'admin', 'as' => 'api.admin.', 'middleware' => 'auth:api'], function () {
Route::resource('users', ...);
});
If user is not authorized, he wouldn't get data because of middleware. At the same time, authorized used (who has non-expired cookie) wouldn't get unneded data while being on client site.
Thank you!
I think your approach is fine. The route name is something internal and the user cannot tinker with it. You could improve it by using \Route::is('api.admin.*') though. It would then work for all of your admin API routes.
I have a question that might sound silly to you so please forgive me.
I am not sure when do I use the routes/api.php file.
If I want to delete a record from a datatable with ajax, do I need to create a separate controller and put the route in api.php or can I use the same controller I use for everything else and put the route in web.php?
I'm not sure if you read the Laravel documentation or how much familiar you are with Laravel, but in Laravel 5.3 you have web routes and api routes in separate files.
You use api routes only for registering your api (ie if you are building a rest api service), and all routes placed there will be prefixed by default with /api. So ie if you define a route /user inside the api file, it will be automatically prefixed with /api, so your end point would be www.yourapplication.com/api/user.
If you are not building a rest api service or anything similar dont use this file at all, use the web file for defining all of your application routes.
Also consider visiting Laracast website, as they have a nice introduction to new changes in Laravel 5.3 including web and api routes. Hope this helps you.
All that routes placed in api.php will be prefixed by /api, which was also mentioned by bernadd, there are other differences:
in this link(https://mattstauffer.co/blog/routing-changes-in-laravel-5-3) you can find the difference between api and web in laravel code:
in App\Providers\RouteServiceProvider:
public function map()
{
$this->mapApiRoutes();
$this->mapWebRoutes();
//
}
protected function mapApiRoutes()
{
Route::group([
'middleware' => ['api', 'auth:api'],
'namespace' => $this->namespace,
'prefix' => 'api',
], function ($router) {
require base_path('routes/api.php');
});
}
protected function mapWebRoutes()
{
Route::group([
'namespace' => $this->namespace, 'middleware' => 'web',
], function ($router) {
require base_path('routes/web.php');
});
}
in App\Http\Kernel.php in "protected $middlewareGroups" you can see this:
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
And:
in config\auth.php : In this file's Comments you can clearly find out the difference between default "auth"('guard' => 'web') vs "auth:api"
I am building a site which loads all pages and content via javascript while also manipulating the browser address bar (giving the illusion of a normal, navigable site with each page at its own URL). As a fallback, and for the benefit of search engines, the pages must also be able to be loaded normally at their respective URLs.
To do this, I need to let Laravel know if the page data is being requested via an ajax call or normal HTTP request. This- I presume- would be a situation where I would use Middleware. I want to be able to process the pages using two different controllers; one for ajax, one for HTTP.
ie:
if (Request::ajax()){
forward request to ajax page controller
}else {
forward request to standard page controller
}
Is this possible to handle with middleware? All examples I can find seem to assume that the controller is already a given.
I use the routes.php file instead of middleware. I believe middleware is after the route has been determined.
if(Request::ajax() || Request::json()){
Route::get('items', [
'as' => 'api.posts.index' ,
'uses' => 'Api\ItemsController#index'
]);
} else {
Route::get('items', [
'as' => 'posts.index' ,
'uses' => 'ItemsController#index'
]);
}
I do it this way because I like to separate out the urls for json versus web.
Route::get('items', [
'as' => 'posts.index' ,
'uses' => 'ItemsController#index'
]);
/**
* JSON API
*
*/
Route::group([
'prefix' => 'api/v1',
'as' => 'api.',
'namespace' => 'Api'
], function () {
Route::get('items', [
'as' => 'posts.index' ,
'uses' => 'ItemsController#index'
]);
}
Either way your controllers would live here.
App/Http/Controllers/Api/ItemsController.php
App/Http/Controllers/ItemsController.php
EDIT
I read the comment form GONG and the RouteServiceProvider would also work for this, but you would still have two distinct urls. You would have to manage another routes file, but whatever works for you.