I'm about to create a single-sign-on interface for my app. The other app sends an AJAX POST request and I authenticate the user and return a response. A session cookie is beeing set, but it is not encrypted.
The relevant Code
$user = User::where('email', $email)->first();
if ($user) {
Auth::login($user);
return response("OK", 200);
}
My 'api' part in Kernel.php
'api' => [
'throttle:60,1',
'bindings',
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\App\Http\Middleware\EncryptCookies::class,
],
My route (no additional Middleware)
Route::post(
'/auth-request', [
'uses' => 'UserController#post_authenticateRequest',
'as' => 'authrequest'
]);
The EncryptCookies class in Kernel.php doesn't seem to have any effect in the AJAX post request - but only for the session part. When I manually add a cookie like
response("OK", 200)->cookie("mysession", Session::getId(), 60);
it is encrypted!
When I completely remove EncryptCookies in Kernel.php for both "api" and "web" the created session from the AJAX request is loaded correctly - but without encryption anymore.
How do I get the AJAX session cookie beeing encrypted? Do I need any other Middleware?
Thanks for your help.
After reading the comment from lagbox, I've tried several places for the EncryptCookies::class definition in my "api" part. I need to place it not only before StartSession but as the first element. And now it works!
My complete $middlewareGroups part in Kernel.php now looks like this:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\App::class,
],
'api' => [
\App\Http\Middleware\EncryptCookies::class,
'throttle:60,1',
'bindings',
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
],
];
Hope this is helpfull.
Related
I'm working on Laravel 5.8 and php 7.1.3. using csrf_token() return value in controller function but not return any value in controllers/api controller. how to used csrf_token in api controller function.
Api controller :- Http/Controllers/Api/TestConroller.php
class TestConroller extends Controller
{
public function __construct()
{
}
public function getToken(Request $request){
echo csrf_token();
}
}
Routes:- routes/api.php
Route::get('getToken', 'Api\TestConroller#getToken');
url:-
http://localhost/laravel/api/getToken
if csrf token() not work in api controller then how to used token for verification in api.
Csrf token only works in web.php not in api.php .Api's are stateless
if you check kernal.php
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Laravel\Jetstream\Http\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\HandleInertiaRequests::class,
],
'api' => [
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
web middleware uses session .So For testing purpose if you comment below middleware
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
then it will return null on web.php
if you want to use in api.php just add these 2 lines in kernel.php
\Illuminate\Session\Middleware\StartSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
in
'api' => [
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
section
I wish to disable request throttling for users that are authenticated through the API.
Kernel:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:240,1'
],
];
Throttle here will limit the requests to 240 per minute regardless of whether or not a user is authenticated.
How would it be possible to do this so it only throttles unauthenticated users?
For the latest version of Laravel 8.x. We can use RateLimiter with the following steps:
In your app/Providers/RouteServiceProvider.php find below configureRateLimiting:
protected function configureRateLimiting()
{
RateLimiter::for('api', function (Request $request) {
return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
});
// Add this for no limit throttle
RateLimiter::for('none', function (Request $request) {
return Limit::none();
});
}
In your app/web.php add 'throttle:none':
Route::group([
'middleware' => ['auth', 'throttle:none'],
], function ($router) {
Route::post('test', 'TestController#test');
});
This step is optional, If you are using other middleware you can group them up in your app/Http/Kernel.php:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'no_throttle' => [
'throttle:none',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
Route::group([
'middleware' => ['auth', 'no_throttle'],
], function ($router) {
Route::post('test', 'TestController#test');
});
You could pack all auth routes to one group and set throttle to unlimited or in your controller class constructor you can disable ThrottleRequests middleware.
Please check this thread:
Disable rate limiter in Laravel?
want edit my Kernel.php file and disabled some Middleware in on place in aplication (I want my header response was shortly, here is my stack subject)
I have some idea but i don't know what is the next step:
class Kernel extends HttpKernel
{
public function __construct(Application $app, Router $router)
{
$url = \Illuminate\Http\Request::capture()->url();
if($url == 'http://autoservie.test/save'){
//HERE i want set protected $middlewareGroup and remove session
middleware from 'web'
}else{
// HERE set another protected $middlewareGroup
}
parent::__construct($app, $router);
}
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
The question is, how set dynamic protected $middlewareGroups array in constructor? Or is there any other solution ?
You can do something like
$index = array_search(\Illuminate\Session\Middleware\StartSession::class, $middlewareGroups['web']);
unset($middlewareGroups['web'][$index]);
I have laravel 5.0 . and set sessions drivers to database . I have some link that no require to insert new row in sessions table . how i can disable inserting new row only for www.site.com/download .
Create a new route/middleware type for sessionless access. Do this by adding a new middleware group in your Http/Kernel that doesn't include the StartSession middleware, then adding a new route file to hold all your download links, and then registering your new route file in your RouteServiceProvider.
Edit the $middlewareGroups array in app/Http/Kernel.php to look like the following:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
'sessionless' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
Then edit your app/Providers/RouteServiceProvider to map your newly-created route file:
Route::group([
'middleware' => 'sessionless',
'namespace' => $this->namespace,
'prefix' => 'download',
], function ($router) {
require base_path('routes/downloads.php');
});
Now add a file in your /routes directory named downloads.php, and add your downloadable routes there. If you want to use a wildcard to parse what file they're looking for, you can, or you can explicitly list what routes will trigger a download:
Route::get('test', function(){
$file = '/path/to/test/file';
return response()->download($file);
});
Route::get('{fileName}', function($fileName){
$file = '/path/to/' . $fileName;
return response()->download($file);
});
This doesn't address using headless authorization, which you would need if you didn't want unauthorized access to all of your sessionless routes.
this solution is good for laravel 5.0
first must define two middleware in app/http/kernel.php .first middleware is lesssession . lesssession is for route that do not need session .and second is hasssession middleware .hassession is good for route that need session :
<?php namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel {
/**
* The application's global HTTP middleware stack.
*
* #var array
*/
/**
* The application's route middleware.
*
* #var array
*/
protected $routeMiddleware = [
'auth' => 'App\Http\Middleware\Authenticate',
'hassession' => [
'Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode',
'Illuminate\Cookie\Middleware\EncryptCookies',
'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
'Illuminate\Session\Middleware\StartSession',
'Illuminate\View\Middleware\ShareErrorsFromSession',
'App\Http\Middleware\VerifyCsrfToken',
],
'lesssession' => [] ,
'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
];
}
step 2:
put route in two group by edit app/http/route.php:
<?php
Route::group(['middleware' => ['lesssession']], function()
{
Route::get('download', function(){
// do some stuff for download file
});
});
Route::group(['middleware' => ['hassession']], function()
{
// all other route that need session
});
?>
This is about Laravel 5.3.6
I am able to login successfully and I can check Auth User after login. I can show the exact location where Auth::guard() has current user object. Below are the details.
Go to Login Controller
Go to AuthenticatesUsers Trait
Go to sendLoginResponse method. User reaches here successfully because user is authenticated successfully.
here I can check $this->guard()->user() has current user value. But when control reaches to Role controller....I tried to access it like this dd(Auth::guard()); and value was null. I also added reference below in Role Controller.
use Illuminate\Support\Facades\Auth;
Below is my route for Role Controller.
Route::group(['middleware' => ['auth']], function () {
Route::get('/Roles',
array (
'uses' => 'Website\Role\RoleController#index',
'as' => 'Roles'
)
);
});
Did you face this kind of issue in Laravel 5.3.6?
Output of \Auth::guard() is below.
SessionGuard {#162 ▼
#name: "web"
#lastAttempted: null
#viaRemember: false
#session: Store {#165 ▶}
#cookie: CookieJar {#167 ▶}
#request: Request {#40 ▶}
#events: Dispatcher {#5 ▶}
#loggedOut: false
#tokenRetrievalAttempted: false
#user: null
#provider: EloquentUserProvider {#158 ▶}
}
Kernel.php file was like below
protected $middleware = [
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
];
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
I changed it to like below.
protected $middleware = [
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
];
protected $middlewareGroups = [
'web' => [
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];