In my system users can't register. Admin adding all users in the admin panel and telling them your password is "xxx". Right now i need to send mail to users. Which contains users email and users password. System is working great. But there is one exception. In the mail, passwords is bcrypted. How can i solve? I don't any clue. I am using observers. In the model:
public static function boot()
{
parent::boot();
self::created(function () {
$customer = Customer::latest()->get()->first();
Mail::send('emails.user_login_informations', ['customer' => $customer], function($message) use($customer) {
$message->to($customer->email, $customer->name, $customer->password)
->subject('Login Information');
});
});
}
ps: this is working. In my mail:
Your email: xxx#example.com
Your Password: $2y$10$/GW5XNH9KGU.Nz05PZHFJuKb2ldhwYhS8oMX9e7HJIuFNJ
But this looks like:
Your email: xxx#example.com
Your Password: 123
You can create a temporary password field and delete it upon user activation. I needed this for a real world example. For instance:
Event::listen('rainlab.user.activate', function($user) {
$user->temp_password = null;
$user->save();
});
User::saving(function ($user) {
$password = post('User.password');
if ($password && ! $user->attributes['is_activated']) {
$user->temp_password = $password;
}
});
As mentioned above though, this includes a big security risk.
You hash user passwords to increase the security. The Hashing functionality is a one way hashing, so it can't be reversed.
A better way would be to create a password reset token und send it to the user. So the user can set a new password with the email address / token combination. To increase this method you could let the token expire after 30 minutes or so.
Related
The objective here is not to know the actual password of an user, but to know if the user has a password set or not in the database. I can distinguish the users who have passwords set, i.e. password != null, versus users who don't have passwords set, i.e. password == null, inside my Laravel controller, but when I try to pass the user list to my Vue app using an axios.get request, all passwords come up as 'undefined' even though there are users with hashed passwords in the database. The following is a sample of my Vue code:
axios.get('/admin/user')
.then(function (response) {
self.users = response.data;
for(var i=0; i<self.users.length; i++) {
console.log(self.users[i].password) // outputs 'undefined' for all user passwords instead of the hashed database passwords
}
})
.catch(function (error) {
// handle error
console.log(error);
});
and /admin/user from above is defined in my routes directory in web.php as:
Route::get('/admin/user', 'UserController#get');
and for the purpose of this example, my UserController#get function is defined as:
public function get()
{
$user = User::get();
return response($user, 200);
}
Any advice on how to distinguish users who have passwords set and not set would be appreciated.
As #matiaslauriti mentioned in the comment, User model deletes password field during serialization. As such you should avoid sending out passwords from your server even if they're hashed. In your particular usecase there is no need to send passwords out. You can simply check if the password is set in the backend and attach this info to the response object.
public function get()
{
$user = User::get();
if (empty($user->password)) {
$user->isPasswordSet = false;
} else {
$user->isPasswordSet = true;
return response($user, 200);
}
CPF is a Brazilian code like US Social Secure Number.
I´ve changed my login page to it and it is working fine. The trick now is the following:
Clients and employers will use the same login page with different roles. So far, so good.
The matter is that employers are on the database and clients I need to search via WS, a task that I am already doing ok.
So I need to check if the login user is an employer and send him to his home, or if he is a client, how do I send him to the SoapController to make the call to the WS? I can´t figure where is the "query" to the 'users' table.
In time: A client for me, is a user with a different role, so I put them all on the same data table.
Any hints, please?
OK, I found the solution:
At the LoginController I wrote a new login function that had subscribed Laravel´s original login.
Let´s see some code:
public function username()
{
return 'cpfCnpj';
}
public function login(Request $request)
{
$credentials = $this->credentials($request);
$login = $credentials[$this->username()];
if (User::where($this->username(), $login)->count() > 0) {
return 'Login exists';
} else {
return 'vai pro SoapController';
}
}
Now I can check on another database and then do whatever I need with the answer.
Hope this can help who needs!
I am developing a sales system where every user has an account. To authenticate users I store passwords with bcrypt and use the Laravel Auth library as follows:
$data = $request->only('user', 'password');
if (\Auth::attempt($data)){
#redirect dashboard
}
In the Point Of Sale screen, user can add special products that require a PIN (The PIN is the password of some users with privileges).
When i call a button click to save the sale, in my Request class i add this validation (i only need to check if there are some special products, and if, check the PIN that have to match in the DB), i use this code:
$allowed_pin = true;
foreach (Request::get('products') as $product) {
if($product["special_perm"] === "1"){
$pin = $product["pin"];
$user = User::where('password', '=', bcrypt($pin))->first();
if ($user) {
$allowed_pin = true;
} else {
$allowed_pin = false;
}
}
}
The problem is when i compare password in Request class, if i use dd() it show me "$2y$10$AasS5/FTWv28PmYuABfqve4Ao6m1U9zxdUE6ZoHJWcfpn19sd4wcG" and real password hashed in database is "$2y$10$DmefHppecIjuanjRbcj82OPyjhi.L0/4YGd62LYCvkDTGjXxL25fG"
and they not matching.
Does Auth class use some internal encryption different to bcrypt?
To compare the plain text password with the encrypted one, use Hash::check('plain-text', $hashedPassword)
Check out the Laravel docs: https://laravel.com/docs/5.4/hashing
I'm trying to build a function where a user can delete their own account while they are logged in. I'm struggling to find any example or logic/best practices.
The controller looks like this:
public function postDestroy() {
$user = User::find(Auth::user()->id);
$user = DB::delete('delete from users')->user(id);
return Redirect::route('site-home')->with('global', 'Your account has been deleted!');
}
I'm trying to grab the current Auth (logged in) user and use their id to delete them from the database. Then send them to the home page with a message.
Also, do I need to make sure the session is properly closed during this process, such as Auth::logout(); ?
I'm pretty new to Laravel, so any help would be appreciated.
Not sure how your routing looks like, but this should do the job.
$user = \User::find(Auth::user()->id);
Auth::logout();
if ($user->delete()) {
return Redirect::route('site-home')->with('global', 'Your account has been deleted!');
}
You should logout user before delete.
You merely gotta do like this:
$user=auth()->user();
$user->delete();
I'm just working on the user management-component of our new project.
The plan is:
User registers on the page with minimal amount of account data (username, pass, email)
User gets an email with an activation link to activate the account
User clicks on the link and activates his account
The system logs in the user after automatically after activation and redirects him to kind of a dashboard with account information (last login, hi "username", etc.)
But there are some problems with the auto login. this is the part of the code i use:
<?php
...
// set userstatus to "active" and delete meta information "activation_key"
// then automatically login
$this->User->id = $id;
$this->User->saveField('modified', date('Y-m-d H:i:s') );
$this->User->saveField('status', 1 );
// $this->User->deleteActivationKey ....
$this->Auth->login($this->User->read());
$this->Session->setFlash(__('Successfully activated account. You are now logged in.'));
$this->User->saveField('last_login', date('Y-m-d H:i:s') );
$this->redirect(array('controller' => 'pages'));
...
This works so far, until you want to get information about the logged in user with the user() function of the Auth Component.
We're using this in AppController->beforeRender, to have user information application wide:
$this->set('auth', $this->Auth->user());
but after that auto login action, i'm getting undefined index notices. (e.g. by accessing $auth['id'] in a view). print_r() shows me only the username and hashed password of the current user.
If you login manually, everything works fine. it must be something with the automatic login after the account activation.
Seems to be a problem with the session? What am i doing wrong?
Found a solution after testing many variations.
Works now with:
$user = $this->User->findById($id);
$user = $user['User'];
$this->Auth->login($user);
Don't know why, i thought i tried this way already and that did not work.
Have you tried this? (CakePHP 2.x)
public function signup() {
if (!empty($this->request->data)) {
// Registration stuff
// Auto login
if ($this->Auth->login()) {
$this->redirect('/');
}
}
}
That simple!