Session store not set on request - laravel

I want to open the default authentication provided by Laravel to my REST API. For this I am creating POST http://localhost:8080/api/login:
// In api.php
Route::post('/login', 'Auth\LoginController@login');
However, sending a POST request to this address gives me a runtime error in /media/Data/workspaces/git/mahlzeit/api/vendor/laravel/framework/src/Illuminate/Http/Request.php:
RuntimeException
Session store not set on request.
The payload I am sending is
{"name": "test", "password": "123456", "email": "test@test.com"}
although I don't think that's important here.
So... the standard login for Laravel is working; I don't see what I'm missing here.
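Added example, not part of the question or of Laravel itself: the `api` middleware group does not run `StartSession`, and `AuthenticatesUsers::login()` ends by calling `$request->session()->regenerate()`, which is exactly what raises `RuntimeException: Session store not set on request.` in `Illuminate\Http\Request`. An API login should not need a session at all. The route below validates the credentials with the `web` guard's `once()` (which never touches the session), issues a random bearer token, stores only its SHA-256 hash, and protects the other routes with Laravel's built-in `auth:api` token guard. It assumes Laravel 5.8 or later, a nullable, unique string column `users.api_token`, and the `api` guard configured with `'hash' => true` as shown in the comment; the `/user` and `/logout` routes are illustrative.

```php
<?php
// routes/api.php (added example). Requires config/auth.php to contain:
//   'guards' => ['api' => ['driver' => 'token', 'provider' => 'users', 'hash' => true]]
// and a nullable, unique `api_token` string column on the users table.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

Route::post('/login', function (Request $request) {
    $credentials = $request->validate([
        'email'    => 'required|email',
        'password' => 'required|string',
    ]);

    // once() checks the credentials and sets the user for this request only;
    // unlike attempt() followed by sendLoginResponse() it never calls
    // $request->session(), so no session middleware is needed.
    if (! Auth::guard('web')->once($credentials)) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }

    $user  = Auth::guard('web')->user();
    $plain = Str::random(60);

    // Store only the hash. With 'hash' => true the token guard hashes the
    // presented bearer token with SHA-256 before comparing it to this column,
    // so a leaked users table does not leak usable tokens.
    $user->forceFill(['api_token' => hash('sha256', $plain)])->save();

    return response()->json(['token' => $plain]);
});

// Clients send "Authorization: Bearer <token>" on every subsequent call.
Route::middleware('auth:api')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    // Revoking is just clearing the stored hash.
    Route::post('/logout', function (Request $request) {
        $request->user()->forceFill(['api_token' => null])->save();
        return response()->json([], 204);
    });
});
```

The plain token is returned exactly once; if you keep the session-based `LoginController` for the web UI, leave it on the `web` group and do not point `api.php` routes at it.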

Related

ACCESS_TOKEN_SCOPE_INSUFFICIENT when trying to access Google Classroom course announcements

My user account can use the Google Classroom web UI to see all the announcements for a given course. Trying to pull them programmatically using the Google Classroom API.
I've set up an app with Oauth consent screen covering (for test purposes) ALL the scopes listed under the Google Classroom API, and can run the consent flow with my user account to get an access token.
I can successfully GET course details by curl'ing https://classroom.googleapis.com/v1/courses/<my course ID> using the access token obtained from the oauth flow. However, when I GET https://classroom.googleapis.com/v1/courses/<my course ID>/announcements with the same token, I get the following:
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "google.classroom.v1.Work.ListAnnouncements",
"service": "classroom.googleapis.com"
}
}
]
}
}
Behaviour is same in using both client libraries as well as raw REST calls.
Am I missing an auth scope (I switched them all on), am I just not allowed to do this since I'm not the course owner, or am I doing something else wrong? Advice please!
You appear to be using the courses.get method.
In order to access this method your application needs to be authorized with one of the following scopes.
You also appear to be using the courses.announcements.list method.
This method requires that your application be authorized with one of the following scopes.
The error message "Request had insufficient authentication scopes." means exactly what it says. The access token you are using was not authorized with one of the scopes needed for the courses.announcements.list endpoint, therefore you cannot use it.
You need to delete the access token you have now and request authorization from the user using the proper scope for this method. Always make sure to delete your old token. When changing scopes in code, your app does not always request authorization again if you just change the scopes in the code. You need to force it to request authorization again.
All the scopes
You should not be requesting all of the scopes from the user, only the scopes that you need. If you only need read-only access, make sure not to request write.
I had forgotten that my code explicitly defines the scopes when configuring the client that then builds the oauth request URL:
config, err = google.ConfigFromJSON(b, classroom.ClassroomCoursesReadonlyScope)
Changed to
config, err = google.ConfigFromJSON(b, classroom.ClassroomCoursesReadonlyScope, classroom.ClassroomAnnouncementsReadonlyScope)
and it works fine.
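Added example, written for this page and not taken from either post above: a pre-flight check that the scopes a token actually carries (the space-separated `scope` field that the tokeninfo endpoint returns) cover the Classroom method about to be called, a consent URL that requests the full scope set and forces a fresh grant, and a parser for the 403 body shown in the question. The scope table is an assumption transcribed from the method reference pages; confirm it for the methods you call. `testid` and the redirect URI are placeholder values.

```php
<?php
// Added example. Assumption: each method accepts any one of the listed scopes,
// so a token is sufficient as soon as one of them is granted.

declare(strict_types=1);

const METHOD_SCOPES = [
    'courses.get' => [
        'https://www.googleapis.com/auth/classroom.courses',
        'https://www.googleapis.com/auth/classroom.courses.readonly',
    ],
    'courses.announcements.list' => [
        'https://www.googleapis.com/auth/classroom.announcements',
        'https://www.googleapis.com/auth/classroom.announcements.readonly',
    ],
];

/** Scopes a token carries, from the space-separated "scope" field of tokeninfo. */
function grantedScopes(string $scopeField): array
{
    return array_values(array_filter(explode(' ', trim($scopeField))));
}

/** Scopes the token would need for $method; empty array means the call is allowed. */
function missingScopes(array $granted, string $method): array
{
    $accepted = METHOD_SCOPES[$method] ?? [];
    return array_intersect($accepted, $granted) ? [] : $accepted;
}

/** Consent URL; prompt=consent forces a new grant instead of reusing the old one. */
function consentUrl(string $clientId, string $redirectUri, array $scopes, string $state): string
{
    $query = http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => implode(' ', array_unique($scopes)),
        'access_type'   => 'offline',
        'prompt'        => 'consent',
        'state'         => $state,   // bind the callback to this browser session
    ], '', '&', PHP_QUERY_RFC3986);
    return 'https://accounts.google.com/o/oauth2/v2/auth?' . $query;
}

/** Method and reason from the google.rpc.ErrorInfo detail, or null for other errors. */
function scopeError(string $body): ?array
{
    $json = json_decode($body, true);
    foreach ($json['error']['details'] ?? [] as $detail) {
        if (($detail['reason'] ?? '') === 'ACCESS_TOKEN_SCOPE_INSUFFICIENT') {
            return ['method' => $detail['metadata']['method'] ?? '', 'reason' => $detail['reason']];
        }
    }
    return null;
}

// Demo on a constructed tokeninfo value: the token in the thread only had courses.readonly.
$granted = grantedScopes('https://www.googleapis.com/auth/classroom.courses.readonly');
foreach (['courses.get', 'courses.announcements.list'] as $method) {
    $missing = missingScopes($granted, $method);
    echo $method, ': ', $missing ? 'needs one of ' . implode(' | ', $missing) : 'ok', "\n";
}

// Least privilege: ask only for the read-only scope of each method you call.
$needed = [
    'https://www.googleapis.com/auth/classroom.courses.readonly',
    'https://www.googleapis.com/auth/classroom.announcements.readonly',
];
echo consentUrl('testid', 'https://localhost:8080/oauth2callback', $needed, bin2hex(random_bytes(16))), "\n";

// Constructed 403 body in the shape Google returned above.
$body = '{"error":{"code":403,"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"ACCESS_TOKEN_SCOPE_INSUFFICIENT","metadata":{"method":"google.classroom.v1.Work.ListAnnouncements"}}]}}';
print_r(scopeError($body));
```

When `missingScopes()` is non-empty, discard the stored token and send the user through `consentUrl()` again; a client library that caches the old credential will keep presenting it otherwise, which is the trap the answer describes.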

Google API access token meaning

Somebody has created a system which use Google API. It happens that I have been using this system for several months to upload files to G Drive and it worked very well.
However, today I realized from the following string that there was an expiry date (not updated until today) which prevented uploading files. My understanding is that a token is generated every time my code requests API access, but this shows the same access_token and refresh_token with an expiry date. I tried to read the official doc without clear understanding. Can you explain simply what I should think about it and hint at how I should regenerate the needed token, please?
{"access_token": "xxx", "client_id": "yyy", "client_secret": "nnn", "refresh_token": "bbb", "token_expiry": "2021-02-24T05:33:24Z", "token_uri": "https://accounts.google.com/o/oauth2/token", "user_agent": null, "revoke_uri": "https://oauth2.googleapis.com/revoke", "id_token": null, "id_token_jwt": null, "token_response": {"access_token": "xxx", "expires_in": 3599, "scope": "https://www.googleapis.com/auth/drive", "token_type": "Bearer"}, "scopes": ["https://www.googleapis.com/auth/drive"], "token_info_uri": "https://oauth2.googleapis.com/tokeninfo", "invalid": true, "_class": "OAuth2Credentials", "_module": "oauth2client.client"}
As much as I understood it, we need multiple parameters to access a Google API, which include authentication etc. As there are multiple steps to validate an API call, if they succeed we are provided with an access_token, which now represents that all the processes (authentication etc.) were successful, and the access_token is proof of that. So after that, only the token will be checked (until its expiry date) and the process will repeat after expiration.
The authorization sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the type of access being requested. Google handles the user authentication, session selection, and user consent. The result is an authorization code, which the application can exchange for an access token and a refresh token.
The application should store the refresh token for future use and use the access token to access a Google API. Once the access token expires, the application uses the refresh token to obtain a new one.
More details Here
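Added example, not from the answers above: the refresh step in code, working on a credential record shaped like the JSON in the question. `tokenIsFresh()` treats a token as unusable a little before `token_expiry` to absorb clock skew, and `refreshAccessToken()` posts the `refresh_token` grant to `token_uri`. The HTTP POST is passed in as a callable so the decision logic can be exercised offline with the constructed fake below; `curlPostForm()` is the real transport. Field names follow the oauth2client format shown in the question; the fake responses are constructed.

```php
<?php
// Added example. The record passed around is the oauth2client-style array from
// the question (access_token, refresh_token, token_expiry, token_uri, client_*).

declare(strict_types=1);

/** Usable if it has a token and expiry is more than $skewSeconds away. */
function tokenIsFresh(array $creds, DateTimeImmutable $now, int $skewSeconds = 60): bool
{
    if (empty($creds['access_token']) || empty($creds['token_expiry'])) {
        return false;
    }
    $expiry = new DateTimeImmutable($creds['token_expiry']);
    return $now->modify("+{$skewSeconds} seconds") < $expiry;
}

/**
 * Trade the refresh token for a new access token and return the updated record.
 * @param callable $post function(string $url, array $form): array (decoded JSON)
 */
function refreshAccessToken(array $creds, callable $post, DateTimeImmutable $now): array
{
    if (empty($creds['refresh_token'])) {
        throw new RuntimeException('No refresh token stored: run the consent flow again.');
    }
    $resp = $post($creds['token_uri'], [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $creds['refresh_token'],
        'client_id'     => $creds['client_id'],
        'client_secret' => $creds['client_secret'],
    ]);
    if (isset($resp['error'])) {
        // "invalid_grant" means the refresh token was revoked or expired; only a
        // new user consent can fix that.
        throw new RuntimeException('Refresh failed: ' . $resp['error']);
    }
    $creds['access_token'] = $resp['access_token'];
    $creds['token_expiry'] = $now->modify('+' . (int) $resp['expires_in'] . ' seconds')
                                 ->format('Y-m-d\TH:i:s\Z');
    $creds['invalid'] = false;
    return $creds;
}

/** Returns a record whose access_token is safe to send, refreshing if needed. */
function accessTokenFor(array $creds, callable $post, ?DateTimeImmutable $now = null): array
{
    $now = $now ?? new DateTimeImmutable('now', new DateTimeZone('UTC'));
    return tokenIsFresh($creds, $now) ? $creds : refreshAccessToken($creds, $post, $now);
}

/** Real transport for production use. */
function curlPostForm(string $url, array $form): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($form),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return json_decode((string) $body, true) ?? ['error' => 'bad_response'];
}

// Constructed record with the same fields and expiry as the one in the question.
$creds = json_decode('{"access_token":"xxx","client_id":"yyy","client_secret":"nnn",
 "refresh_token":"bbb","token_expiry":"2021-02-24T05:33:24Z",
 "token_uri":"https://accounts.google.com/o/oauth2/token","invalid":true}', true);

// Constructed stand-in for Google's token endpoint so the demo runs offline.
$fakePost = fn (string $url, array $form): array =>
    $form['grant_type'] === 'refresh_token'
        ? ['access_token' => 'new-token', 'expires_in' => 3599, 'token_type' => 'Bearer']
        : ['error' => 'unsupported_grant_type'];

$fresh = accessTokenFor($creds, $fakePost, new DateTimeImmutable('2021-03-01T00:00:00Z'));
echo "access_token={$fresh['access_token']} expires={$fresh['token_expiry']}\n";
```

Persist the returned record after every refresh, and treat that file as a secret: it holds the client secret and a long-lived refresh token, which together are enough to act as the user until the grant is revoked.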

What is the best way to use API and hide responses

I have a SPA website built over Laravel and Vue.
I am using axios to get the responses and all working fine.
Most of the data is vendors, categories and products, and nothing in it is sensitive; however, products have some data which I need to use in the frontend, but I don't want my competitors to get hold of that data.
How do I go about that, so that I get the data but it's hidden as well?
So I thought maybe I could encrypt it and then decrypt it, but I'm not sure if that's the right approach.
{
"Products": [
{
"ID": 9950,
"VID": 114,
"Name": "TBH Special Burger ",
"Category": 224,
"Description": "",
"Image": "",
"Price": "250",
"DisplayPrice": 0,
"DealPrice": 0,
"Percentage": "15",
"Cust_Percentage": "0.00",
"DateTime": "2018-10-08 19:03:40"
}
]
}
In the above response, only the percentage-related data is what I am trying to secure.
You are looking for Laravel Passport.
Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
With Passport, only authenticated users can access your data via API.
Read the documentation in the link above and give it a try.
If non authenticated users access your api by typing the url in his browser, this is the response that he will get:
{
"message": "Unauthenticated"
}
Consuming Your API With JavaScript
Laravel provides a middleware that allow you to consume your api from your JS app. From the docs:
Typically, if you want to consume your API from your JavaScript application, you would need to manually send an access token to the application and pass it with each request to your application. However, Passport includes a middleware that can handle this for you. All you need to do is add the CreateFreshApiToken middleware to your web middleware group in your app/Http/Kernel.php file:
'web' => [
// Other middleware...
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
Hope it helps.
You can use API Resources to specify which fields you would like to show in the response.
Take a look at the docs:
https://laravel.com/docs/5.8/eloquent-resources
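Added example, not from either answer: the API Resource approach applied to the response in the question. One caveat first: anything the SPA can decrypt in the browser, a competitor using the same SPA can read in the browser's developer tools, so client-side encryption does not hide the field. The only control that holds is to leave `Percentage` and `Cust_Percentage` out of the response unless the caller is authorized to see them, which is what `when()` does below. It assumes a `Product` model whose attributes match the JSON keys and a Gate ability named `view-margins`; both names are placeholders.

```php
<?php
// app/Http/Resources/ProductResource.php (added example)

namespace App\Http\Resources;

use Illuminate\Http\Resources\Json\JsonResource;

class ProductResource extends JsonResource
{
    public function toArray($request)
    {
        // Null for an anonymous request; the api guard decides who $user is.
        $user = $request->user();
        $canSeeMargins = $user !== null && $user->can('view-margins');   // assumed ability

        return [
            'ID'           => $this->ID,
            'VID'          => $this->VID,
            'Name'         => $this->Name,
            'Category'     => $this->Category,
            'Description'  => $this->Description,
            'Image'        => $this->Image,
            'Price'        => $this->Price,
            'DisplayPrice' => $this->DisplayPrice,
            'DealPrice'    => $this->DealPrice,
            // when() removes the key from the JSON entirely when the condition
            // is false, so unauthorized callers never see that the field exists.
            'Percentage'      => $this->when($canSeeMargins, $this->Percentage),
            'Cust_Percentage' => $this->when($canSeeMargins, $this->Cust_Percentage),
            'DateTime'     => $this->DateTime,
        ];
    }
}

// routes/api.php: the public listing and an authenticated one share the resource;
// the resource, not the route, decides which fields go out.
//
// Route::get('/products', fn () => ProductResource::collection(Product::all()));
// Route::middleware('auth:api')->get('/admin/products',
//     fn () => ProductResource::collection(Product::all()));
```

If the frontend genuinely needs the percentage to compute something for every visitor, compute the result on the server and send only the result; the raw margin still never leaves the API.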

redirect_uri_mismatch the redirect URI in the request does not match the ones authorized for the OAuth client

I have following client secret
{
"web": {
"client_id": "testid",
"project_id": "testproj",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://www.googleapis.com/oauth2/v3/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "test-sec",
"redirect_uris": [
"https://localhost:8080/oauth2callback"
]
}
}
and I am getting
Error: redirect_uri_mismatch
The redirect URI in the request, http://127.0.0.1:8414/authorize/, does not match the ones authorized for the OAuth client.
To update the authorized redirect URIs, visit:
Could you please suggest how to fix it?
I am using C#. I have created credentials with this -
var credential = GoogleWebAuthorizationBroker.AuthorizeAsync(
    GoogleClientSecrets.Load(stream).Secrets,
    scopes,
    "user",
    CancellationToken.None,
    new FileDataStore(Directory.GetCurrentDirectory() + "\\AccessToken\\", true)).Result;
But the first time, it popped up with a login, and once I logged in it created a Google.Apis.Auth.OAuth2.Responses.TokenResponse-user file in the folder. Is there a way to bypass the first-time login?
Thanks.
When you are creating your credentials in https://console.developers.google.com:
After clicking on Create credentials and choosing OAuth client ID:
Choose Other as Application type:
You should have this format of credentials:
{
"installed": {
"client_id": "...",
"project_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "...",
"redirect_uris": [
"urn:ietf:wg:oauth:2.0:oob",
"http://localhost"
]
}
}
Now your OAuth2 link should work whatever the port in the redirect_uri parameter, e.g. http://localhost:8414 (with 8414 as a random port), and you no longer get this error:
Error: redirect_uri_mismatch The redirect URI in the request, http://localhost:8414/authorize/, does not match the ones authorized for the OAuth client.
I just ignored the port in the error message when adding as an Authorized redirect URL.
http://127.0.0.1/authorize/
The redirect URI is the URL where you want Google to return the authentication to. This should be the file that you have set up to handle the OAuth response.
When you created your project in Google Developer console you should have supplied a redirect uri to google that states where you will be sending from and where you would like the response to be returned to.
"Error: redirect_uri_mismatch The redirect URI in the request, http://127.0.0.1:8414/authorize/, does not match the ones authorized for the OAuth client.
means that you are sending from http://127.0.0.1:8414/authorize/; however, this is not one of the redirect URIs that you have added in the Google developer console. Go back to the developer console and add http://127.0.0.1:8414/authorize/ or http://localhost:8414/authorize/. You may or may not need the trailing / as well.
Bypass Login
What you need to understand is that most of Google's API data is private user data. In order to access private user data you must have the consent of the user who owns it. We use OAuth2 to request consent from the user for our application to access their data. There is no way to bypass OAuth2 consent.
Unfortunately there is no other way to access the YouTube api. If you want to access private user data you will always have to ask the user for consent at least once and then save the credentials as you are doing now using file data store.
If you're using container apps or web apps hosted on Linux, refer to this answer. It could be caused by authentication redirecting to a provider handle that's not served over HTTPS. Check the redirect_uri in the error, and if the link is over http, follow the same.
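Added example, not from any answer in this thread: the comparison an authorization server makes before accepting a `redirect_uri`, applied to the values in the question. Matching is component by component (scheme, host, port, path), which is why `https://localhost:8080/oauth2callback` and `http://127.0.0.1:8414/authorize/` differ in all four and why `localhost` and `127.0.0.1` are not interchangeable. The loopback rule for "installed" clients (an `http://127.0.0.1` or `http://localhost` redirect accepted on any port) models what the first answer reports; it is an assumption about Google's behaviour, not a quote from its documentation. All URIs below are the ones from the thread.

```php
<?php
// Added example: exact redirect_uri matching, plus the loopback relaxation for
// installed apps that the first answer relies on (assumed behaviour).

declare(strict_types=1);

function redirectUriAllowed(string $requested, array $registered, bool $installedApp): bool
{
    $req = parse_url($requested);
    if ($req === false || empty($req['scheme']) || empty($req['host'])) {
        return false;
    }
    $scheme = strtolower($req['scheme']);
    $host   = strtolower($req['host']);

    // Native apps listen on a port chosen at run time, so for a loopback
    // redirect only scheme and host are compared (assumption, see lead-in).
    $loopback = $scheme === 'http' && in_array($host, ['127.0.0.1', '[::1]', 'localhost'], true);

    foreach ($registered as $candidate) {
        $reg = parse_url($candidate);
        if ($reg === false || empty($reg['scheme']) || empty($reg['host'])) {
            continue;
        }
        if ($scheme !== strtolower($reg['scheme']) || $host !== strtolower($reg['host'])) {
            continue;   // "localhost" and "127.0.0.1" are different hosts here
        }
        if ($installedApp && $loopback) {
            return true;
        }
        // Web clients: port and path must match exactly, trailing slash included.
        if (($req['port'] ?? null) === ($reg['port'] ?? null)
            && ($req['path'] ?? '/') === ($reg['path'] ?? '/')) {
            return true;
        }
    }
    return false;
}

/** Names the components that differ, for a message more useful than the console's. */
function mismatchReasons(string $requested, string $registered): array
{
    $a = parse_url($requested) ?: [];
    $b = parse_url($registered) ?: [];
    $differs = [];
    foreach (['scheme', 'host', 'port', 'path'] as $part) {
        if (($a[$part] ?? null) !== ($b[$part] ?? null)) {
            $differs[] = $part;
        }
    }
    return $differs;
}

// The question: a "web" client registered with one URI, desktop code redirecting
// to a random loopback port.
$registeredWeb = ['https://localhost:8080/oauth2callback'];
$requested     = 'http://127.0.0.1:8414/authorize/';
echo 'web client: ', redirectUriAllowed($requested, $registeredWeb, false) ? 'allowed' : 'rejected',
     ' (differs in ', implode(', ', mismatchReasons($requested, $registeredWeb[0])), ")\n";

// Fix from the first answer: recreate the client as an installed app.
echo 'installed client: ',
     redirectUriAllowed($requested, ['http://localhost', 'http://127.0.0.1'], true) ? 'allowed' : 'rejected', "\n";

// Fix from the third answer: register the exact URI, port and trailing slash included.
echo 'exact registration: ',
     redirectUriAllowed($requested, ['http://127.0.0.1:8414/authorize/'], false) ? 'allowed' : 'rejected', "\n";
```

Register one exact URI per environment rather than loosening the match; an attacker who can get a redirect accepted for a host or path they control receives the authorization code. Note also that Google has since deprecated the `urn:ietf:wg:oauth:2.0:oob` redirect that appears in the first answer's credentials file; the loopback redirect is the supported replacement for desktop clients.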

Laravel 4 + Sentry 2 as Web service

My question is how do I use laravel 4 with sentry 2 to authenticate users that is calling my API? What are the proper ways in doing this?
Example: a user in native iOS app calls my Laravel Web service (returns JSON response), how can laravel+sentry authenticate the user?
Thanks in advance and comment if you need more info.
As mentioned by Antonio, if the client is able to persist cookies you should be set to go.
But I will tell you about my research on this topic. I looked for an API token implementation with Laravel. One I could find was by Terry Appleby, and his implementation is a composer package named tappleby/laravel-auth-token. I implemented a much simpler version of the package using Sentry 2 at http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry.
I called it a dirty one because I didn't consider much about security, expiration of tokens etc., but to answer your question, the above version does work, and it is not secure unless you are in an https environment.
To help you more I suggest github.com/kippt/api-documentation. It is the API Documentation for an app called kippt.com. I picked this one because it is really simple and could be a starting point if you are new to developing APIs. See how they support different kinds of authentication. To summarize on what Kippt supports: Browser Session (I am guessing iOS does support cookies), HTTP Basic Auth (Pass username and password every time in the header) and Token (Pass a token in header of every request). On Token implementation of Kippt, it just returns a token to the client after a successful authentication and one can save and use that token. That token never changes. In my blog post, I create a new token every time user logs in.
Hope I could help.
If the client is able to persist cookies, you just login with Sentry and it should work. Otherwise, after a common Sentry authentication, create and store an authentication token in your users table:
$table->string('api_token',96)->nullable();
Then use it in all other calls:
{
"token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099",
"user": {
"id": "3",
"email": "joe@doe.com",
"permissions": [],
"activated": true,
"activated_at": null,
"last_login": "2014-03-08 11:17:48",
"first_name": null,
"last_name": null,
"created_at": "2014-03-08 10:29:08",
"updated_at": "2014-03-08 11:17:48",
"api_token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099"
}
}
An article about this: http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry
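Added example, not from either answer: the pieces the first answer admits its "dirty" scheme leaves out. Tokens are 32 random bytes (64 hex characters, the same shape as the token in the JSON above), only a SHA-256 hash of each is stored, lookups compare with `hash_equals()` so a mismatch takes the same time wherever the strings differ, and every token carries an expiry. The in-memory `$table` array is constructed for the demo and stands in for the `api_token` column (or a separate tokens table); in an app you would call `issueToken()` from the Sentry login route and `authenticate()` from a route filter (Laravel 4) or middleware. The 24-hour TTL is an assumption.

```php
<?php
// Added example: framework-agnostic token issue/verify with hashing, expiry and
// constant-time comparison. $table is a constructed in-memory stand-in.

declare(strict_types=1);

const TOKEN_TTL_SECONDS = 86400;   // assumed lifetime

/** Returns [plain token to hand to the client, row to store]. */
function issueToken(int $userId, int $now): array
{
    $plain = bin2hex(random_bytes(32));          // 256 bits of entropy, 64 hex chars
    return [$plain, [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $plain),  // never store the plain token
        'expires_at' => $now + TOKEN_TTL_SECONDS,
    ]];
}

/** User id for a presented token, or null if malformed, unknown or expired. */
function authenticate(string $presented, array $table, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return null;                              // reject junk before hashing
    }
    $hash = hash('sha256', $presented);
    foreach ($table as $row) {
        // Compare hashes in constant time; a plain === leaks where they diverge.
        if (hash_equals($row['token_hash'], $hash)) {
            return $row['expires_at'] > $now ? $row['user_id'] : null;
        }
    }
    return null;
}

/** Token from "Authorization: Bearer <token>" or the "token" JSON field used above. */
function tokenFromRequest(array $headers, ?string $body): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0 && stripos($value, 'Bearer ') === 0) {
            return substr($value, 7);
        }
    }
    $json = $body !== null ? json_decode($body, true) : null;
    return is_array($json) && isset($json['token']) ? (string) $json['token'] : null;
}

// Demo (constructed): log in user 3, then present the token in three situations.
$now = time();
[$plain, $row] = issueToken(3, $now);
$table = [$row];                                  // only the hash is persisted
echo "issued: $plain\n";

$token = tokenFromRequest(['Authorization' => "Bearer $plain"], null);
var_dump(authenticate($token, $table, $now + 60));                    // within TTL
var_dump(authenticate($token, $table, $now + TOKEN_TTL_SECONDS + 1)); // after expiry
var_dump(authenticate(str_repeat('0', 64), $table, $now));            // never issued
```

With a real database you would select the row by `token_hash` directly, which is safe because the hash is what is indexed, not the secret; the scan above only exists so the demo runs without a database. Send the token in the `Authorization` header rather than the JSON body so it stays out of request logs and caches, and, as the first answer says, only over HTTPS.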
