Override login Authentication in laravel - laravel

my laravel version is 5.3. I'm using built-in Authentication in laravel to login users.
there is a column name in user table as status. when it is 0 it means the user cannot login.
now I don't know how to check this column before login method/user.
I don't want user can login when the status column is 0.

You can override authenticated() function:
protected function authenticated()
{
if (auth()->user()->status==0) {
auth()->logout();
return redirect('/');
}
}
You can also Manually authenticate users by overriding authenticate() function:
public function authenticate()
{
if (Auth::attempt(['email' => $email, 'password' => $password, 'status' => 1]))
{
// Authentication passed...
}
}

Related

disable login from inactive user using Laravel Breeze

I want to disable inactive user from login, and logout the user if already logged in,
using breeze pack:
breeze pack
i"m having a boolean column: "active"
in users table.
i understand that i should edit
app\Http\Requests\Auth\LoginRequest.php
i understand that i should edit the current code:
public function authenticate(): void
{
$this->ensureIsNotRateLimited();
if (! Auth::attempt($this->only('email', 'password'), $this->boolean('remember'))) {
RateLimiter::hit($this->throttleKey());
throw ValidationException::withMessages([
'email' => trans('auth.failed'),
]);
}
RateLimiter::clear($this->throttleKey());
}
1.What and how should i edit that (or other) code ?
2.Is it possible to show a message "only active users allowed to login" to inactive user, without make it complecated ?
For this I would turn to registering global middleware that can be checked on each route. You can generate middleware via the php artisan make:middleware YourMiddlewareName command.
Within the generated middleware file:
public function handle(Request $request, Closure $next)
{
if (Auth::check()) {
$user = Auth::user();
if ($user->active === 0) {
//Log them out
//Redirect them somewhere with a message
}
}
return $next($request);
}
In this code we can see that we first check that there is a user logged in, then checking if that logged in user is active. From there you can do whatever steps you need to take.
The problem with performing this action within the login request is that the user would not be affected until they log in again. Registering global middleware will make this fire on every request they make.
To disable inactive users from logging in, you need to add a condition in the code to check the active status of the user, and to show a message to inactive users, you can add another condition and throw a custom exception with a message.
public function authenticate(): void
{
$this->ensureIsNotRateLimited();
$credentials = $this->only('email', 'password');
$user = User::where('email', $credentials['email'])->first();
if (!$user) {
RateLimiter::hit($this->throttleKey());
throw ValidationException::withMessages([
'email' => trans('auth.failed'),
]);
}
if (!$user->active) {
throw ValidationException::withMessages([
'email' => 'Only active users are allowed to login',
]);
}
if (! Auth::attempt($credentials, $this->boolean('remember'))) {
RateLimiter::hit($this->throttleKey());
throw ValidationException::withMessages([
'email' => trans('auth.failed'),
]);
}
RateLimiter::clear($this->throttleKey());
}

How do I check User Role before Logging in A user with Spatie's Laravel-Permission?

I'm using Spatie's "Laravel Permission" Package for the ACL. Everything is working perfectly. I now want to allow only the User roles 2 and 3 to Login.
Previously, before using "Laravel Permission" package I had only this "role" column on my table and I could easily Log In a user with this line of code on Login Controller's credentials method.
protected function credentials(Request $request)
{
$credentials = $request->only($this->username(), 'password');
//$credentials['role'] = '1';
return $credentials;
}
$credentials = $request->only($this->username(), 'password');
$credentials['role'] = '1';
How do I allow Login only for the 2 and 3 User Roles?
You can override authenticated() in LoginController and check user role. Pretty simple.
protected function authenticated(Request $request, $user)
{
//Check user role, if it is not admin then logout
if(!$user->hasRole(['Admin', 'Super-Admin']))
{
$this->guard()->logout();
$request->session()->invalidate();
return redirect('/login')->withErrors('You are unauthorized to login');
}
}
You could go with the workaround as follow:
If you're using the default LoginController from the App\Http\Controllers\Auth folder, then override its attemptLogin() method that comes from the Trait used.
protected function attemptLogin(Request $request)
{
if( $this->guard()->attempt(
$this->credentials($request), $request->filled('remember')
) ) { // Credential auth was successful
// Get user model
$user = Auth::user();
return $user->hasRole([2, 3]); // Check if user has role ids 2 or 3
}
return false;
}
hasRoles() method comes from the HasRoles trait used for the User model.
Or you could override the Laravel credentials during login. In your default LoginController from the App\Http\Controllers\Auth folder, then override its credentials(Request $request) method that comes from the Trait used.
Override it to look something similar to this
protected function credentials(Request $request)
{
return [ 'email' => $request-> { this-> username() }, 'password' -> $request -> password, 'role_id' => [ '1', '2' ] ];
This is presuming you have a role_id in your user model. Worked for me.return

Laravel authentication using mobile number

I'm currently using Laravel 5.5, as you know Laravel by default offers authentication by email, but in my case I want to change its behaviour and allow the user to login using the mobile number. so Where would I have to do the modifications?
From the docs:
By default, Laravel uses the email field for authentication. If you would like to customize this, you may define a username method on your LoginController:
public function username()
{
return 'mobile_number';
}
https://laravel.com/docs/5.5/authentication#included-authenticating
LoginController
public function username()
{
return 'mobile';
}
also can validate
protected function validateLogin(Request $request)
{
$this->validate($request, [
$this->username() => 'required|string',
'password' => 'required|string',
]);
}

How to logout a user from API using laravel Passport

I'm currently using 2 projects. 1 front end (with laravel backend to communicate with API) and another laravel project (the API).
Now I use Laravel Passport to authenticate users and to make sure every API call is an authorized call.
Now when I want to log out my user, I send a post request to my API (with Bearer token) and try to log him out of the API (and clear session, cookies,...)
Then on the client I also refresh my session so the token is no longer known. Now when I go back to the login page, it automatically logs in my user. (Or my user is just still logged in).
Can someone explain me how to properly log out a user with Laravel passport?
Make sure that in User model, you have this imported
use Laravel\Passport\HasApiTokens;
and you're using the trait HasApiTokens in the User model class using
use HasApiTokens
inside the user class.
Now you create the log out route and in the controller,
do this
$user = Auth::user()->token();
$user->revoke();
return 'logged out'; // modify as per your need
This will log the user out from the current device where he requested to log out. If you want to log out from all the devices where he's logged in. Then do this instead
$tokens = $user->tokens->pluck('id');
Token::whereIn('id', $tokens)
->update(['revoked'=> true]);
RefreshToken::whereIn('access_token_id', $tokens)->update(['revoked' => true]);
Make sure to import these two at the top
use Laravel\Passport\RefreshToken;
use Laravel\Passport\Token;
This will revoke all the access and refresh tokens issued to that user. This will log the user out from everywhere. This really comes into help when the user changes his password using reset password or forget password option and you have to log the user out from everywhere.
You need to delete the token from the database table oauth_access_tokens
you can do that by creating a new model like OauthAccessToken
Run the command php artisan make:model OauthAccessToken to create the model.
Then create a relation between the User model and the new created OauthAccessToken Model , in User.php add :
public function AauthAcessToken(){
return $this->hasMany('\App\OauthAccessToken');
}
in UserController.php , create a new function for logout:
public function logoutApi()
{
if (Auth::check()) {
Auth::user()->AauthAcessToken()->delete();
}
}
In api.php router , create new route :
Route::post('logout','UserController#logoutApi');
Now you can logout by calling posting to URL /api/logout
This is sample code i'm used for log out
public function logout(Request $request)
{
$request->user()->token()->revoke();
return response()->json([
'message' => 'Successfully logged out'
]);
}
Create a route for logout:
$router->group(['middleware' => 'auth:api'], function () use ($router) {
Route::get('me/logout', 'UserController#logout');
});
Create a logout function in userController ( or as mentioned in your route)
public function logout() {
$accessToken = Auth::user()->token();
DB::table('oauth_refresh_tokens')
->where('access_token_id', $accessToken->id)
->update([
'revoked' => true
]);
$accessToken->revoke();
return response()->json(null, 204);
}
I am using Laravel 6.12.0, below function is working for me.
public function logout(Request $request){
$accessToken = Auth::user()->token();
$token= $request->user()->tokens->find($accessToken);
$token->revoke();
$response=array();
$response['status']=1;
$response['statuscode']=200;
$response['msg']="Successfully logout";
return response()->json($response)->header('Content-Type', 'application/json');
}
This is my first post.. and i find a clean solution (Laravel last Version)
/**
* Logout api
*
* #return \Illuminate\Http\Response
*/
public function logout(Request $request)
{
if (Auth::check()) {
$token = Auth::user()->token();
$token->revoke();
return $this->sendResponse(null, 'User is logout');
}
else{
return $this->sendError('Unauthorised.', ['error'=>'Unauthorised'] , Response::HTTP_UNAUTHORIZED);
}
}
Below is the simplest way I found to do it.
1. USE database SESSION INSTEAD OF file SESSION
Official documention
php artisan session:table
php artisan migrate
Replace SESSION_DRIVER=file by SESSION_DRIVER=database in your .env file.
2. DELETE USER SESSION RIGHT AFTER LOGIN
After a user is redirected to your frontend and logs in to finally get a token, you probably call a route in api/routes.php to get the user information, that's where I'm closing the user backend session before sending back user information to the frontend:
Route::middleware('auth:api')->get('/user', function (Request $request) {
// Close user session here
Illuminate\Support\Facades\DB::table('sessions')
->whereUserId($request->user()->id)
->delete();
return $request->user();
});
3. REVOKE TOKENS AT LOGOUT
Then, to "log out" (actually, revoke tokens) the user from the frontend, you just need to call another route to revoke the token and refresh_token:
Route::middleware('auth:api')->post('/logout', function (Request $request) {
// Revoke access token
// => Set oauth_access_tokens.revoked to TRUE (t)
$request->user()->token()->revoke();
// Revoke all of the token's refresh tokens
// => Set oauth_refresh_tokens.revoked to TRUE (t)
$refreshTokenRepository = app('Laravel\Passport\RefreshTokenRepository');
$refreshTokenRepository->revokeRefreshTokensByAccessTokenId($request->user()->token()->id);
return;
});
You may prefer to put these two closures in the UserController.
Hope help someone:
if (Auth::check()) {
$request->user()->tokens->each(function ($token, $key) {
$token->delete();
});
}
Good Luck.
I use this in my project to logout from multiple device.
public function logout(Request $request, $devices = FALSE)
{
$this->logoutMultiple(\Auth::user(), $devices);
return response()->json([], 204);
}
private function logoutMultiple(\App\Models\User $user, $devices = FALSE)
{
$accessTokens = $user->tokens();
if ($devices == 'all') {
} else if ($devices == 'other') {
$accessTokens->where('id', '!=', $user->token()->id);
} else {
$accessTokens->where('id', '=', $user->token()->id);
}
$accessTokens = $accessTokens->get();
foreach ($accessTokens as $accessToken) {
$refreshToken = \DB::table('oauth_refresh_tokens')
->where('access_token_id', $accessToken->id)
->update(['revoked' => TRUE]);
$accessToken->revoke();
}
}
Try this code to help you to logout from passport authentication.
Route::post('/logout', function(){
if (Auth::check()) {
Auth::user()->AauthAcessToken()->delete();
}
return response()->json([
'status' => 1,
'message' => 'User Logout',
], 200);
});
check whether your model contains OauthAccessToken which needs to connect with the database oauth_access_tokens. The access token is stored in the database table oauth_access_tokens. and makes a relation from users to oauth_access_tokens.
public function AauthAcessToken(){
return $this->hasMany(OauthAccessToken::class);
}
You can use following code to remove to token for logged in user.
$request->user()->token()->revoke();
If you want to learn about this in-depth then watch this tutorial:
https://www.youtube.com/watch?v=UKSQdg1uPbQ
public function logout(Request $request)
{
$request->user()->token()->revoke();
if ($request->everywhere) {
foreach ($request->user()->tokens()->whereRevoked(0)->get() as $token) {
$token->revoke();
}
}
return response()->json(['message' => 'success']);
}

Laravel 5.2 - Auth::login not preserve when using new \App\User

I've used these code to authenticate username from external source without using database, but laravel 5.2 not save the authentication, and request the external source every time.
class Authenticate
{
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->guest()) {
if ($request->ajax()) {
return response('Unauthorized.', 401);
} else {
$username = getFromExternalSource();
if($username==null){ redirect()->guest('auth/login'); }
$user = new \App\User(['username'=>'admin']);
Auth::login($user);
}
}
return $next($request);
}
}
But when I change Auth::login using $user model get from database it work, I don't know why:
$userDB = \App\User::where('username','=','admin')->first();
Auth::login($userDB);
My route (for example I want to access http://myApp/api)
Route::group(['middleware' => ['web']], function () {
Route::group(['middleware' => 'auth'], function () {
Route::get('api/', 'ApiController#index');
});
Route::group(['middleware' => ['csrf']], function () {
Route::controllers([
'auth' => 'Auth\AuthController',
'password' => 'Auth\PasswordController'
]);
});
});
As far as I know for default authenticate method, you need to pass model that exists in database. In your example you created just object and assigned to it username property.
If you need to authenticate selected user, you should use:
Auth::loginUsingId($id);
(where in place of $id you should pass id of user you want to authenticate - in your case id of user with username admin)

Resources