When I perform a login via FosUserBundle on my Symfony3 project I want to return an Ajax response instead of the html of the3 lgoin form.
As fas I searched I found that there is a fos_user_security_check that uses the FOSUserBundle:Security:check that checks if the user is loged in or not but I could not find either the source code of controller that performs the login or any sort of custom trigger in order to do that.
I also looked into: http://symfony.com/doc/current/bundles/FOSUserBundle/index.html but I cannot find a clue.
The problem that you are facing is that Symfony's build-in authentication handler performs a redirect after a successful login or redirects back to the login form on failure. To handle AJAX logins you have to write your own authentication handler. This article explains it:
http://www.webtipblog.com/adding-an-ajax-login-form-to-a-symfony-project/
Related
Currently, I’m developing a web app with server-side rendering using the Gin framework and I’m having a problem with login intercepting. When an HTTP GET request hits an endpoint, middleware is used to check the browser cookie and redirect the traffic to the login page. This works fine and after successful login, the user is always redirected to the dashboard page. My question is how I should redirect the user back to the originally requested URI instead of the dashboard page?
Also, a bit more complex scenario is on HTTP POST. It looks like the HTTP POST method doesn’t work quite well with a redirect. Also, how would I resume the request with the same post request after the user successfully login?
Thanks for the help!
For the HTTP GET scenario, this one is easy, you need to remember the original URL somewhere. The are a few ways you could go about this:
Store the URL in session information(if any is available, you do need sessions for non-authenticated users)
Store it in a query string, for example, redirect to example.com/login?original=https%3A%2F%2Fexample.com%2Fanother-page. Your login page can look for the query parameter and include it in the login form or make sure that the action of the login form matches the given URI. On a successful login attempt you can get the original URL form the query param and set it as the Location.
Store the original URL in a cookie, upon successful login you can just check the cookie value and use that.
As for the HTTP POST scenario. If you just want to redirect the same POST request to a different URL you can use a 307 Temporary redirect. A 307 will preserve the request body and method and not turn it into a GET request like a 303 See Other or 302 Found.
Resuming the original POST after showing the login screen and after a successful login is a little more complex. When you redirect to the login page you interrupt the flow of the user, maybe it is better to let the user re-post their request after logging in, instead of doing it for them.
Having said that, it is technically possible. We require two steps, first is storing all the data to recreate the request. Then after login completion we can render a form with this saved data and use javascript to submit the form. By adding:
<script>document.getElementById("myForm").submit();</script>
After your form, the browser will submit the form after loading the javascript, thus recreating the original POST.
The storage part can be done via the server side session or a cookie.
I am new to Laravel. I am using Laravel's auth controllers for login/register on my website. After login/register, it will redirect to a dashboard. This is fine.
The problem is when the user (not logged in) submits a particular form. The form submission will take the user to a protected page. The auth system will intercept this (if not logged in) and ask for the user to login and the user can sign in. But after the sign in it won't get redirected to the actual destination. Instead, it goes back to the previous page. I tried the redirectto->intended() way in the middleware. It still does not work.
Found the solution. Use HTTP session. I am not sure if this is the best method.
POST the form to a route which doesn't need authentication
Validate and store the form data in the session using the controller
Redirect to the protected route where the auth will intercept and ask the user to login
After successful login, redirect to the original destination page using return redirect()->intended('defaultPage');
Access the form data from session inside the blade view
I am not storing any sensitive data in session. I have no idea how secure this method is.
If you have any suggestions please post.
I am trying to add ‘keep me logged in’ functionality to my auth0 v9.3.0 authentication flow in my SPA. I have an embedded page at app.domain.io/login where the user enters their credentials. When they hit the sign-in button, the app calls the login() method from auth.js, passing in the username and password. If they checked the box, a permission cookie is set to true.
When the user launches the page later, after the token expires, a router guard calls auth0.js’s checkSession() method to get a new token. At this point, checkSession returns a login_required error even after the user logged in with auth0.js’s login() method. If I instead call the authorize() method and have the user log in on the hosted page, checkSession succeeds and does not return a login_required error.
Why does calling the login() method from the embedded page not fulfill the login_required requirement that authorize() fulfills? I want to get this working without ever redirecting the user to the hosted auth0 page.
Update: 03/28/18
I am currently using auth0 v9.3.0.
Instead of calling the login() method, I am now using axios to make a request to the co/authenticate endpoint. This succeeds and returns a login_ticket, co_id, and co_verifier.
When I call authorize() from auth0.js and pass in the login_ticket as mentioned in the documentation (https://raw.githubusercontent.com/jaredhanson/draft-openid-connect-cross-origin-authentication/master/Draft-1.0.txt), I get a ‘No verifier returned from client’ error. I have the co_verifier, but I’m not sure what to do with it.
Here is a fully working sample to follow (SPA using plain JavaScript). The sample illustrates both embedded login and universal login (auth0 hosted login page) approaches.
If you have a codebase on Github and don't mind sharing, then I can take a look for you. Please also update your question to indicate version of auth0.js you are using (or put in comment section below). Do you know (you can check using web browser developer tools) whether you are using co/authenticate endpoint when authenticating using auth0.js embedded login? If so, then you would have a Single Sign On session. However, if you are using oauth/token endpoint then this would not create a single sign on session. the checkSession() function calls authorize?prompt=none under the covers, which detects whether a SSO session is present as part of the authentication process.
Finally, and just for the record, the strong recommendation is to use Auth0 Hosted Login Page (Universal Login). It is a superior approach from security standpoint, and offers other benefits like easy opt-in to services like MFA out of the box. Finally, you could also enable Custom Domains so that your website and the Auth0 Hosted Login Page share the same URL base origin (domain) - end users of your site would not recognise they have been redirected to Auth0 for the authentication. So it is pretty seamless from a UX perspective too.
This issue was solved by calling auth.crossOriginAuthentication.login() instead of auth.client.login(). auth.crossOriginAuthentication.login() goes through co/authenticate, auth.client.login() goes through oauth/token.
I'm having trouble authenticating users via Vue 2.0.
In Vue I have a form in which the user enters all his data and submits it via POST to a Laravel (web route) endpoint.
Then the user is created in the UserController method with the supplied data and I'm stuck at this point as I don't manage to authenticate my user after creation and redirecting him to some route (other page).
User creation goes fine...
Can someone explain me rapidly how it should work? (as I understood that I can't redirect from the controller as the data is POSTed via an ajax call).
What's the "right" way to do this as I'm afraid I'm completely mistaken :)
Thanks in advance for your help.
You would have to perform the redirection at the front end script after receiving the response from the controller method.
This is my thought as a possible solution for you:-
The authentication can be done in the controller following the creation. The controller method then need to return a JSON response indicating success.
Note: Laravel 5.3 ships with pre-built authentication controllers. RegisterController handles user registration.
The Vue script need to process the response i.e. if success, redirect to somewhere or if failed, prompt a message.
Cheers!
Iam using custom Authorize filter to on my action method to check if user has an access to it.
If user does not have an access then user is redirected to Unauthorize page.
The problem iam facing here is iam using Jquery Ajax request to call that action method. Everything works well if the user has an access. But if the user does not have an access the code is not able to bind the View("Unauthorize") and it display the existing view on the browsers screen;
Any suggestions would be helpful.
Thanks.
The thing is that ajax requests can not send a redirect response. You can instead either return a status code that tells the calling javascript to redirect or simply change the Response.ContentType to application/javascript and use window.location = "newUri" as the response body.