How to logout a user from API using laravel Passport - laravel

I'm currently using 2 projects. 1 front end (with laravel backend to communicate with API) and another laravel project (the API).
Now I use Laravel Passport to authenticate users and to make sure every API call is an authorized call.
Now when I want to log out my user, I send a post request to my API (with Bearer token) and try to log him out of the API (and clear session, cookies,...)
Then on the client I also refresh my session so the token is no longer known. Now when I go back to the login page, it automatically logs in my user. (Or my user is just still logged in).
Can someone explain me how to properly log out a user with Laravel passport?

Make sure that in User model, you have this imported
use Laravel\Passport\HasApiTokens;
and you're using the trait HasApiTokens in the User model class using
use HasApiTokens
inside the user class.
Now you create the log out route and in the controller,
do this
$user = Auth::user()->token();
$user->revoke();
return 'logged out'; // modify as per your need
This will log the user out from the current device where he requested to log out. If you want to log out from all the devices where he's logged in. Then do this instead
$tokens = $user->tokens->pluck('id');
Token::whereIn('id', $tokens)
->update(['revoked'=> true]);
RefreshToken::whereIn('access_token_id', $tokens)->update(['revoked' => true]);
Make sure to import these two at the top
use Laravel\Passport\RefreshToken;
use Laravel\Passport\Token;
This will revoke all the access and refresh tokens issued to that user. This will log the user out from everywhere. This really comes into help when the user changes his password using reset password or forget password option and you have to log the user out from everywhere.

You need to delete the token from the database table oauth_access_tokens
you can do that by creating a new model like OauthAccessToken
Run the command php artisan make:model OauthAccessToken to create the model.
Then create a relation between the User model and the new created OauthAccessToken Model , in User.php add :
public function AauthAcessToken(){
return $this->hasMany('\App\OauthAccessToken');
}
in UserController.php , create a new function for logout:
public function logoutApi()
{
if (Auth::check()) {
Auth::user()->AauthAcessToken()->delete();
}
}
In api.php router , create new route :
Route::post('logout','UserController#logoutApi');
Now you can logout by calling posting to URL /api/logout

This is sample code i'm used for log out
public function logout(Request $request)
{
$request->user()->token()->revoke();
return response()->json([
'message' => 'Successfully logged out'
]);
}

Create a route for logout:
$router->group(['middleware' => 'auth:api'], function () use ($router) {
Route::get('me/logout', 'UserController#logout');
});
Create a logout function in userController ( or as mentioned in your route)
public function logout() {
$accessToken = Auth::user()->token();
DB::table('oauth_refresh_tokens')
->where('access_token_id', $accessToken->id)
->update([
'revoked' => true
]);
$accessToken->revoke();
return response()->json(null, 204);
}

I am using Laravel 6.12.0, below function is working for me.
public function logout(Request $request){
$accessToken = Auth::user()->token();
$token= $request->user()->tokens->find($accessToken);
$token->revoke();
$response=array();
$response['status']=1;
$response['statuscode']=200;
$response['msg']="Successfully logout";
return response()->json($response)->header('Content-Type', 'application/json');
}

This is my first post.. and i find a clean solution (Laravel last Version)
/**
* Logout api
*
* #return \Illuminate\Http\Response
*/
public function logout(Request $request)
{
if (Auth::check()) {
$token = Auth::user()->token();
$token->revoke();
return $this->sendResponse(null, 'User is logout');
}
else{
return $this->sendError('Unauthorised.', ['error'=>'Unauthorised'] , Response::HTTP_UNAUTHORIZED);
}
}

Below is the simplest way I found to do it.
1. USE database SESSION INSTEAD OF file SESSION
Official documention
php artisan session:table
php artisan migrate
Replace SESSION_DRIVER=file by SESSION_DRIVER=database in your .env file.
2. DELETE USER SESSION RIGHT AFTER LOGIN
After a user is redirected to your frontend and logs in to finally get a token, you probably call a route in api/routes.php to get the user information, that's where I'm closing the user backend session before sending back user information to the frontend:
Route::middleware('auth:api')->get('/user', function (Request $request) {
// Close user session here
Illuminate\Support\Facades\DB::table('sessions')
->whereUserId($request->user()->id)
->delete();
return $request->user();
});
3. REVOKE TOKENS AT LOGOUT
Then, to "log out" (actually, revoke tokens) the user from the frontend, you just need to call another route to revoke the token and refresh_token:
Route::middleware('auth:api')->post('/logout', function (Request $request) {
// Revoke access token
// => Set oauth_access_tokens.revoked to TRUE (t)
$request->user()->token()->revoke();
// Revoke all of the token's refresh tokens
// => Set oauth_refresh_tokens.revoked to TRUE (t)
$refreshTokenRepository = app('Laravel\Passport\RefreshTokenRepository');
$refreshTokenRepository->revokeRefreshTokensByAccessTokenId($request->user()->token()->id);
return;
});
You may prefer to put these two closures in the UserController.

Hope help someone:
if (Auth::check()) {
$request->user()->tokens->each(function ($token, $key) {
$token->delete();
});
}
Good Luck.

I use this in my project to logout from multiple device.
public function logout(Request $request, $devices = FALSE)
{
$this->logoutMultiple(\Auth::user(), $devices);
return response()->json([], 204);
}
private function logoutMultiple(\App\Models\User $user, $devices = FALSE)
{
$accessTokens = $user->tokens();
if ($devices == 'all') {
} else if ($devices == 'other') {
$accessTokens->where('id', '!=', $user->token()->id);
} else {
$accessTokens->where('id', '=', $user->token()->id);
}
$accessTokens = $accessTokens->get();
foreach ($accessTokens as $accessToken) {
$refreshToken = \DB::table('oauth_refresh_tokens')
->where('access_token_id', $accessToken->id)
->update(['revoked' => TRUE]);
$accessToken->revoke();
}
}

Try this code to help you to logout from passport authentication.
Route::post('/logout', function(){
if (Auth::check()) {
Auth::user()->AauthAcessToken()->delete();
}
return response()->json([
'status' => 1,
'message' => 'User Logout',
], 200);
});
check whether your model contains OauthAccessToken which needs to connect with the database oauth_access_tokens. The access token is stored in the database table oauth_access_tokens. and makes a relation from users to oauth_access_tokens.
public function AauthAcessToken(){
return $this->hasMany(OauthAccessToken::class);
}

You can use following code to remove to token for logged in user.
$request->user()->token()->revoke();
If you want to learn about this in-depth then watch this tutorial:
https://www.youtube.com/watch?v=UKSQdg1uPbQ

public function logout(Request $request)
{
$request->user()->token()->revoke();
if ($request->everywhere) {
foreach ($request->user()->tokens()->whereRevoked(0)->get() as $token) {
$token->revoke();
}
}
return response()->json(['message' => 'success']);
}

Related

How can I logout and revoke all oauth tokens in laravel 8 api?

The api I built with passport and laravel 8 does not logout by default.
I found a script, but it does not remove the entries in the oauth-access-tokens table
I added a function to the AuthController:
public function logout(Request $request){
$accessToken = auth()->user()->token();
$token= $request->user()->tokens->find($accessToken);
$token->revoke();
return response(['message'=> 'Je bent uitgelogd'], 200);
}
And added a path in api.php:
Route::post( 'logout', 'App\Http\Controllers\API\AuthController#logout')->middleware('auth:api');
When I try to logout with Postman, I get a success message, but the entry in the oauth-access-token table is not removed.
I intend to remove all tokens for the user, to log out from all devices
Can anyone tell me what I am doing wrong?
Change the logout function to be like:
public function logout(Request $request){
$user = Auth::user()->token();
$user->revoke();
return response(['message'=> 'Je bent uitgelogd'], 200);
}
This will log the user out from the current device where he requested to log out. If you want to log out from all the devices where he's logged in. Then do this instead:
use Laravel\Passport\RefreshToken;
use Laravel\Passport\Token;
public function logout(Request $request){
$tokens = $user->tokens->pluck('id');
Token::whereIn('id', $tokens)->update(['revoked', true]);
RefreshToken::whereIn('access_token_id', $tokens)->update(['revoked' => true]);
}
This will revoke all the access and refresh tokens issued to that user.
SOLVED:
I used the following code:
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
and the function:
public function logout(Request $request){
Auth::user()->tokens->each(function($token, $key) {
$token->delete();
});
return response(['message'=> 'Je bent uitgelogd'], 200);
}
So nothing is revoked, but all the tokens are just deleted..
If your are using passport,
Auth::user()->AauthAcessToken()->delete();
will remove all the tokens of the user.
In the AuthController i use this code
public function logout(Request $request) {
$request->user()->token()->revoke();
return response([
"message" => 'Session finished',
],200);
}

I can only access my auth()->user() in the method where I auth()->login() and not the other methods in the same Controller

I'm trying to implement my own login/logout with passport in a new Controller.
class AuthController extends AccessTokenController
{
use AuthenticatesUsers;
.
.
My login methods works fine:
public function login(ServerRequestInterface $request)
{
if (!auth()->attempt([
'email' => $request->getParsedBody()['email'],
'password' => $request->getParsedBody()['password']
])) {
return response()->json('failed attempt...');
}
auth()->login(User::where('id', Auth::user()->id)->first());
.
.
// I can access auth()->user() here just fine ..
}
But I can't access the authenticated user in the logout method so I can get his tokens and delete them.
public function logout()
{
//I can't access the authenticated user here
return auth()->user();
//return response()->json('Logged out successfully', 200);
}
What am I doing wrong?
Note: I left out anything in the login method that is related to issuing a token because it's not related to the question ..
Update: my routes/api.php
Route::post('register', 'Auth\RegisterController#register');
Route::post('login', 'Auth\AuthController#login');
Route::post('logout', 'Auth\AuthController#logout');
if you are using api then you should send authorization header else it should work for session based authentication
Then you can access the authenticated user using the request
public function logout(Request $request)
{
return $request->user(); //the user that made the request (the authenticated user)
}
Or:
public function logout(Request $request)
{
return Auth::user(); //the user that made the request (the authenticated user)
}

Problem getting authenticated user with Laravel Lumen + Passport

I am using LumenPassport (https://github.com/dusterio/lumen-passport) and I followed a few tutorials listed here.
I used a combination of these tutorials as well as a heck of google and stackoverflow searches to achieve what I have thus far:
http://esbenp.github.io/2017/03/19/modern-rest-api-laravel-part-4/
http://esbenp.github.io/2015/05/26/lumen-web-api-oauth-2-authentication/
https://blog.pusher.com/make-an-oauth2-server-using-laravel-passport/
What I achieved so far
1. Using password grant to get an access & refresh token
2. Storing these tokens in a secure http only cookie
3. Retrieving these tokens in Lumen's AuthServiceProvider
What I am unable to do
1. Getting the authenticated user with the AccessToken
I am trying to access either of these endpoints:
$router->group(['middleware' => 'auth:api'], function () use ($router) {
$router->get('/', function () use ($router) {return $router->app->version();});
$router->post('/logout', '\App\Auth\LoginController#logout');
});
I will immediately get an unauthorized error.. After some deep diving, the error comes from Authenticate.php which I know is called after AuthServiceProvider. I took a look at AuthServiceProvider and according to Lumen's documentation, this is how the boot method should looks like. Of course it is using the "api" driver and I had to switch it to "passport" for it to work.
AuthServiceProvider.php
public function boot()
{
$this->app['auth']->viaRequest('passport', function ($request) {
// dd("test") // this works
// dd(Auth::user());
// dd($request->user());
// dd(Auth::guard('api')->user());
});
}
Authenticate.php
public function handle($request, Closure $next, $guard = null)
{
if ($this->auth->guard($guard)->guest()) {
$status = Response::HTTP_UNAUTHORIZED;
return response()->json(['success' => false, 'status' => $status, 'message' => 'HTTP_UNAUTHORIZED'], $status);
}
return $next($request);
}
From here, I am still unable to get any of the authenticated user's information. I have made sure to access these endpoints with Postman with the appropriate Authorization headers.
The reason why I need to retrieve the user is because I hope that in my logout method, I will be able to then retrieve the accessToken of that authenticated user and revoke the token and clear the cookies.
LoginController.php
public function logout()
{
// Get the accessToken from Auth
// Need to fix AuthServiceProvider first
$accessToken = $this->auth->user()->token();
$refreshToken = $this->db
->table('oauth_refresh_tokens')
->where('access_token_id', $accessToken->id)
->update([
'revoked' => true,
]);
$accessToken->revoke();
$this->cookie->queue($this->cookie->forget(self::REFRESH_TOKEN));
}
At that point you cannot use Auth::user() since that function is the functionality for resolving that. So what you need to do is extract the bearer token with $request->bearerToken() and use that to retrieve your user.
Update
I took a look at your code and I would recommend the following:
An API is recommended to be 'stateless' meaning that it should not persist any state (i.e. cookies). It is far better to pass the access token with each request and let the application that accesses your API handle the tokens. Therefore I would recommend to remove the log-out functionality. Then you can do the following in your AuthServiceProvider:
if ($token_exists) {
$user = User::find($token->user_id);
return $user;
}

redirect to different views in laravel logged in users based on role mentioned by using if condition in laravel controller

In laravel i have student,parent ,employee(Teacher,Librarian,warden) roles with different permissions...based on user role it should redirect to different blade files when user logged in..my problem is if user parent or student it is redirecting to different dashboards but whenever user is teacher or other it does not logged in but in users table already user exist.
below is my LoginController code
LoginController.php:
public function login(Request $request){
if(Auth::attempt([
'email'=>$request->email,
'username'=>$request->username,
'password'=>$request->password,
]))
{
$user=User::where('username',$request->username)->first();
$usertype=$user->user_type;
$username=$user->username;
$roles=DB::table('roles')->where('id','=',$usertype)->first();
$rolename=$roles->role_name;
if($rolename=="student"){
$student=DB::table('students')->where('stud_adm_id','=',$username)->first();
$classid=$student->class_id;
$sectionid=$student->section_id;
$class=DB::table('classtables')->where('id',$classid)->first();
$section=DB::table('sections')->where('id',$sectionid)->first();
return view('studentdashboard',compact('student','class','section'));
}elseif($rolename=="Teacher"){
$employeedetails=DB::table('employees')->where('employee_fname','=',$username)->first();
return view('teacherdashboard',compact('employeedetails'));
}
elseif($rolename=="parent"){
$parentdetails=DB::table('parents')->where('mother_phone','=',$username)->first();
$stateid=$parentdetails->state;
$state=DB::table('states')->where('state_id','=',$stateid)->first();
return view('parentdashboard',compact('parentdetails','state'));
}
}else{
return redirect()->back();
}
}
my roles are mentioned in role table and that id stored in users table
Thanks in advance...
You better create a middleware to check user role, and based on the role redirect user to different pages!
Run the command below to create a middleware that checks user's role.
php artisan make:middleware CheckRoleMiddleware
The command will create a file under App\Http\Middleware named CheckRoleMiddleware this class will come a predefined method handle() there you can place the logic that checks user's role and redirects them to different pages example:
<?php namespace App\Http\Middleware;
use Closure;
class CheckRoleMiddleware {
public function handle($request, Closure $next)
{
//User role is admin
if ( Auth::check() && Auth::user()->isAdmin() )
{
return $next($request);
}
//If user role is student
if(Auth::check() && auth()->user()->role === 'student')
{
return view('studentDashboard');
or route('routeName');
}
//If user role is teacher
if(Auth::check() && auth()->user()->role ==='teacher')
{
return view('teacherDashboard');
or route('routeName');
}
//default redirect
return redirect('home');
}
}
And don't forget to add CheckRoleMiddleware to App\Http\Kernel.php
protected $routeMiddleware = [
'auth' => 'App\Http\Middleware\Authenticate',
'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
'user-role' => 'App\Http\Middleware\CheckRoleMiddleware', // this line right here
];
Lets just ignore everything about how this stuff should work and how it does by default and take what you have.
Do you see a problem here:
if ($rolename == "student")
elseif ($rolename == "Teacher")
elseif ($rolename == "parent")
If not, lets try it this way:
student
Teacher
parent
Which one is not like the others? And which one was the one that "was not working" correctly?
I would like to assume you have these roles named in a consistent fashion, so Teacher should be teacher.
You can do all of what you want to do with the default LoginController by overriding a method or two.
You should not be returning views from processing routes. POST REDIRECT GET. POST comes in, return a REDIRECT, that causes a GET request (which most likely is going to return a view).
For validating the login credentials:
protected function validateLogin(Request $request)
{
$this->validate($request, [
'email' => '...',
'username' => '...',
'password' => '...',
]);
}
For what credentials should be used from the request:
protected function credentials(Request $request)
{
return $request->only('email', 'username', 'password');
}
The response to return after successful authentication:
protected function authenticated(Request $request, $user)
{
// do your role checking here
// return a redirect response to where you want that particular user type to go
// return redirect()->route(...);
}
Everything related to building the views and gathering that data is its own route. All you have to do is return a redirect for the login flow. Where you redirect to is responsible for gathering the data needed to display a view.

Laravel redirect back to original destination after login

This seems like a pretty basic flow, and Laravel has so many nice solutions for basic things, I feel like I'm missing something.
A user clicks a link that requires authentication. Laravel's auth filter kicks in and routes them to a login page. User logs in, then goes to the original page they were trying to get to before the 'auth' filter kicked in.
Is there a good way to know what page they were trying to get to originally? Since Laravel is the one intercepting the request, I didn't know if it keeps track somewhere for easy routing after the user logs in.
If not, I'd be curious to hear how some of you have implemented this manually.
For Laravel 5.3 and above
Check Scott's answer below.
For Laravel 5 up to 5.2
Simply put,
On auth middleware:
// redirect the user to "/login"
// and stores the url being accessed on session
if (Auth::guest()) {
return redirect()->guest('login');
}
return $next($request);
On login action:
// redirect the user back to the intended page
// or defaultpage if there isn't one
if (Auth::attempt(['email' => $email, 'password' => $password])) {
return redirect()->intended('defaultpage');
}
For Laravel 4 (old answer)
At the time of this answer there was no official support from the framework itself. Nowadays you can use the method pointed out by bgdrl below this method: (I've tried updating his answer, but it seems he won't accept)
On auth filter:
// redirect the user to "/login"
// and stores the url being accessed on session
Route::filter('auth', function() {
if (Auth::guest()) {
return Redirect::guest('login');
}
});
On login action:
// redirect the user back to the intended page
// or defaultpage if there isn't one
if (Auth::attempt(['email' => $email, 'password' => $password])) {
return Redirect::intended('defaultpage');
}
For Laravel 3 (even older answer)
You could implement it like this:
Route::filter('auth', function() {
// If there's no user authenticated session
if (Auth::guest()) {
// Stores current url on session and redirect to login page
Session::put('redirect', URL::full());
return Redirect::to('/login');
}
if ($redirect = Session::get('redirect')) {
Session::forget('redirect');
return Redirect::to($redirect);
}
});
// on controller
public function get_login()
{
$this->layout->nest('content', 'auth.login');
}
public function post_login()
{
$credentials = [
'username' => Input::get('email'),
'password' => Input::get('password')
];
if (Auth::attempt($credentials)) {
return Redirect::to('logged_in_homepage_here');
}
return Redirect::to('login')->with_input();
}
Storing the redirection on Session has the benefit of persisting it even if the user miss typed his credentials or he doesn't have an account and has to signup.
This also allows for anything else besides Auth to set a redirect on session and it will work magically.
Laravel >= 5.3
The Auth changes in 5.3 make implementation of this a little easier, and slightly different than 5.2 since the Auth Middleware has been moved to the service container.
Modify the new Middleware auth redirector
/app/Http/Middleware/RedirectIfAuthenticated.php
Change the handle function slightly, so it looks like:
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
return redirect()->intended('/home');
}
return $next($request);
}
TL;DR explanation
The only difference is in the 4th line; by default it looks like this:
return redirect("/home");
Since Laravel >= 5.3 automatically saves the last "intended" route when checking the Auth Guard, it changes to:
return redirect()->intended('/home');
That tells Laravel to redirect to the last intended page before login, otherwise go to "/home" or wherever you'd like to send them by default.
There's not much out there on the differences between 5.2 and 5.3, and in this area in particular there are quite a few.
I found those two great methods that might be extremely helpful to you.
Redirect::guest();
Redirect::intended();
You can apply this filter to the routes that need authentication.
Route::filter('auth', function()
{
if (Auth::guest()) {
return Redirect::guest('login');
}
});
What this method basically does it's to store the page you were trying to visit and it is redirects you to the login page.
When the user is authenticated you can call
return Redirect::intended();
and it's redirects you to the page you were trying to reach at first.
It's a great way to do it although I usually use the below method.
Redirect::back()
You can check this awesome blog.
You may use Redirect::intended function. It will redirect the user to the URL they were trying to access before being caught by the authenticaton filter. A fallback URI may be given to this
method in case the intended destinaton is not available.
In post login/register:
return Redirect::intended('defaultpageafterlogin');
Change your LoginControllers constructor to:
public function __construct()
{
session(['url.intended' => url()->previous()]);
$this->redirectTo = session()->get('url.intended');
$this->middleware('guest')->except('logout');
}
It will redirect you back to the page BEFORE the login page (2 pages back).
I have been using this for a while on my language selector code. As long as you only need to go back by just 1 page it works fine:
return Redirect::to(URL::previous());
It ain't the most powerful solution out there but it is super-easy and can help solve a few puzzles. :)
For Laravel 8
Following approach works for me for Laravel 8.
Controller based approach
/app/Http/Controllers/Auth/AuthenticatedSessionController.php
Pre-login
The intended url will be stored in the session at create :
/**
* Display the login view.
*
* #return \Illuminate\View\View
*/
public function create()
{
session(['url.intended' => url()->previous()]);
return view('auth.login');
}
Post-login
Upon successful login, in case a intended url is available in session then redirect to it otherwise redirect to the default one :
/**
* Handle an incoming authentication request.
*
* #param \App\Http\Requests\Auth\LoginRequest $request
* #return \Illuminate\Http\RedirectResponse
*/
public function store(LoginRequest $request)
{
$request->authenticate();
//in case intended url is available
if (session()->has('url.intended')) {
$redirectTo = session()->get('url.intended');
session()->forget('url.intended');
}
$request->session()->regenerate();
if ($redirectTo) {
return redirect($redirectTo);
}
return redirect(RouteServiceProvider::HOME);
}
return Redirect::intended('/');
this will redirect you to default page of your project i.e. start page.
For laravel 5.* try these.
return redirect()->intended('/');
or
return Redirect::intended('/');
Laravel 3
I tweaked your (Vinícius Fragoso Pinheiro) code slightly, and placed the following in filters.php
Route::filter('auth', function()
{
// If there's no user authenticated session
if (Auth::guest()) {
// Flash current url to session and redirect to login page
Session::flash('redirect', URL::full());
return Redirect::guest('login');
}
});
And then within the my AuthController.php:
// Try to log the user in.
if (Auth::attempt($userdata)) {
if ($redirect = Session::get('redirect')) {
return Redirect::to($redirect);
} else {
// Redirect to homepage
return Redirect::to('your_default_logged_in_page')->with('success', 'You have logged in successfully');
}
} else {
// Reflash the session data in case we are in the middle of a redirect
Session::reflash('redirect');
// Redirect to the login page.
return Redirect::to('login')->withErrors(['password' => 'Password invalid'])->withInput(Input::except('password'));
}
Notice that the 'redirect' session data is reflashed if there is a authentication issue. This keeps the redirect intact during any login mishaps, but should the user click away at any point, the next login process is not disrupted by the session data.
You also need to reflash the data at the point of showing the login form in your AuthController, otherwise the chain is broken:
public function showLogin()
{
// Reflash the session data in case we are in the middle of a redirect
Session::reflash('redirect');
// Show the login page
return View::make('auth/login');
}
Use Redirect;
Then use this:
return Redirect::back();
In Laravel 5.8
in App\Http\Controllers\Auth\LoginController add the following method
public function showLoginForm()
{
if(!session()->has('url.intended'))
{
session(['url.intended' => url()->previous()]);
}
return view('auth.login');
}
in App\Http\Middleware\RedirectIfAuthenticated replace " return redirect('/home'); " with the following
if (Auth::guard($guard)->check())
{
return redirect()->intended();
}
Its September 2022 now, and I would like to share what I did for the OP's questions. Please be easy on me, still noob here.
My problem : After I implement MustVerifyEmail, the above solutions did not work. I use Laravel 6.x.
So after getting headache overnight, countless mugs of coffe, finally its working now. It isn't new solution because it is a modification from previous answers.
Step 1.
Do realize that : session with name 'url.intended' is already been taken by : vendor\laravel\framework\src\Illuminate\Routing\Redirector.php
So I choose to use different name for the session which is : 'url_intended'
Step 2.
Add this line:
session(['url_intended' => url()->previous()]);
In app\Http\Middleware\Authenticate.php something like below:
<?php
namespace App\Http\Middleware;
use Illuminate\Auth\Middleware\Authenticate as Middleware;
class Authenticate extends Middleware
{
/**
* Get the path the user should be redirected to when they are not authenticated.
*
* #param \Illuminate\Http\Request $request
* #return string
*/
protected function redirectTo($request)
{
session(['url_intended' => url()->previous()]);
if (! $request->expectsJson()) {
return route('login');
}
}
}
Now, here comes the key solution. Instead modifying the app\Http\Controllers\Auth\LoginController or app\Http\Middleware\RedirectIfAuthenticated.php
which did not work for me, I modify the vendor\laravel\framework\src\Illuminate\Auth\Middleware\EnsureEmailIsVerified.php
by adding the following (copy paste and slight modification from above previous answers)
if (session()->has('url_intended')) {
$redirectURL = session()->get('url_intended');
session()->forget('url_intended');
return redirect($redirectURL);
}
with full code as below :
<?php
namespace Illuminate\Auth\Middleware;
use Closure;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Support\Facades\Redirect;
class EnsureEmailIsVerified
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null $redirectToRoute
* #return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
*/
public function handle($request, Closure $next, $redirectToRoute = null)
{
if (! $request->user() ||
($request->user() instanceof MustVerifyEmail &&
! $request->user()->hasVerifiedEmail())) {
return $request->expectsJson()
? abort(403, 'Your email address is not verified.')
: Redirect::route($redirectToRoute ?: 'verification.notice');
}
if (session()->has('url_intended')) {
$redirectURL = session()->get('url_intended');
session()->forget('url_intended');
return redirect($redirectURL);
}
return $next($request);
}
}
its working like charm.
Update: simply create new middleware based on existing EnsureEmailIsVerified middleware, and attach it to Kernel.php :
protected $routeMiddleware = [
//other middlewares here..
'verified' => \App\Http\Middleware\EnsureEmailIsVerified::class,
];
Here is my solution for 5.1. I needed someone to click a "Like" button on a post, get redirected to login, then return to the original page. If they were already logged in, the href of the "Like" button was intercepted with JavaScript and turned into an AJAX request.
The button is something like Like This Post!. /like/931 is handled by a LikeController that requires the auth middleware.
In the Authenticate middleware (the handle() function), add something like this at the start:
if(!str_contains($request->session()->previousUrl(), "/auth/login")) {
$request->session()->put('redirectURL', $request->session()->previousUrl());
$request->session()->save();
}
Change /auth/login to whatever your URL is for logging in. This code saves the original page's URL in the session unless the URL is the login URL. This is required because it appears as though this middleware gets called twice. I am not sure why or if that's true. But if you don't check for that conditional, it will be equal to the correct original page, and then somehow get chanced to /auth/login. There is probably a more elegant way to do this.
Then, in the LikeController or whatever controller you have that handles the URL for the button pushed on the original page:
//some code here that adds a like to the database
//...
return redirect($request->session()->get('redirectURL'));
This method is super simple, doesn't require overriding any existing functions, and works great. It is possible there is some easier way for Laravel to do this, but I am not sure what it is. Using the intended() function doesn't work in my case because the LikeController needed to also know what the previous URL was to redirect back to it. Essentially two levels of redirection backwards.
For Laravel 5.5 and probably 5.4
In App\Http\Middleware\RedirectIfAuthenticated change redirect('/home') to redirect()->intended('/home') in the handle function:
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
return redirect()->intended('/home');
}
return $next($request);
}
in App\Http\Controllers\Auth\LoginController create the showLoginForm() function as follows:
public function showLoginForm()
{
if(!session()->has('url.intended'))
{
session(['url.intended' => url()->previous()]);
}
return view('auth.login');
}
This way if there was an intent for another page it will redirect there otherwise it will redirect home.
Laravel now supports this feature out-of-the-box!
(I believe since 5.5 or earlier).
Add a __construct() method to your Controller as shown below:
public function __construct()
{
$this->middleware('auth');
}
After login, your users will then be redirected to the page they intended to visit initially.
You can also add Laravel's email verification feature as required by your application logic:
public function __construct()
{
$this->middleware(['auth', 'verified']);
}
The documentation contains a very brief example:
https://laravel.com/docs/5.8/authentication#protecting-routes
It's also possible to choose which controller's methods the middleware applies to by using except or only options.
Example with except:
public function __construct()
{
$this->middleware('auth', ['except' => ['index', 'show']]);
}
Example with only:
public function __construct()
{
$this->middleware('auth', ['only' => ['index', 'show']]);
}
More information about except and only middleware options:
https://laravel.com/api/5.8/Illuminate/Routing/ControllerMiddlewareOptions.html#method_except
if you are using axios or other AJAX javascript library you may want to retrive the url and pass to the front end
you can do that with the code below
$default = '/';
$location = $request->session()->pull('url.intended', $default);
return ['status' => 200, 'location' => $location];
This will return a json formatted string
If the filter is handled at the routes level, then its so simple since you just need to attach an auth middleware to your original link. When a user successfully pass through the middleware check (means they login), they are automatically redirected to the intended destination. For example, you can do this instead of checking authentication in the controller
Route::get('/appointments',[AppointmentsController::class,'appointments'])->middleware(['auth'])->name('appointments');
Did you try this in your routes.php ?
Route::group(['middleware' => ['web']], function () {
//
Route::get('/','HomeController#index');
});
// Also place this code into base controller in contract function, because ever controller extends base controller
if(Auth::id) {
//here redirect your code or function
}
if (Auth::guest()) {
return Redirect::guest('login');
}
For Laravel 5.2 (previous versions I did not use)
Paste the code into the file app\Http\Controllers\Auth\AurhController.php
/**
* Overrides method in class 'AuthenticatesUsers'
*
* #return \Illuminate\Contracts\View\Factory|\Illuminate\View\View
*/
public function showLoginForm()
{
$view = property_exists($this, 'loginView')
? $this->loginView : 'auth.authenticate';
if (view()->exists($view)) {
return view($view);
}
/**
* seve the previous page in the session
*/
$previous_url = Session::get('_previous.url');
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$ref = rtrim($ref, '/');
if ($previous_url != url('login')) {
Session::put('referrer', $ref);
if ($previous_url == $ref) {
Session::put('url.intended', $ref);
}
}
/**
* seve the previous page in the session
* end
*/
return view('auth.login');
}
/**
* Overrides method in class 'AuthenticatesUsers'
*
* #param Request $request
* #param $throttles
*
* #return \Illuminate\Http\RedirectResponse
*/
protected function handleUserWasAuthenticated(Request $request, $throttles)
{
if ($throttles) {
$this->clearLoginAttempts($request);
}
if (method_exists($this, 'authenticated')) {
return $this->authenticated($request, Auth::guard($this->getGuard())->user());
}
/*return to the previous page*/
return redirect()->intended(Session::pull('referrer'));
/*return redirect()->intended($this->redirectPath()); /*Larevel default*/
}
And import namespace: use Session;
If you have not made any changes to the file app\Http\Controllers\Auth\AurhController.php, you can just replace it with the file from the GitHub
Laravel 5.2
If you are using a another Middleware like Admin middleware you can set a session for url.intended by using this following:
Basically we need to set manually \Session::put('url.intended', \URL::full()); for redirect.
Example
if (\Auth::guard($guard)->guest()) {
if ($request->ajax() || $request->wantsJson()) {
return response('Unauthorized.', 401);
} else {
\Session::put('url.intended', \URL::full());
return redirect('login');
}
}
On login attempt
Make sure on login attempt use return \Redirect::intended('default_path');
Larvel 5.3 this actually worked for me by just updating LoginController.php
use Illuminate\Support\Facades\Session;
use Illuminate\Support\Facades\URL;
public function __construct()
{
$this->middleware('guest', ['except' => 'logout']);
Session::set('backUrl', URL::previous());
}
public function redirectTo()
{
return Session::get('backUrl') ? Session::get('backUrl') : $this->redirectTo;
}
ref: https://laracasts.com/discuss/channels/laravel/redirect-to-previous-page-after-login
I am using the following approach with a custom login controller and middleware for Laravel 5.7, but I hope that works in any of laravel 5 versions
inside middleware
if (Auth::check()){
return $next($request);
}
else{
return redirect()->guest(route('login'));
}
inside controller login method
if (Auth::attempt(['email' => $email, 'password' => $password])) {
return redirect()->intended('/default');
}
If you need to pass the intented url to client side, you can try the following
if (Auth::attempt(['username' => $request->username, 'password' => $request->password])) {
$intended_url= redirect()->intended('/default')->getTargetUrl();
$response = array(
'status' => 'success',
'redirectUrl' => $intended_url,
'message' => 'Login successful.you will be redirected to home..', );
return response()->json($response);
} else {
$response = array(
'status' => 'failed',
'message' => 'username or password is incorrect', );
return response()->json($response);
}
First, you should know, how you redirect user to 'login' route:
return redirect()->guest('/signin');
Not like this:
return redirect()->intended('/signin');
For Laravel 5.7, You need to make change into:
Middleware>RedirectIfAuthenticated.php
Change this:
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
return redirect('/admin');
}
return $next($request);
}
To this:
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
return redirect('/yourpath');
}
return $next($request);
}
return redirect('/yourpath');

Resources