What can cause all routes to return Unauthenticated error when upgraded from Laravel 5.2 to 5.3? - laravel

I just upgraded my app from Laravel 5.2 to 5.3 and followed all the steps.
The one that seems to be the cause of the issue I'm facing is Auth Middleware. I did change the class that should be executed.
But for some reason, all the routes are returning "Unauthenticated" error.
I'm not fetching logged in user in the constructor of any controller class.
In fact, none of my controller classes have a constructor.
What can be causing this problem?

Adding "web" middleware wherever I've "auth" middleware solved the problem.

The two default authentication controllers provided with the framework have been split into four smaller controllers. This change provides cleaner, more focused authentication controllers by default. The easiest way to upgrade your application to the new authentication controllers is to grab a fresh copy of each controller from GitHub and place them into your application.
You should also make sure that you are calling the Auth::routes() method in your routes/web.php file. This method will register the proper routes for the new authentication controllers.
Once these controllers have been placed into your application, you may need to re-implement any customizations you made to these controllers. For example, if you are customizing the authentication guard that is used for authentication, you may need to override the controller's guard method. You can examine each authentication controller's trait to determine which methods to override.
From laravel 5.2 to 5.3

Related

What Am I Missing for this Custom Authentication in Laravel 8

I have a website that uses SAML2 for authentication. I don't manage the SSO at all, rather my site is part of a portal that requires SSO authentication for entry. I currently have middleware that gets the SAML attributes from the request->server object, and then does a variety of tasks, like check to see if they have affiliations, if those affiliations are allowed, etc...
This middleware was added to the kernel so that it runs for every HTTP request. I want to revamp this middleware to make it cleaner, and to also use Laravel's native Auth facade (we're checking to see if a session variable for a user has been set to determine if the user has already logged in, versus auth->check(), for example).
I've read several tutorials on how to bypass the authentication that comes with the Laravel Breeze starter kit and make your own. None quite matches what I need to do, but the concepts are the same:
Create a model (using the User model that was already there, with a few tweaks)
Create a Service provider (created a new provider that implements the UserProvider interface)
Create a Guard (created a new guard that implements the Guard interface)
I can understand those three things and did them, but I am unsure of how to put it all together.
I updated my config/auth.php file to include the new guard and provider:
I then updated the boot method of App\Providers\AuthServiceProvider to include the provider and guard that I created:
But now what? I guess this is the part I am missing.
Can someone more knowledgeable help me fit in the missing pieces? I am using Laravel Framework 8.73.1.
Now you just need to protect your routes using the auth laravel middleware (assuming your guard and provider implementations are correct)
You have two options:
1) Replace the default guard. Open config/auth.php and look for the lines:
    'defaults' => [
        'guard' => 'web', // --> Replace with saml
        'passwords' => 'users',
    ],
Now, add the auth middleware to your routes and you are good to go. You can use the Auth facade as described in the Laravel documentation.
2) Keep the Laravel one as the default, and use your guard separately. You just need to specify which guard to use whenever you use the Auth facade or middleware.
The middleware you need to use is auth:saml, and the facade calls must be prefixed with guard('saml'). E.g. Auth::guard('saml')->user().
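How the pieces listed in the question connect to the two options in this answer, as an added example that is not part of the original post: the driver names registered in AuthServiceProvider are the ones config/auth.php refers to, and the guard name in config/auth.php is the one auth:saml and Auth::guard('saml') refer to. App\Auth\SamlGuard, App\Auth\SamlUserProvider, their constructor arguments, the saml_users key and the /dashboard route are assumptions standing in for the asker's own code.

```php
<?php
// app/Providers/AuthServiceProvider.php
// Added example. SamlGuard, SamlUserProvider and their constructor
// arguments are assumed names for the classes the question describes.

namespace App\Providers;

use App\Auth\SamlGuard;        // assumed: implements Illuminate\Contracts\Auth\Guard
use App\Auth\SamlUserProvider; // assumed: implements Illuminate\Contracts\Auth\UserProvider
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Auth;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [];

    public function boot()
    {
        $this->registerPolicies();

        // Matches 'driver' => 'saml' under 'providers' in config/auth.php.
        Auth::provider('saml', function ($app, array $config) {
            return new SamlUserProvider($config['model']);
        });

        // Matches 'driver' => 'saml' under 'guards' in config/auth.php.
        Auth::extend('saml', function ($app, $name, array $config) {
            return new SamlGuard(
                Auth::createUserProvider($config['provider']),
                $app['request']
            );
        });
    }
}

// config/auth.php entries this relies on ('saml_users' is an assumed key):
//   'guards'    => ['saml' => ['driver' => 'saml', 'provider' => 'saml_users']],
//   'providers' => ['saml_users' => ['driver' => 'saml', 'model' => App\Models\User::class]],
//
// routes/web.php, option 2 from the answer (guard named explicitly):
//   Route::middleware('auth:saml')->get('/dashboard', function () {
//       return Auth::guard('saml')->user();
//   });
```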

How to register on Jetstream via Postman (API)

First step: I am posting data via Postman on the api/reg
Second step: I am getting perfectly all the sent data
Third step: nothing lol, I can't get to this 3rd step. What do I do to send this data to the database the way Jetstream does?
Somehow I found this CreateNewUser.php and via dd() I found out that my regular blade register information is coming to this point, but where it is coming from and where it goes afterwards is a mystery. There isn't any information on the internet. So I am getting the register data (name, email...) in my Laravel project, and somewhere, again in my Laravel project, there is some mechanism that upgrades it (adds tokens etc...) and sends my data to the database. How do I connect those two things to each other? Thanks in advance.
Jetstream is not intended to be used in this manner. If you want to expose an API you should use something like Laravel Sanctum or Laravel Passport. Sanctum is more lightweight and has a simpler workflow; Passport is heavier and provides a full OAuth workflow, which might be overkill in some scenarios. Both of these solutions use token authentication, which Jetstream does not provide out of the box.
That said, to answer your question of how this all works.
Jetstream uses Laravel Fortify as its web authentication provider. It comes with a bunch of routes predefined, all of which you can see using php artisan route:list --compact. The route you're interested in is the POST /register route which is mapped to Laravel\Fortify\Http\Controllers\RegisteredUserController#store. When the registration form is submitted, the data is sent to that controller/method. The method expects two parameters, a Request object and a CreatesNewUsers object, both of which are injected by Laravel's IoC service container.
The CreatesNewUsers object that is passed to the store method, is an instance of the CreateNewUser class you've found in App\Actions\Fortify which then performs the action of registering a new user. If you were to modify the structure of your User class, such as adding a phone number for example, you would need to edit CreateNewUser to include that new requirement if it was required when a user registers.
Here is a nice tutorial on how to Build a Restful API in PHP with Laravel Sanctum.

How to protect laravel api route from outside access but allow unrestricted access if request comes from frontend?

I'm building the backend with Laravel and then using Vue as front-end. Data is accessed over API calls using axios. Now I have this relatively simple task but I can't seem to find the proper solution. I want one of the routes to be easily consumable by Vue components without the need to log in, however I don't want that route to be publicly available for anyone to use.
Things I have tried:
Using passport to protect my routes and then use passport's CreateFreshApiToken middleware. Protection works fine, unauthorized users are not able to access the routes, however I don't get laravel_token in my cookies and therefore I can't get access to that route if I'm not logged in.
Use passport's client credentials grant access. Works fine and the way I want it to work but doesn't really make sense because if I hardcode the client_secret - anyone can access it and then use it to access protected routes. If I make a proxy-like solution, to call a controller method, which would issue a valid token and thus not exposing client_secret to front-end but then anyone could just call that route which issues the token and it would be pointless once again.
Apparently the answer is pretty simple and I was overcomplicating things. I don't know if this is the right/elegant way to do this but basically. If you don't need your api to be accessible from other applications (which I didn't) we can just put routes in web.php instead of api.php. This will ensure that web middleware is used and so it will use the basic csrf token validation, which is totally sufficient for protection against outside requests. You can also leave the route in api.php and just use web middleware on that route. The outcome is exactly what I needed - application is getting data over a route without any need to login AND that route is not available over postman or anything else.

Laravel - Multi Auth Email Confirmation

I'm using the Laravel Hesto Multi Auth package to create multiple auth. I have not used the default auth, but created user, admin, support, professionals guards with Laravel Hesto.
Now I'm trying to implement Laravel email confirmation using this package.
This sends me an activation link to my email. However, when that routes to http://localhost:8000/confirmation/2/jOVjV2xkfRZqAM4nwjAKdwTwn2 it shows an error:
Method App\Http\Controllers\Auth\RegisterController::confirm does not exist.
It should check in App\Http\Controllers\UserAuth\RegisterController::confirm
How to change this? Also would like to know how to implement the same for other guards
If you check https://github.com/bestmomo/laravel-email-confirmation/blob/master/routes/web.php you will note they have defined routes for this. You can override this by doing the following:
1) Disable auto-discover for the package in the dont-discover portion of your composer.json file.
2) Register the package's service provider before App\Providers\RouteServiceProvider::class so you can override the registered routes on your application.
3) Go ahead and register the routes you want, which will probably be like this:
    Route::get('confirmation/resend', 'UserAuth\RegisterController@resend');
    Route::get('confirmation/{id}/{token}', 'UserAuth\RegisterController@confirm');
That should do it or at least get you on the right track.
Also ensure you use the package Traits on your UserAuth controllers.

Laravel 5.4: how to protect api routes

I have a React app that fetches data from a Laravel API defined like so in routes/api.php:
    // this is the default route provided by Laravel out of the box
    Route::middleware('auth:api')->get('/user', function (Request $request) {
        return $request->user();
    });
    // ItemController provides an index method that lists items as JSON
    Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
    // this is to store new users
    Route::resource('users', 'Api\UserController', array('only' => array('store')));
For example, http://example.com/api/items returns the data as intended, but it's really insecure since anyone could access it through Postman.
How to make those routes only accessible inside the app?
As I'm new to it I don't understand if I need to set up api_token and how?
Do I need to set up Passport?
Is it related to auth:api middleware?
It may sound really basic but any help or tutorial suggestions would be greatly appreciated.
EDIT
Ended up with a classic session auth. Moved routes inside web.php. Pass csrf token in ajax request. Actually I didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented it yet, but I implemented lucadegasperi/oauth2-server-laravel for one of my Laravel projects and it was developed in Laravel 5.1.
Here is the link to github repository
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation: Extensive Documentation
Just add the package to the composer.json and run composer update; the package will get installed to your application. Once installed, add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation.
You have to do a small tweak in order for it to work perfectly: cut csrf from the $middleware array and paste it into the $routeMiddleware array, and again run php artisan vendor:publish. After publishing, the migrations will be created; run the migration with php artisan migrate.
If you only want to secure API routes for each client like iOS, Android and web, you can implement Client Credentials Grant, or if you need to every user with oauth then you can implement Authorization Server with the Password Grant or some other.
Never use the client id or other credentials, generating access token in the form, but add it somewhere in a helper and attach it in the request to the API.
Hope this answer helps you.
You could use JWT; it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication, your URL would look like http://example.com/api/items?token=SOME-TOKEN. Without a proper token, he doesn't have access to this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests, he can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you to have a look at this question
