I am developing a sales system where every user has an account. To authenticate users I store passwords with bcrypt and use the Laravel Auth library as follows:
$data = $request->only('user', 'password');
if (\Auth::attempt($data)){
#redirect dashboard
}
In the Point Of Sale screen, user can add special products that require a PIN (The PIN is the password of some users with privileges).
When i call a button click to save the sale, in my Request class i add this validation (i only need to check if there are some special products, and if, check the PIN that have to match in the DB), i use this code:
$allowed_pin = true;
foreach (Request::get('products') as $product) {
if($product["special_perm"] === "1"){
$pin = $product["pin"];
$user = User::where('password', '=', bcrypt($pin))->first();
if ($user) {
$allowed_pin = true;
} else {
$allowed_pin = false;
}
}
}
The problem is when i compare password in Request class, if i use dd() it show me "$2y$10$AasS5/FTWv28PmYuABfqve4Ao6m1U9zxdUE6ZoHJWcfpn19sd4wcG" and real password hashed in database is "$2y$10$DmefHppecIjuanjRbcj82OPyjhi.L0/4YGd62LYCvkDTGjXxL25fG"
and they not matching.
Does Auth class use some internal encryption different to bcrypt?
To compare the plain text password with the encrypted one, use Hash::check('plain-text', $hashedPassword)
Check out the Laravel docs: https://laravel.com/docs/5.4/hashing
Related
I have created a few forms in laravel. I want to restrict access to one of them only to a specific user.
I want to create a user and password myself.
This is my routes excerpt. This is the route I want to protect from access
Route::get('/tabledata_id_title', 'KedivimController#appearanceiddata');
This is my controller excerpt:
public function appearanceiddata()
{
//$magic = DB::table('prog_title')->select('pr_id', 'pr_title')->get();
$magic = DB::table('prog_title')->select('pr_id', 'pr_title')-> where('pr_index', '=', 1)->get();
return view ('takealook', ['magical' => $magic]);
}
This is a short fix for your problem.
public function appearanceiddata()
{
if (!Auth::guard('web')->check()) //check if someone is logged in
{
//redirect to login page.
}
else {
/*Check if the logged in user is your desired user.
Maybe try matching the logged in id with your desired id.
If you find that a user is logged in but they are not your desired user
then you may redirect them in some other place or show them a message. */
}
//$magic = DB::table('prog_title')->select('pr_id', 'pr_title')->get();
$magic = DB::table('prog_title')->select('pr_id', 'pr_title')-> where('pr_index', '=', 1)->get();
return view ('takealook', ['magical' => $magic]);
}
However, this practice is ok if you have one or two restricted field. But if you have more than that then you should read about middleware.
In my system users can't register. Admin adding all users in the admin panel and telling them your password is "xxx". Right now i need to send mail to users. Which contains users email and users password. System is working great. But there is one exception. In the mail, passwords is bcrypted. How can i solve? I don't any clue. I am using observers. In the model:
public static function boot()
{
parent::boot();
self::created(function () {
$customer = Customer::latest()->get()->first();
Mail::send('emails.user_login_informations', ['customer' => $customer], function($message) use($customer) {
$message->to($customer->email, $customer->name, $customer->password)
->subject('Login Information');
});
});
}
ps: this is working. In my mail:
Your email: xxx#example.com
Your Password: $2y$10$/GW5XNH9KGU.Nz05PZHFJuKb2ldhwYhS8oMX9e7HJIuFNJ
But this looks like:
Your email: xxx#example.com
Your Password: 123
You can create a temporary password field and delete it upon user activation. I needed this for a real world example. For instance:
Event::listen('rainlab.user.activate', function($user) {
$user->temp_password = null;
$user->save();
});
User::saving(function ($user) {
$password = post('User.password');
if ($password && ! $user->attributes['is_activated']) {
$user->temp_password = $password;
}
});
As mentioned above though, this includes a big security risk.
You hash user passwords to increase the security. The Hashing functionality is a one way hashing, so it can't be reversed.
A better way would be to create a password reset token und send it to the user. So the user can set a new password with the email address / token combination. To increase this method you could let the token expire after 30 minutes or so.
how to get facebook friendlist in laravel when user login by facebook login. Already I get the name, email. But I want frienlist also. Here is my existing code.
public function redirectToProvider()
{
return Socialite::driver('facebook')->redirect();
}
public function handleProviderCallback()
{
$socialize_user = Socialite::driver('facebook')->user();
$facebook_user_id = $socialize_user->getId(); // unique facebook user id
$facebook_name = $socialize_user->getName();
$facebook_email = $socialize_user->getEmail();
$facebook_image = $socialize_user->getAvatar();
$user = Register::where('facebook_id', $facebook_user_id)->first();
if ($user) {
Session::put('id',$user->id);
Session::put('name',$user->name);
return redirect::to('welcome');
}
// register (if no user)
if (!$user) {
$user = new Register;
$user->facebook_id = $facebook_user_id;
$user->name = $facebook_name;
$user->email = $facebook_email;
$user->image = $facebook_image;
$user->save();
return redirect('welcome');
}
}
Before anything you will need the user permission, even if they have already signed in
Short version:
You can't with only socialite or without adding few classes.
Long version:
You need to extend FacebookProvider and implement the user interface.
This is the user interface of the user so you can add the friend list method.
And this is the FacebookProvider which includes the required authentication for accessing the facebook state and token, you can read on the loginFlow process on facebook.
To get access to the user friend list, you need to get the user permission, hence you need to initiate the full process again and add the user permission or add it at the start of the process.
Quick version:
If it is only for the friend list, better to use JavaScript and add friend list permission, and then use the response that you get, facebook graph api JS.
Laravel version:
check this package from sammyK it gives you great control on FacebookPHPSDK if you want more functions.
Hello guys I want to make the remember me checkbox and I want to save the user info into cookies so next time when try to login he find the user name and password in their fields I try to use :
$rememberMe = false;
if(isset($req->remember_me)) {
$rememberMe = true;
}
if(Sentinel::authenticate($req->all(), $rememberMe)) {
$slug = Sentinel::getUser()->roles()->first()->slug();
}
The cookies was set, I see it in the chrome settings but it does not do as I expect
I'm using laravel 5.2
You can use Cookies
cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity
To create:
$response->withCookie(Cookie::make('name', 'value', $minutes));
To retrieve
$value = Cookie::get('name');
Your question is not to remember the user login.. The question is how to fill the inputs based on saved auth information. You can do that if you print the authentication values in the input value attribute while loading the page.
larval Cookies Docs
Also Laravel has it's own implementation of "Remember Me"
if (Auth::attempt(array('email' => $email, 'password' => $password), true))
{
// The user is being remembered...
}
if (Auth::viaRemember())
{
//
}
More information about https://laravel.com/docs/5.4/authentication#remembering-users
There is two main thing need to taken care:
1) You must pass a bool value as second parameter to the method, make sure you cast it before passing it to the method. - In your code, it's perfect
$credentials = $req->only('LOGINNAME', 'PASSNAME')
if(Sentinel::authenticate($credentials , $req->has('remember_me'))){
//Other stuff
}
2) you can verify it works by ensuring a cookie is set with the key cartalyst_sentinel?
So first change as per 1) option and then check the 2) option, may be this is your answer.
I have multiple symfony2 applications which share common entities, but use different database settings. Each of these databases has tables user, user_role and role.
Here's the catch: I would like that user to be able to login to app1 by visiting www.myproject.com/app1/login and after changing URL to /app2/ to use existing token ONLY if identical user exists in app2's database (same username, password and salt). Currently it checks only for same username which is, you must agree, quite inconvenient...
I can't really see when refreshUser() is being called... :-/
All apps use same User and Role entities and UserRepository.
Any help would be much appreciated!
UserRepository:
class UserRepository extends EntityRepository implements \Symfony\Component\Security\Core\User\UserProviderInterface{
/** #var User */
private $user;
public function loadUserByUsername($username) {
/** #var $Q \Doctrine\ORM\Query */
$Q = $this->getEntityManager()
->createQuery('SELECT u FROM CommonsBundle:User u WHERE u.username = :username')
->setParameters(array(
'username' => $username
));
$user = $Q->getOneOrNullResult();
if ( $user == null ){
throw new UsernameNotFoundException("");
}
return $this->user = $user;
}
public function refreshUser(UserInterface $user) {
return $this->loadUserByUsername($user->getUsername());
}
public function supportsClass($class) {
return $class === 'CommonsBundle\Entity\User';
}
public function findById($id){
return $this->getEntityManager()
->createQuery('SELECT u FROM CommonsBundle:User u WHERE u.id = :id')
->setParameters(array(
'id' => $id
))
->getOneOrNullResult();
}
}
User#equals(UserInterface):
I know there is a prettier way to write this method but I will rewrite it after see this working :)
public function equals(UserInterface $user)
{
if (!$user instanceof User) {
return false;
}
if ($this->password !== $user->getPassword()) {
return false;
}
if ($this->getSalt() !== $user->getSalt()) {
return false;
}
if ($this->username !== $user->getUsername()) {
return false;
}
return true;
}
Your question made me think. When using symfony2 security, you got one problem: Either a session is valid, meaning the user is authenticated as either anonymous or real user, or the session is invalid.
So, with this in mind, I don't see your approach working as you would like it, because let's say user1 logs in and is using app1. Now he switches to app2 and is not in the database, meaning he should not have access. What to do now? Invalidate the session? This would mean he has to log in again in app1.
If you would use subdomains, you could tie your session to that subdomain, but this would mean the user has to log in again for each application.
There is another problem: It seems like symfony2 stores the id of the user into the session, so without access to the app1 database, you cannot know what the password and the roles of the user in the app1 database are and cannot check for it.
I guess the security of symfony2 was simply not made for such behaviour. It expects the session to relate to the same user within your whole application.
I don't think that symfony2 is the big problem here but the overall handling with php. Let's think for one moment what I would suggest without symfony2:
When a user logs in, store user and roles into a specific array in the session, like:
user.app1 = array('username','password',array('role1','role2'))
Now, on each request to app1 I would check if user.app1 is in the session and read the roles from there. If not, I would check for user.app2, user.app3 and so on. If I find none, redirect to login. If I find one, I would query the database to find the user with the same username and compare the other values. If match, store everything into the database. If not, check next user from session.
I looked up the symfony security reference, and you got some extension points, so maybe you can work from there on. The form_login got a success_handler, so adding the array to the session as suggested above should be done there. The firewall itself has some parameters like request_matcher and entry_point which could be used to add additional checks like the ones I mentioned above. All are defined as services, so injecting the entity manager and the security context should be no problem.
I personally think the design itself is not optimal here and you might be better of refactoring your code to either use one user for all apps and different roles (remember that you can define many entity managers and use different databases) or even consolidating all databases and storing everything into one database, using acl to prevent users from viewing the "wrong" content.