How do I enable login throttling in Laravel 5.3?
Should it be enabled by default?
Where can it be configured?
I could not find anything in the config files. I use ldap auth with adldap library.
Simple.
In .env, If CACHE_DRIVER is set to array, it won't work.
Set CACHE_DRIVER to file for example.
According to the documentation:
If you are using Laravel's built-in LoginController class, the Illuminate\Foundation\Auth\ThrottlesLogins trait will already be included in your controller. By default, the user will not be able to login for one minute if they fail to provide the correct credentials after several attempts
Related
I'm building an app where each subdomain has its own database.
For example:
"example1.app.dev" uses "example1_dbo" database
"example2.app.dev" uses "example2_dbo" database
Each subdomain has its own users, meaning that for example:
user_ex1 can only login on example1.app.dev because he is set in example1_dbo
user_ex2 can only login on example2.app.dev because he is set in example2_dbo
How do I achieve this with Laravel Auth?
Basicaly I have set subdomain routing:
Route::domain('{account}.myapp.dev')->group(function () {})
And i have set up database connections in config/database.php and env file.
I have used this concept on Eloquent models with Model->setConnection($account)
But this method is exhausting while app is growing...
I'm looking for Middleware solution where i can change default DB connection for request globally and for Auth as well while i was not able to get authentication to work.
Have you tried this package:
https://github.com/stancl/tenancy
It provide that out of the box.
hope it is helpful.
I'm using Laravel Hesto Multi Auth package to create multiple auth. I have not used the default auth, but created user, admin, support, professionals guards with laravel hesto
Now im trying to implement Laravel email confirmation using this package
This send me a activation link to my email. However when that routes to http://localhost:8000/confirmation/2/jOVjV2xkfRZqAM4nwjAKdwTwn2 it shows an error
Method App\Http\Controllers\Auth\RegisterController::confirm does not exist.
It should check in App\Http\Controllers\UserAuth\RegisterController::confirm
How to change this? Also would like to know how to implement the same for other guards
If you check https://github.com/bestmomo/laravel-email-confirmation/blob/master/routes/web.php you will note they have defined routes for this. You can override this by doing the following:
1) Disable auto-discover for the package on the dont-discover portion of your compopser.json file.
2) Register the package's service provider before App\Providers\RouteServiceProvider::class so you can override the registered routes on your application.
3) Go ahead and register the routes you want, which will probably be like this:
Route::get('confirmation/resend', 'UserAuth\RegisterController#resend');
Route::get('confirmation/{id}/{token}', 'UserAuth\RegisterController#confirm');
That should do it or at least get you in the right track.
Also ensure you use the package Traits on your UserAuth controllers.
I have a react app that fetch datas from laravel api defined like so in routes/api.php:
// this is default route provided by laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
// ItemController provides an index methods that list items with json
Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
for example http://example.com/api/items returns the data as intended but it's really insecure since anyone could access it through postman.
How to make those routes only accessible inside the app?
As I'm new to it I don't understand if I need to set up api_token and how?
Do I need to setup Passport?
Is is related to auth:api middleware?
It may sounds really basic but any help or tutorial suggestions would be greatly appreciated
EDIT
End up with a classic session auth. Moved routes inside web.php. Pass csrf token in ajax request. Actually i didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented yet, but i implemented lucadegasperi/oauth2-server-laravel for one of my laravel projects and it was developed in Laravel 5.1
Here is the link to github repository
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation Exrensive Documentation
Just add the package to the composer json and run composer update,the package will get installed to your application , once installed add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation,
you have to do a small tweak in order to work perfectly cut csrf from $middleware array and paste it into $routeMiddleware array and again run php artisan vendor:publish after publishing the migrations will be created and run the migration php artisan migrate
if you only want to secure api routes for each client like ios, android and web you can implement Client Credentials Grant, or if you need to every user with oauth the you can implement Authorization Server with the Password Grant or some other.,
Never use the client id or other credentials, generating access token in the form, but add it some where in helper and attach it in the request to the api,
Hope this answer helps you.
You could use JWT it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication, your URL would look like http://example.com/api/items?token=SOME-TOKEN. without a proper token, he doesn't have access do this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests, he can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you to have a look at this question
I have an API and I'm not sure if other services are using it too. I don't want other people to use my server resources and I would like to check that.
Assuming I have a method in a controller, how I can check who accesses this method where the request is not from my domain?
How I can allow connections only from my website/app and refuse from any other source?
Each request has a Host header you can use that to know which domain is using your service.
if you want to only allow your domain to access the service then edit the CORS settings. I'm assuming you are using barryvdh package
in config/cors.php
change the value of
'allowedOrigins' => ['*'],
to your domain instead of * wildcard
You can also use extended library (like so: https://github.com/chrisbjr/api-guard) to add API key to your app so only those who know it can make requests to API.
i want to set permissions only from on IP, because i use this app only for API and not want others peoples have permissions for that application.
There is a simple way to do it , using middleware you will able to check in every request the ip requesting.
Laravel middleware