Codeigniter Restserver basic autentication always valid - codeigniter

I've a problem with Codeigniter Restserver (https://github.com/chriskacerguis/codeigniter-restserver) because I've enabled basic autentication but it returns always results even if credentials are wrong.
See details below:
Into rest.php file I modified the value:
$config['rest_auth'] = '';
to
$config['rest_auth'] = 'basic';
then
$config['auth_source'] = 'ldap';
to
$config['auth_source'] = '';
Credentials are stored in $config['rest_valid_logins'] = ['admin' => '1234'];
But if I try to call my webservice, it answers with results even if credentials are wrong or missed.
Why?
Thanks.

Related

YouTube DATA API V3 does not return refresh token

I have almost looked through all the answers to this question and have not been able to solve my problem. I tried different options but can't get refresh token. Here's an example of my code.
$googleClient = new \Google_Client();
$redirectUrl = url('***');
$googleClient->setClientId(config('services.google_api_key.client_id'));
$googleClient->setClientSecret(config('services.google_api_key.client_secret'));
$googleClient->setScopes(config('services.google_api_key.scopes'));
$redirect = filter_var($redirectUrl);
$googleClient->setRedirectUri($redirect);
$googleClient->setAccessType('offline');
$googleClient->setApprovalPrompt('force');
if ($request->has('code')) {
$googleClient->authenticate($request->get('code'));
$token = $googleClient->getAccessToken();
dd($token);
}
And it returned only these data
[
"access_token" => "***"
"expires_in" => 3599
"scope" => "https://www.googleapis.com/auth/youtube"
"token_type" => "Bearer"
"created" => 1613189613
]
I know that the refresh token is provided only on the first call, and so I tried to use this method $googleClient->revokeToken($token); to get it again, but it didn't help, and I already spent a whole day trying to solve this problem and could not. Please help me solve this problem. I understand that I am making a mistake somewhere, but I cannot understand where. Thanks in advance.
I finally found the problem and would like to explain in detail what was the reason, maybe someone else will come in handy. And so I created everything as it was described in the official documentation https://developers.google.com/youtube/v3/guides/auth/server-side-web-apps#obtainingaccesstokens.
I used this code and was unable to get the refresh token.
$googleClient = new \Google_Client();
$redirectUrl = url('***');
$googleClient->setClientId(config('services.google_api_key.client_id'));
$googleClient->setClientSecret(config('services.google_api_key.client_secret'));
$googleClient->setScopes(config('services.google_api_key.scopes'));
$redirect = filter_var($redirectUrl);
$googleClient->setRedirectUri($redirect);
$googleClient->setAccessType('offline');
$googleClient->setApprovalPrompt('force');
if ($request->has('code')) {
$googleClient->authenticate($request->get('code'));
$token = $googleClient->getAccessToken();
dd($token);
}
The official documentation says this:
$client = new Google_Client();
$client->setAuthConfig('client_secret.json');
$client->addScope(GOOGLE_SERVICE_YOUTUBE::YOUTUBE_FORCE_SSL);
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');
// offline access will give you both an access and refresh token so that
// your app can refresh the access token without user interaction.
$client->setAccessType('offline');
// Using "consent" ensures that your application always receives a refresh token.
// If you are not using offline access, you can omit this.
$client->setApprovalPrompt("consent");
$client->setIncludeGrantedScopes(true); // incremental auth
Pay attention to this part:
// Using "consent" ensures that your application always receives a refresh token.
// If you are not using offline access, you can omit this.
$client->setApprovalPrompt("consent");
And this is what I managed to find out
$client->setApprovalPrompt('force'); // works
$client->setApprovalPrompt('consent'); // doesn't work
$client->setPrompt('consent'); // works
For 'consent' setApprovalPrompt() doesn't work, but I could not find about it in the official documentation. And found this error from here https://github.com/googleapis/google-api-php-client/issues/1795.
My final code looks like this which works fine and returns me a refresh token:
$redirectUrl = url('my_callback_url');
$client = new \Google_Client();
$client->setClientId(config('services.google_api_key.client_id'));
$client->setClientSecret(config('services.google_api_key.client_secret'));
$client->addScope(config('services.google_api_key.scopes'));
$client->setState(substr(md5(time()), 0, 15));
$client->setRedirectUri($redirectUrl);
$client->setAccessType('offline');
$client->setPrompt('consent');
$client->setIncludeGrantedScopes(true);
return $client->createAuthUrl();
Thank you stvar for your answer, after that I started to read the documentation all over again and look for the reason.
adding consent prompt fixed the issue. for js library it will look like this:
const authorizationUrl = oauth2Client.generateAuthUrl({
// 'offline' will get refresh_token
access_type: 'offline',
scope: scopes,
prompt: 'consent',
state: stateName,
});

To make URL for User Profile and products id in codeigniter

I created the URL in route.php like
www.domainname/companyname - Its Work properly
And i also created the URL like
www.domainname/events - Its also works good.
But I created the URL like
www.domainname/category/1 - Its shows error
$route["(.*)"] = 'controller/productsname/$1';
$route['Admin'] = 'Admin/login';
$route["category/:num"] = 'controller/category/$1';
$route["(.*)"] = 'controller/productsname/$1';
Thanks
I haven't tried it yet, but you will probably need to simply point all urls to it, naturally after the rules you've already added.
So something like:
$route['Admin'] = 'Admin/login';
$route["category/:num"] = 'controller/category/$1';
$route["(:any)/(:num)"] = 'controller/$1/$2';
//or
$route["(:any)/(:num)"] = 'controller/products/$1/$2';

Dynamic callback url laravel

I tried to make my callback url dynamic because I'm configuring socialite in a multi auth system. I tried to use the socialiteproviders/manager as below:
$clientId = env($provider."_client_id");
$clientSecret = env($provider."_client_secret");
$redirectUrl = "the url i want";
$config = new \SocialiteProviders\Manager\Config($clientId,$clientSecret,$redirectUrl);
return Socialite::with($provider)->setConfig($config)->redirect();
but it says:
Call to undefined method Laravel\Socialite\Two\FacebookProvider::setConfig()
when trying to login with facebook.
Can someone please help me? Thank you.
I could reproduce and found a solution. The code you provided was outdated, and I found other instances of it here: https://laravel.io/forum/07-28-2016-dynamic-callback-url-laravel-socialite
By default, Socialite will get the provider config in services.php by passing the $providerName = facebook
So your code now becomes:
// The services.php config will return null, fix it by using: strtoupper()
$clientId = env(strtoupper($provider . "_client_id"));
$clientSecret = env(strtoupper($provider . "_client_secret"));
$redirectUrl = "/the-url-i-want";
// ->redirect() acts as a closure, without it, you'll get an error like:
// "Serialization of 'Closure' is not allowed"
$user = Socialite::with($provider)->redirect();
return redirect()->to($redirectUrl)->with(['user', $user]);
More info on redirecting with session data:
https://laravel.com/docs/6.x/redirects#redirecting-with-flashed-session-data

What to do when lucadegasperi oauth2 server for laravel gets caught by auth middleware?

So currently building an oauth2 server with:
https://github.com/lucadegasperi/oauth2-server-laravel/blob/master/docs/authorization-server/auth-code.md
Auth Grant
laravel 5.2
Now no where in the instructions does it address what to do when the user is not logged in. (which most times will be the case)
So in that scenario - the user hits the auth middleware kicking them to the login screen... but what to do after that? There is nothing passed to the login page? so how do i know where to redirect the user back to?
Now yes of course I can just do this on my own, but before I do that I just want to make sure I am not missing anything? again it was not address in the documentation, so I can only assume this was thought through?
Let me know your thoughts.
Steve
So just ended up doing a work around in my Authenticate.php file. Incase anyone else is curious I did this:
$params = [];
if($request->has('client_id'))
$params['client_id'] = $request->client_id;
if($request->has('redirect_uri'))
$params['redirect_uri'] = $request->redirect_uri;
if($request->has('response_type'))
$params['response_type'] = $request->response_type;
if($request->has('scope'))
$params['scope'] = $request->scope;
if($request->has('state'))
$params['state'] = $request->state;
return redirect()->route('login', $params);
//return redirect()->guest('login');
Passed this to my loginController. Then in loginController:
$params = [];
if($this->request->has('redirect_uri'))
$params['redirect_uri'] = $this->request->redirect_uri;
if($this->request->has('response_type'))
$params['response_type'] = $this->request->response_type;
if($this->request->has('scope'))
$params['scope'] = $this->request->scope;
if($this->request->has('state'))
$params['state'] = $this->request->state;
if($this->request->has('client_id'))
{
$params['client_id'] = $this->request->client_id;
//dd($params);
return redirect()->route('oauth.authorize.get', $params);
}
Let me know if you see any issues.
Cheers
Citti

Angular2 + Web API + token based authentication

I am trying to learn Angular2
and I am trying to create a simple blog with authentication.
this here is my add a new post method:
[Authorize]
// POST: api/Post
public PostModel Post([FromBody]PostViewModel model)
{
var post = new PostModel
{
Body = model.Body,
Title = model.Title,
AuthorId = IdentityExtensions.GetUserId(User.Identity),
};
var res = blogRepo.AddPost(post);
return res;
}
everything works fine, but IdentityExtension.GetUserId() do not return the most current logged in user but the first user since the app started.
basically I am looking for a way to make sure that the current user logs out on the server as well as on the client (the client side is just a simple removal of the localStorage.removeItem("jwt");)
also there is a good chance that what I am doing is totally wrong, but I can't access the ApplicationUserManager in this controller.
ok I have found the problem, although I haven't managed to solve it yet but I will update this when i do, and I am writing this as an answer since the problem is totally different from what I asked and thought to be.
the problem is related to sending the authentication hints as Thierry Templier suggested. I have a file that exports headers like this:
export const authHeaders = new Headers();
authHeaders.append('Accept', 'application/json');
authHeaders.append('Content-Type', 'application/json');
authHeaders.append('Authorization', 'Bearer ' + localStorage.getItem('jwt'));
And I Import this header where ever I need it. but I am not sure why it always sends a cached value (i.e the first value stored on the client and it has nothing to do with the server side as my question implies).
to solve this issue I just have to make sure the latest access-token stored on localstorage is sent to the server.
EDIT: for now I am constructing the headings in the constructor.

Resources