laravel 5.2 session not persist on route change - laravel

Laravel 5.2 session does not persist after a route change.
I have not used any middleware. The session returns all values in the controller when I put them in the session, but it forgets them when I redirect to another route.
Here are my routes:
Route::auth();
Route::get('login', 'LoginController@login');
Route::post('login', 'LoginController@check');
Route::get('/', 'HomeController@index');
Route::post('school/store', 'HomeController@store');

In Laravel 5.2, everything needs to be given the web middleware in order to use cookies or sessions. It is not mentioned in the Laravel upgrade guide, though.
https://mattstauffer.co/blog/middleware-groups-in-laravel-5-2
https://github.com/laravel/framework/issues/13000
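
The fix described in the answer above, applied to the question's routes as an added example (not code from the original posts). The middleware list in the comment is the `web` group from a stock Laravel 5.2 `app/Http/Kernel.php`.

```php
<?php
// app/Http/routes.php (Laravel 5.2) - added example, not from the original post.
//
// Sessions and cookies only work on routes that pass through the "web"
// middleware group, which a stock 5.2 Kernel defines as:
//   EncryptCookies, AddQueuedCookiesToResponse, StartSession,
//   ShareErrorsFromSession, VerifyCsrfToken
// Without StartSession the session is never loaded or saved, so values put
// into it in one request are gone after the redirect.

// Before (as in the question): routes registered outside any group.
// Route::get('login', 'LoginController@login');
// Route::post('login', 'LoginController@check');

// After: the same routes wrapped in the "web" group.
Route::group(['middleware' => ['web']], function () {
    Route::auth();

    Route::get('login', 'LoginController@login');
    Route::post('login', 'LoginController@check');

    Route::get('/', 'HomeController@index');
    Route::post('school/store', 'HomeController@store');
});
```

Because the group includes VerifyCsrfToken, the POST forms for `login` and `school/store` must now send the CSRF token (for example via `{{ csrf_field() }}`). From Laravel 5.2.27 the RouteServiceProvider applies `web` to `routes.php` automatically, so on those versions the explicit group is not needed.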

Related

Shared session between laravel and vue apps

I have 3 apps: 2 of them are Laravel apps and 1 is Vue.js.
I've tried setting up sessions to store session data in the database so that I can have shared sessions between my apps.
Things work between the Laravel apps; however, I have trouble when it comes to my Vue.js app.
Btw, in order to proceed to any of my Vue routes, I have to check first if a token exists and is correct.
But since I am using Laravel sessions now, I guess I need to check for the cookie session ID now?
And if so, where do I set the cookie session ID?

Better use Laravel Passport (OAuth) for token generation for your Vue application.

Secure web routes with laravel passport token

I am a newbie with Laravel.
I understand that in order to protect routes, you have to first check if a user is authenticated and a session is made. Thus, we apply the auth middleware in the web routes.
However, I am trying to implement Laravel Passport and now I am not able to proceed to my routes anymore since I have been authenticated using Passport.
My question is: is it possible to secure the web routes with a Passport token instead of the Laravel session? And if so, how should one do it?
Thanks, sorry for my English, I'm not a native speaker.

Laravel Passport is for API routes, not for web routes; you can use the Laravel session for web.
For more details, read its documentation:
https://laravel.com/docs/8.x/passport

Authentication sessions in Laravel 5.7

I'm trying to implement a domain-wide authentication (DWA) on top of the usual user authentication. The use case is to prevent a work-in-progress site from leaking to Google/the public.
1. Created scaffolding code using php artisan make:auth
2. Log in via /login and am redirected to /home, which shows the default "You are logged in!"
3. When I reload /home, I see that $this->session->id in SessionGuard.php has an ID value which I will refer to as A; the session also has 5 attributes.
4. Next, I insert the auth middleware into the route /product/{id} and load it
5. I see that $this->session->id in SessionGuard.php has a brand new ID with 0 attributes
6. This causes authenticate() in the Authenticate.php middleware to throw an Unauthenticated exception and redirect me to /login
7. As the browser loads /login, $this->session->id in SessionGuard.php now shows the ID of A with the earlier 5 attributes
8. /login results in the RedirectIfAuthenticated.php middleware running and redirecting to /home
As a result of the DWA, I'm unable to load /product/{id}, it just keeps redirecting me to /home
My question is, why does #5 show a new session ID instead of A?
Where and how is this ID derived in the first place?
Thanks!

I found the solution: Problems of routes in own package - Laravel 5.6
It was due to my controller having only the auth but lacking the web middleware. Hope it helps someone.

Laravel 5.4: how to protect api routes

I have a React app that fetches data from a Laravel API defined like so in routes/api.php:
// this is the default route provided by Laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});
// ItemController provides an index method that lists items as JSON
Route::resource('items', 'Api\ItemController', array('except' => array('create', 'edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
For example, http://example.com/api/items returns the data as intended, but it's really insecure since anyone could access it through Postman.
How to make those routes only accessible inside the app?
As I'm new to it, I don't understand if I need to set up api_token and how.
Do I need to set up Passport?
Is it related to the auth:api middleware?
It may sound really basic, but any help or tutorial suggestions would be greatly appreciated.
EDIT
Ended up with a classic session auth. Moved routes inside web.php. Pass the CSRF token in the AJAX request. Actually I didn't need a RESTful API. You only need token auth when your API is stateless.

As you are using Laravel 5.4 you can use Passport, but I haven't implemented it yet. I implemented lucadegasperi/oauth2-server-laravel for one of my Laravel projects, and it was developed in Laravel 5.1.
Here is the link to the GitHub repository:
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation: Extensive Documentation
Just add the package to the composer.json and run composer update, and the package will get installed to your application. Once installed, add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation.
You have to do a small tweak in order for it to work perfectly: cut csrf from the $middleware array and paste it into the $routeMiddleware array, then run php artisan vendor:publish again. After publishing, the migrations will be created; run the migration with php artisan migrate.
If you only want to secure API routes for each client like iOS, Android and web, you can implement the Client Credentials Grant, or if you need to authenticate every user with OAuth, then you can implement the Authorization Server with the Password Grant or some other.
Never use the client ID or other credentials, generating the access token in the form, but add it somewhere in a helper and attach it in the request to the API.
Hope this answer helps you.

You could use JWT; it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication. Your URL would look like http://example.com/api/items?token=SOME-TOKEN. Without a proper token, he doesn't have access to this endpoint.
As for "How to make those routes only accessible inside the app?":
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests; it can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you have a look at this question
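
Applying the `auth:api` middleware that already guards `/user` in the question to the `items` resource as well, as an added example (not code from the original posts). It assumes Laravel 5.4's default `api` guard (the `token` driver in config/auth.php) and a unique `api_token` column on the `users` table, which the default migration does not create; the migration file name in the comment is hypothetical.

```php
<?php
// routes/api.php - added example, not from the original posts.

use Illuminate\Http\Request;

// Public: registration must be reachable without a token.
Route::resource('users', 'Api\UserController', ['only' => ['store']]);

// Protected: every route in this group goes through the "api" guard.
// With the default "token" driver, the guard looks up the user whose
// api_token column matches the token sent as an "Authorization: Bearer ..."
// header or as an api_token request parameter. Requests without a matching
// token are rejected (a 401 JSON response when the client expects JSON).
Route::middleware('auth:api')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    Route::resource('items', 'Api\ItemController', [
        'except' => ['create', 'edit'],
    ]);
});

// Assumed migration for the token column
// (hypothetical file: add_api_token_to_users_table.php):
// Schema::table('users', function ($table) {
//     $table->string('api_token', 60)->unique()->nullable();
// });
```

Sending the token in the `Authorization` header rather than the query string keeps it out of web server access logs and browser history.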

What can cause all routes to return Unauthenticated error when upgraded from Laravel 5.2 to 5.3?

I just upgraded my app from Laravel 5.2 to 5.3 and followed all the steps.
The one that seems to be the cause of the issue I'm facing is Auth Middleware. I did change the class that should be executed.
But for some reason, all the routes are returning "Unauthenticated" error.
I'm not fetching logged in user in the constructor of any controller class.
In fact, none of my controller classes has a constructor.
What can be causing this problem?

Adding "web" middleware wherever I've "auth" middleware solved the problem.

The two default authentication controllers provided with the framework have been split into four smaller controllers. This change provides cleaner, more focused authentication controllers by default. The easiest way to upgrade your application to the new authentication controllers is to grab a fresh copy of each controller from GitHub and place them into your application.
You should also make sure that you are calling the Auth::routes() method in your routes/web.php file. This method will register the proper routes for the new authentication controllers.
Once these controllers have been placed into your application, you may need to re-implement any customizations you made to these controllers. For example, if you are customizing the authentication guard that is used for authentication, you may need to override the controller's guard method. You can examine each authentication controller's trait to determine which methods to override.
From laravel 5.2 to 5.3
