What is a best practice for security in Laravel with authentication? - laravel

I am doing the security of my website and I'm using the Auth module that Laravel provides. As you know, there are a lot of ways to perform security: you can use the Auth middleware to protect routes, and you can protect your controllers and views with the same module, which is what I'm doing right now.
I want to know from someone who has experience hacking this system whether just protecting the routes where I want more security is more than enough, or whether I should keep protecting the controllers and views that I don't want other people to have access to.
It is a simple question and I don't know if I should rather put this question on Meta Stack Overflow.

Well, as far as I know, you can just protect routes. Routes are the way people are going to access your application; they can't get access to the plain controller code. Using Auth you are going to create an "authentication" session, that is, you are going to protect the specific routes and give access only to an authorized person; this person is going to have a username/password to get access to your route. This is enough route-wise, but you have to be aware of SQL injection and other stuff (Laravel takes care of it for you); that's the way hackers will be able to get access to your information.
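The route-level protection the answer describes, as an added example that is not part of the original post. It assumes a stock Laravel application with the built-in `auth` middleware and a hypothetical `ProjectController`; the controller constructor shows the belt-and-braces variant the question asks about, so the controller stays protected even if someone later registers a route to it outside the guarded group.

```php
<?php
// routes/web.php (added example; ProjectController is a hypothetical name)

use App\Http\Controllers\ProjectController;
use Illuminate\Support\Facades\Route;

// Public routes: reachable without a session.
Route::get('/', fn () => view('welcome'));

// Everything inside this group requires an authenticated session.
// The "auth" middleware redirects guests to the login route (or returns
// 401 JSON when the request expects JSON) before the controller runs.
Route::middleware('auth')->group(function () {
    Route::get('/dashboard', fn () => view('dashboard'));
    Route::resource('projects', ProjectController::class);
});

// app/Http/Controllers/ProjectController.php (added example)
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class ProjectController extends Controller
{
    public function __construct()
    {
        // Defence in depth: even if a future route to this controller is
        // registered outside the protected group, every write action still
        // requires an authenticated user. Only the read-only actions are open.
        $this->middleware('auth')->except(['index', 'show']);
    }

    public function index()
    {
        return view('projects.index');
    }

    public function show(int $id)
    {
        return view('projects.show', ['id' => $id]);
    }

    public function store(Request $request)
    {
        // $request->user() is guaranteed non-null here by the middleware.
        $data = $request->validate(['name' => ['required', 'string', 'max:100']]);
        $request->user()->projects()->create($data);
        return redirect('/projects');
    }
}
```

Run `php artisan route:list` to confirm which middleware each route actually carries; a route that is missing `auth` in that listing is reachable anonymously no matter what the view does.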

Related

How can i prevent token abuse in Laravel Api using Password Grant flow

I'm using the Password Grant flow in my Laravel API but I find that the tokens generated for the user may be abused.
I have the API running on one domain and a web app on another domain consuming it. I want to make sure that even if someone copies the token from localStorage inside my app, it will be useless outside of my consuming domain.
The only solution I can find for this problem is checking the domain with a middleware or inside the API methods. Is there any secure way to do this? Should I use middlewares as I just mentioned?
To be honest, I don't think there is a way that you can prevent this.
I assume that the web app is using client-side code to call your API, so the IP address will always be the client's, and so you cannot limit your API to specific IPs.
Additionally, the calling domain is useless, as you could fake this in Postman or any other API sending tool.
This is a fight you won't easily win.
I'd ask the question of what ways can a user really abuse my API. If they want to use their token to perform actions on their account inside your application, then what does it matter if this happens within your application or outside of it?
How can they abuse your platform if they have the token? If there are ways to abuse it then you are better treating the root cause that allows the abuse to take place, rather than trying to limit how the token can be used.
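Two ways of "treating the root cause" rather than checking the calling domain, as an added example that is not part of the original answer: bound the lifetime of a copied access token and bound what any one token may do. It assumes Laravel Passport (the package that provides the password grant), an `api` guard using the `passport` driver, and a hypothetical `ProjectController`.

```php
<?php
// app/Providers/AuthServiceProvider.php (added example)
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->registerPolicies();

        // 1. Limit the damage in time. A token lifted from localStorage is
        //    only useful for 15 minutes; renewing it needs the refresh token
        //    AND the client credentials at /oauth/token.
        Passport::tokensExpireIn(now()->addMinutes(15));
        Passport::refreshTokensExpireIn(now()->addDays(7));

        // 2. Limit the damage in capability. The web app requests only the
        //    scopes it needs ("scope" parameter of the password-grant request),
        //    so a copied token cannot do more than the app itself could.
        Passport::tokensCan([
            'projects:read'  => 'List and view your projects',
            'projects:write' => 'Create and edit projects',
        ]);
    }
}

// routes/api.php (added example)
use App\Http\Controllers\ProjectController;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// "scope:" is Passport's CheckForAnyScope middleware; register it under that
// alias in app/Http/Kernel.php ($routeMiddleware or $middlewareAliases).
Route::middleware(['auth:api', 'scope:projects:read'])
    ->get('/projects', [ProjectController::class, 'index']);

Route::middleware(['auth:api', 'scope:projects:write'])
    ->post('/projects', [ProjectController::class, 'store']);

// 3. Let the user kill the token they are holding (e.g. on logout), so a
//    copy made earlier stops working immediately instead of at expiry.
Route::middleware('auth:api')->post('/logout', function (Request $request) {
    $request->user()->token()->revoke();
    return response()->noContent();
});
```

The password-grant request then sends `'scope' => 'projects:read'` for a read-only session; a request carrying that token against `POST /projects` is rejected by the `scope:` middleware regardless of where it came from.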

How to create an additional authenticatable model in Laravel

Okay so I know there are a ton of tutorials out there talking about changing the authentication to your liking, but I couldn't find one for my specific case. So here it goes:
In one of my projects I've been using the standard authentication system that comes with Laravel. I have a user model, and each user has an email and a password. They also have roles and permissions and everything works as expected.
I also have a client model. There are projects and each project belongs to a client. Now there is a new requirement for the app, where clients should be able to login and see all of their projects.
Clients should login with a username (not email) and a password.
My question is: What steps are necessary to completely get this going. All I can find online are some pieces of the puzzle, but unfortunately I'm not able to put this together on my own. I know it involves creating a user provider, but that is only part of it. How do I hook up routes/controllers for this, how do I use the custom user provider, how can I use the Auth facade in addition to the standard "user" authentication (I will need to use both side by side)?
If someone knows of a comprehensive tutorial I will be happy to read that and apologize for this question ;-) Otherwise I will be very thankful for a little checklist of all the things I have to consider.
PS: There are many reasons why I can't just use my user model with a special role or something like that. I need to use the client model for authentication.
I found this tutorial which contains the gist of what you're looking for. The basics come down to something along these lines:
Create a new Authenticatable model
Adjust auth.php with new guards and providers
Adjust routing to take both models in account
I'm not sure how the Auth facade plays its role in this, but it might require some additional configuration.
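The three steps of the checklist carried through, plus the `Auth` facade usage the answer was unsure about, as an added example that is not from the original answer or the linked tutorial. It assumes a `clients` table with `username` and bcrypt-hashed `password` columns, a `projects.client_id` foreign key, and hypothetical route/view names.

```php
<?php
// Step 1: app/Models/Client.php (added example)
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

// Extending the framework's base User class gives the model everything the
// session guard needs (getAuthIdentifier, getAuthPassword, remember token).
class Client extends Authenticatable
{
    protected $fillable = ['username', 'password'];
    protected $hidden = ['password', 'remember_token'];

    public function projects()
    {
        return $this->hasMany(Project::class);
    }
}

// Step 2: config/auth.php, only the parts that change (added example)
return [
    'guards' => [
        'web'    => ['driver' => 'session', 'provider' => 'users'],
        'client' => ['driver' => 'session', 'provider' => 'clients'], // new guard
    ],
    'providers' => [
        'users'   => ['driver' => 'eloquent', 'model' => App\Models\User::class],
        'clients' => ['driver' => 'eloquent', 'model' => App\Models\Client::class], // new provider
    ],
];

// Step 3: app/Http/Controllers/ClientLoginController.php (added example)
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ClientLoginController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'username' => ['required', 'string'],
            'password' => ['required', 'string'],
        ]);

        // The eloquent provider turns every non-password key into a WHERE
        // clause, so logging in by "username" needs no custom user provider.
        if (Auth::guard('client')->attempt($credentials)) {
            $request->session()->regenerate(); // defeats session fixation
            return redirect()->intended('/client/projects');
        }
        return back()->withErrors(['username' => 'Invalid credentials.']);
    }

    public function logout(Request $request)
    {
        Auth::guard('client')->logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();
        return redirect('/client/login');
    }
}

// Step 3 continued: routes/web.php (added example)
use Illuminate\Support\Facades\Route;

Route::post('/client/login', [ClientLoginController::class, 'login']);

// "auth:client" checks the client guard; plain "auth" keeps checking users,
// so both kinds of login coexist in one application.
Route::middleware('auth:client')->group(function () {
    Route::get('/client/projects', function () {
        $client = Auth::guard('client')->user(); // always a Client, never a User
        return view('client.projects', ['projects' => $client->projects]);
    });
    Route::post('/client/logout', [ClientLoginController::class, 'logout']);
});
```

One thing to check: the stock `Authenticate` middleware redirects every unauthenticated request to the `login` route, so teach it (its `redirectTo()` method) to send a failed `client` guard check to `/client/login` instead, otherwise clients land on the staff login page.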

Laravel default auth vs Token authentication

I am starting to build a new app and wonder what will be the best way to implement auth, security-wise.
What are the pros, cons, and differences between Laravel's make:auth and using jwt-auth?
Will Laravel's default auth be enough?
This description is a pragmatic approach, so you can do something else if you want.
I think that while developing an API you should use a JWT-based authentication mechanism.
JSON Web Tokens (JWT) include the user information in themselves, which gives a very important benefit for managing sessions. The first and most important of the benefits is that you can manage sessions without storing them on the server. I would like to explain it just to avoid misunderstanding: you can store them on the server, but it's not necessary except in a few scenarios. These scenarios depend on how you designed your authentication.
I could explain a lot more about it, but in summary, if you are developing an API I propose you use JWT tokens.
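What "the token carries the user information" and "no server-side session" concretely mean, as an added example that is not part of the original answer: a minimal HS256 JWT issuer and verifier in plain PHP (no library), with the checks the server must still perform before trusting the claims. The secret and claims are constructed for the demo.

```php
<?php
// Added example: minimal HS256 JWT without a library.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string
{
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode(strtr($txt, '-_', '+/') . $pad);
}

// The token is header.payload.signature; the claims travel inside it, so the
// server keeps no session row, only the signing secret.
function jwt_issue(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims on success or null on any failure.
function jwt_verify(string $jwt, string $secret, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // Pin the algorithm server-side; never let the token choose it.
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Recompute the MAC over the exact bytes received; constant-time compare.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, b64url_decode($s))) {
        return null;
    }

    // Only now read the claims, and reject anything missing or past "exp".
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// Demo with constructed values.
$secret = 'replace-with-a-long-random-secret';   // constructed for the demo
$now    = time();
$token  = jwt_issue(['sub' => 42, 'role' => 'editor', 'iat' => $now, 'exp' => $now + 900], $secret);

$valid   = jwt_verify($token, $secret, $now);        // array of claims
$expired = jwt_verify($token, $secret, $now + 901);  // null: past exp

// Editing the payload (here: promoting the role) invalidates the signature.
[$h, $p, $s] = explode('.', $token);
$forged = "$h." . b64url(json_encode(['sub' => 42, 'role' => 'admin', 'exp' => $now + 900])) . ".$s";
$tampered = jwt_verify($forged, $secret, $now);      // null: MAC mismatch

printf("valid=%s expired=%s tampered=%s\n",
    var_export($valid !== null, true), var_export($expired === null, true), var_export($tampered === null, true));
```

The statelessness is also the caveat the answer alludes to: because nothing is stored on the server, a token cannot be revoked before its `exp` unless you do add server-side state (a denylist of token ids or a per-user "issued after" timestamp), which is why short expiries matter more with JWTs than with a database-backed session.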

ways to authenticate a laravel web system

I am developing a web system in PHP using the Laravel framework. I have arrived at the user authentication part, where user type x is not allowed to access page y. What is the best way to do this with Laravel? I thought about creating a session and saving the id of the user, so every time he accesses a certain controller I check whether that id has access or not. So I have some doubts.
Is this a good way to perform this authentication?
Is this really safe?
Is there any way for the client to change my session?
What would be a better method for authenticating user access?
Laravel provides a very good authentication system out of the box. Even though hacking is inevitable, it provides very good protection, and since Laravel is a pretty popular framework you don't have to worry about the security part; if there is any security bug, patches will be available almost immediately.
And your second concern, can a client change the session? The answer is NO, if you code it properly. The session resides on the server, unlike cookies, so there is no direct way for a user to change the session. If you follow good coding practices you are good to go.
And how do you limit userA from accessing pageB? This is a pretty common feature needed in almost all applications. As of now Laravel does not provide an out-of-the-box solution for this, but it is pretty simple: you can add a role column to the users table and check whether the user has the appropriate permission on each page. Laravel keeps the user object in the session, and it is available via the auth() helper or the Auth facade. If you want a slightly more sophisticated solution there is a package out there, entrust; it seems a good choice.
You may want to read about
Authorization
CSRF Protection
Authentication
I hope I have addressed all your concerns
Laravel provides a simple way to authorize actions that's purpose-built for what you need:
https://laravel.com/docs/5.5/authorization
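The role-column approach from the first answer expressed through the authorization layer the second answer points to, as an added example that is not from either answer. It assumes a `role` string column on the `users` table and hypothetical ability names, routes and a `ReportController`; the point is that the decision is made server-side from the stored user row, so nothing the client can send or edit changes it.

```php
<?php
// app/Providers/AuthServiceProvider.php (added example)
namespace App\Providers;

use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->registerPolicies();

        // One place that maps roles to abilities. $user comes from the
        // server-side session's user id and the users table, never from input.
        Gate::define('view-reports', fn (User $user) => in_array($user->role, ['manager', 'admin'], true));
        Gate::define('manage-users', fn (User $user) => $user->role === 'admin');
    }
}

// routes/web.php (added example; ReportController is hypothetical)
use App\Http\Controllers\ReportController;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// "auth" answers "who are you?", "can:" answers "may you?". A logged-in
// user with the wrong role receives 403, the controller never runs.
Route::middleware(['auth', 'can:view-reports'])
    ->get('/reports', [ReportController::class, 'index']);

// Same check inside an action, for cases where the decision depends on the
// specific record rather than on the page as a whole.
Route::middleware('auth')->delete('/users/{user}', function (User $target) {
    Gate::authorize('manage-users');   // throws AuthorizationException -> 403
    $target->delete();
    return redirect('/users');
});

// Blade (added example): hide the link for users who may not follow it.
// This is cosmetic only; the route middleware above is the actual control.
//   @can('view-reports')
//       <a href="/reports">Reports</a>
//   @endcan
```

Keep the `can:` middleware (or `Gate::authorize`) on every route that needs it rather than relying on the hidden link: the URL is still reachable by anyone who types it, and `@can` only decides what is rendered.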

ION Auth Default URL and Controller

I am using the ION Auth library for Codeigniter. For security purposes, should I change the default URL/Controller from "/auth" to something that's unknown and more difficult to guess?
The default controller exists purely as an example; you should not assume it is perfect.
That said, changing it would be pointless. As soon as you provide a "login" link you would be telling people where it is...
The salts and encryption should be strong enough to keep people out. If you are REALLY worried about security, set up HTTPS.
You beat me to this Phil ;)
One other thing to add: I recommend creating routes for better URLs. So I map standard functions like login and logout; for example, auth/login maps to just /login.
