So I need that every user would use session only once? If you loged in on one pc, I need to log out user from other. Also if IP or User-Agent changed also logout user from it.
Is there any built in options for this kind of task in laravel or I need to check each request?
When login request generate a token which is include client_ip+random number and any other.
encrypt and url encode the token and send as the response.
each and every request check that token, if not match log out the user.
Related
I am trying to create a restricted area where logged in users would need to input a code to access it.
I'm using laravel sanctum and nuxt(ssr) with nuxt-auth module. I'm trying to understand how nuxt-auth module is checking the backend if a user is logged in or not so I can replicate this in my own restricted area access.
So far I noticed that if I invalidate the user session on the backend (FLUSHALL redis sessions) when I refresh the frontend, somehow nuxt-auth knows that the user is logged out and logs the user out on frontend too.
Same if I remove the /api/user route, nuxt thinks that the user is logged out. But when the route is active I don't see the route being accessed in the dev network tab.
I am new to nuxt and I cannot understand where in the nuxt-module source code is it doing the backend check. Is it in the middleware or storage? I'm confused.
So far in the backend I'm checking the user code and save an ID in the session similar with a user log in situation. Now I'm trying to make a nuxt middleware that would verify this.
Nuxt-auth will store a JWT token in cookies usually (it depends on which configuration you're doing of course!) and all of this is checked by reaching your backend's route.
If you refresh your SPA and flush the DB or break the route, the module wipes the client storage + set the loggedIn state to false.
Usually, you do have a JWT token for a specific amount of time (maybe 1 hour or so), if it is not expired, you will not get any network request. If you delete the JWT token, you should see a network request.
Otherwise, a global auth middleware is also available, out of the box with the module. But you could add another global one if you want to have something homemade.
I am using Laravel as my backend together with Sanctum which generates personal access token for mobile users. For my mobile application I am using flutter.
To authenticate users they login with their username/password and get a personal access token in return. This works but requires a user to login every time they open the application again so I did what most tutorials suggest which is saving the token on the mobile device using shared preferences/secure storage.
Now comes the question how do you invalidate a user when you remove their token from the backend? On initial login it appears everything is still fine because like in most tutorial I check for the existence of a token. After that whenever I want to make a request which uses the token I obviously run into problems because it not longer exists on the backend.
Most tutorials/guide suggest saving the token and using that a reference to see if the user is logged in or not but this seems flawed because it gives the false impression you actually have a valid token.
My guess is this can be solved by always performing a heartbeat/ping action to check if the current token is valid and if not send them to the login screen instead of simply checking for the existence of the token.
Thoughts on this?
I can suggest a hack or trick here in every launch of the app you can send a request to an API to check if the user's token is valid or not and if it is valid then you can continue the app otherwise force the user to login and generate new token this way your app will be secure via server / API.
For this, you can store the user's secret token in the database and check it via HTTP API call and send a response from the API accordingly and check the response in app and do the next operation according to the response you get.
I don't know if this is a great way of doing this job but it is a kind of hack/trick to achieve what is needed.
Thanks
Before adding, yes it works when I give the entire url like http://localhost:8080/onedrive/oauth2/success/1 in the list of uri in azure uris. I am using code flow to authroize these tokens.
But as per the docs, it should work with me just mentioning the domain name there, like http://localhost:8080. Which it doesn't.
I want to do something like send the user id along with every request for me to keep track of which user I should link this accees token to, and have no idea to do so, if this issue is there. My current application logic is, when my application sends the user details and calls my spring API, I want to handle all these transfer of tokens in the server side, so I want to transfer this userId as my path variable. How do I go about doing this? Has anyone done this, can they explain to me any other different solution?
You can't add custom details to OAuth redirects and it is best practice to always register the full redirect uri.
In terms of tracking the user, after login the token has a user id and you can also get fields such as user name and email - so both the UI and API will know which user each token is for. I can provide further details on mechanics if needed.
The user id in a token is often a generated value, whereas the user id you want to use in API path segments is maybe a user id from your app's back end database - if so you will need to map between token details and database details.
If you provide redirect uri as http://localhost:8080/ then it means you are handling the api response in
/
endpoint and not
/onedrive/oauth2/success/1
To get to know the user to whom you are linking, few ideas which you can use are
1) Use security to obtain the logged in user credentials (Ex: Principal if you're using Spring security in java)
2) After successful authentication, use the user id you have and send one more request to backend and store it database with userid as a key
I'm looking into an "authenticated URL" type middleware for my Laravel application where a token is generated and that token relates to an authenticated user ID and the hash of a single URL. In other words, a way of viewing a session page from an e-mail without being initially signed-in, using a high-entropy token.
When the user visits the URL, for example https://www.example.com/some/url?authtoken=WDu4UQ5SQr4WGlfMYErxRy3hjdFMs02f2NqbQ7PA, the AuthenticatedUrl middleware looks up the authtoken in the database, verifies the hash of the request's URL and the stored URL match, then logs in the appropriate user ID (Auth::guard('user')->login($token->getUser())) so the page's controller can respond as normal.
That being said, I would prefer to only allow this middleware to authenticate the request itself, not the entire session. Is this possible without causing issues with an existing normal Laravel session?
I discovered the Guard::onceUsingId($id) function which does exactly this. It logs in the request without setting any related session values or cookies.
I do not mean how is it implemented, but rather what steps should user pass?
I'm working with Photobucket now and I found in its docs that I should generate a new token for every request, because the token can expire in a certain (but secret) period of time.
How does this generation work? Do I need a separate request for generating a token?
You can have a log in button, and when a user clicks on it you would make an ajax request to get a new oauth access token and then generate the oauth url based on that token.
Then after the user authenticates they will be redirected to a callback URL that you must specify from within your account settings.