I am building an API with stateless HTTP basic authentication in Laravel 5.2, as per documentation Stateless HTTP Basic Authentication , I have created following Middleware
app/Http/Middleware/AuthenticateOnceWithBasicAuth.php
<?php
namespace Illuminate\Auth\Middleware;
use Auth;
use Closure;
class AuthenticateOnceWithBasicAuth
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
return Auth::onceBasic() ?: $next($request);
}
}
And then registered it in Kernel.php
app/Http/kernel.php
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'can' => \Illuminate\Foundation\Http\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'auth.basic.once' => \App\Http\Middleware\AuthenticateOnceWithBasicAuth::class,
];
I am using it in route as follows
Route::group(['prefix' => 'admin', 'middleware' => 'auth.basic.once'], function () {
Route::get('service/create', function () {
return response()->json(['name' => 'Abigail', 'state' => 'CA'], 200);
});
});
But it is giving me
ReflectionException in Container.php line 734:
Class App\Http\Middleware\AuthenticateOnceWithBasicAuth does not exist
I have run following commands but with no success
composer dump-autoload
php artisan clear-compiled
php artisan optimize
Any help would be much appreciated. Thanks in advance.
Well first of all look at the namespaces:
namespace Illuminate\Auth\Middleware;
you should rename it to:
namespace App\Http\Middleware;
in the middleware you need to do something like this:
public function handle($request, Closure $next) {
if (!Auth::onceBasic()) {
if ($request->ajax() || $request->wantsJson()) {
return response('Unauthorized.', 401);
} else {
return redirect()->guest('login');
}
}
return $next($request);
}
Related
I was wondering if there is a way to restrict access to routes-blades at certain hours or minutes within a day ?
Any documentation about this topic ?
Create a middleware
php artisan make:middleware TimeBasedRestriction
Return a different response or redirect if time isn't appropriate
<?php
namespace App\Http\Middleware;
use Closure;
class TimeBasedRestriction
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
// if not working hours, access forbidden
if (!now()->isBetween('09:00:00', '16:00:00')) {
return response()->json([
'message' => 'Day is over, come back tomorrow'
], 403); // Status forbidden
}
return $next($request);
}
}
Add the middleware to your route middleware in app\Http\Kernel.php
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'restrictedToDayLight' => \App\Http\Middleware\TimeBasedRestriction::class,
];
And add it to your restricted routes in web.php for example
Route::get('/', function () {
return view('welcome');
})->middleware('restrictedToDayLight');
in my laravel project, I have two users (Admins and Users).
I got started admins' authentification.
Now when I go to a create page (http://127.0.0.1:8000/admin/posts/create) in my CRUD application, it redirects to http://127.0.0.1:8000/login.
I am glad if someone gives me a solution to go back to http://127.0.0.1:8000/admin/login page which is admin side login page.
Here is my codes.
web.php
Route::prefix('admin')->group(function(){
Route::get('/login', 'Auth\AdminLoginController#showLoginForm')->name('admin.login');
Route::post('/login', 'Auth\AdminLoginController#login')->name('admin.login.submit');
Route::get('/', 'AdminController#index')->name('admin.dashboard');
Route::resource('categories','CategoriesController');
Route::resource('posts', 'PostsController')->middleware('auth');
Route::get('trashed-posts', 'PostsController#trashed')->name('trashed-posts.index');
Route::PUT('restore-post/{post}', 'PostsController#restore')->name('restore-posts');
});
VerifyCategoriesCount.php in my middleware folder
public function handle($request, Closure $next)
{
if (Auth::check()) {
if (Auth::user()->role == 'Admin') {
return $next($request);
}
}
return redirect('/admin/');
}
kernel.php
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'verifyCategoriesCount' => VerifyCategoriesCount::class
];
postsController.php
public function __construct()
{
$this->middleware('VerifyCategoriesCount')->only('store');
$this->middleware('admin')->except('index');
}
Add an admin guard in auth.php
'admin' => [
'driver' => 'session',
'provider' => 'admins', //table name
],
And add providers array
'admins' => [
'driver' => 'eloquent',
'model' => App\Admin::class, //Bind your Admin Model
],
Add two middleware,
class AdminRedirectIfAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (Auth::guard('admin')->check()) {
return redirect('/admin/home');
}
return $next($request);
}
}
And
class AdminRedirectIfNotAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (!Auth::guard('admin')->check()) {
return redirect('/admin/login');
}
return $next($request);
}
}
Register your middlewares in kernel.php
'admin.auth' => \App\Http\Middleware\AdminRedirectIfNotAuthenticated::class,
'admin.guest' => \App\Http\Middleware\AdminRedirectIfAuthenticated::class,
In your AdminController.php add,
public function __construct()
{
$this->middleware('admin.auth');
}
And,
In your LoginController.php add,
public function __construct()
{
$this->middleware('admin.guest');
}
In web.php
Route::get('/admin/login', 'Admin\LoginController#showLoginForm')->name('admin.login');
Route::get('/admin/home', 'Admin\AdminController#home')->name('home');
I have configured Jwt/tymon API authentication and use custom model, what I want is controller function should not be accessed without the token generated by JWT on login,
Route
Route::group([
'middleware' => 'api'
// 'prefix' => 'auth'
], function ($router) {
Route::post('auth/mpalogin', 'MpaLoginController#mpaLogin')->name('login');
Route::post('auth/mpalogout', 'MpaLoginController#logout');
Route::post('auth/mparefresh', 'MpaLoginController#refresh');
Route::post('auth/mpame', 'MpaLoginController#myinfo');
Route::post('auth/mpag', 'MpaLoginController#awain');
});
CONTROLLER -> The awain method at the last is accessed without sending the token, which I don't want, I want every method that I create in this controller should be accessed only by token
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use App\Http\Requests;
use Config;
use JWTAuth;
use JWTAuthException;
use App\Mpa;
class MpaLoginController extends Controller
{
public function __construct()
{
Config::set('jwt.user', Mpa::class);
Config::set('auth.providers', ['users' => [
'driver' => 'eloquent',
'model' => Mpa::class,
]]);
$this->middleware('auth', ['except' => ['mpaLogin']]);
}
public function mpaLogin(Request $request){
$credentials = $request->only('email', 'password');
$token = null;
try {
if (!$token = auth()->attempt($credentials)) {
return response()->json([
'response' => 'error',
'message' => 'invalid_email_or_password',
]);
}
} catch (JWTAuthException $e) {
return response()->json([
'response' => 'error',
'message' => 'failed_to_create_token',
]);
}
return response()->json([
'response' => 'success',
'result' => [
'token' => $token,
'message' => 'I am front mpa',
],
]);
}
/**
* Get the authenticated User.
*
* #return \Illuminate\Http\JsonResponse
*/
public function myinfo()
{
return response()->json(auth()->user());
}
/**
* Log the user out (Invalidate the token).
*
* #return \Illuminate\Http\JsonResponse
*/
public function logout()
{
auth()->logout();
return response()->json(['message' => 'Mpa Successfully logged out']);
}
/**
* Refresh a token.
*
* #return \Illuminate\Http\JsonResponse
*/
public function refresh()
{
return $this->respondWithToken(auth()->refresh());
}
/**
* Get the token array structure.
*
* #param string $token
*
* #return \Illuminate\Http\JsonResponse
*/
protected function respondWithToken($token)
{
return response()->json([
'access_token' => $token,
'token_type' => 'bearer',
'expires_in' => auth()->factory()->getTTL() * 60
]);
}
public function awain()
{
return response()->json("xyz");
}
}
You can try this way.
Add this middleware file in your App\Http\Middleware folder.
Filename must be JWTMiddleware.php
<?php
namespace App\Http\Middleware;
use Closure;
use App\Models\Authentication\Auth;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;
use Tymon\JWTAuth\Exceptions\TokenInvalidException;
use Tymon\JWTAuth\Exceptions\JWTException;
class JWTMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (is_null($request->bearerToken())) {
return response()->json(['error' => 'Token required.'], 401);
}
try {
// attempt to verify the credentials and create a token for the user
$token = JWTAuth::getToken();
$apy = JWTAuth::getPayload($token)->toArray();
} catch (TokenExpiredException $e) {
return response()->json(['error' => 'Session Expired.', 'status_code' => 401], 401);
} catch (TokenInvalidException $e) {
return response()->json(['error' => 'Token invalid.', 'status_code' => 401], 401);
} catch (JWTException $e) {
return response()->json(['token_absent' => $e->getMessage()], 401);
}
return $next($request);
}
}
register this middleware in $routeMiddleware of App\Http\kernel.php file.
protected $routeMiddleware = [
....
....
'jwt' => \App\Http\Middleware\JWTMiddleware::class,
];
Add this middleware to your Route group.
Route::group(['middleware' => [ 'jwt', 'jwt.auth']], function () {
....
....
});
Working example Repo:
https://github.com/kennethtomagan/laravel-5-api-boilerplate/
Replace
$this->middleware('auth', ['except' => ['mpaLogin']]);
With this
$this->middleware('api', ['except' => ['mpaLogin']]);
Also remove the middleware from the route group. As you are adding the middleware code in the construct of the controller.
I have a view which should be accessed only by the users who have "role = interviewer" in the database.I have created the middleware and registered it but it doesn't seem to work as expected. It allows all the users irrespective of their role stored in the DB.
Here is my middleware
class Interviewer
{
public function handle($request, Closure $next)
{
if($request->user()->role == "interviewer"){
return $next($request);
}
}
}
I don't know if the approach is right i Have also tried
if($request->\Auth::user()->role == "interviewer")
This one also doesn't work. admin is the view it should be restricting if the user doesn't have the role interviewer. Here is my route
Route::get('/candidates', [
'uses' => 'candidateController#showProfile',
])->middleware('auth','interviewer');
My route middlewares
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'can' => \Illuminate\Foundation\Http\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'interviewer'=> \App\Http\Middleware\Interviewer::class,
];
You need to return something in your middleware if it needs to fail, in your case an error response.
namespace App\Core\Http\Middleware;
use Tymon\JWTAuth\Middleware\BaseMiddleware;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;
class Employee extends BaseMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, \Closure $next, $role = null)
{
$user = $request->user();
if (! ($user->authenticable instanceof \App\Core\Entities\User)) {
return response([
'title' => 'You may not call this API as a non-employee.',
'error' => 'invalid_user_type'
], 401); // <-- See? I returned an error!
}
if ($role) {
if (strtolower($user->authenticable->role->name) !== strtolower($role)) {
return response([
'title' => "You may not call this API as a \"{$user->authenticable->role->name}\".",
'error' => 'unnecessary_permissions'
], 401); // And also here!
}
}
return $next($request);
}
}
In your middleware you always needs return to next($request)
class Interviewer {
public function handle($request, Closure $next) {
if($request->user()->role != "interviewer"){
return back();
}
return $next($request);
}
}
Also modify your routes.php. Middleware needs to be in an array:
Route::get('/candidates', [
'uses' => 'candidateController#showProfile',
])->middleware(['auth','interviewer']);
I'm starting a new app in 5.3 and want to implement the solution for the auth check as stated here
I'm using the register and login models out of the box for 5.3. I've only worked a month on Laravel so struggling to fully interpret the solution.
I moved the HomeController.php to the Auth folder under controllers and added the following use statements: use App\User;
use Illuminate\Support\Facades\Auth;
I editd the HomeController constructor as follow:
public function __construct()
{
//$this->middleware('auth');
$this->middleware(function ($request, $next) {
$this->user= Auth::user();
return $next($request);
});
}
Here's my controller screenshot.
Still get the "Session store not set on request." error when I try to register.
I read this answer as well, but need more guidance please. Just want to get 5.3 out of the box authentication to work.
Here is my Auth folder structure.
Here is my routes/web.php
RouteServiceProvider.php
<?php
namespace App\Providers;
use Illuminate\Support\Facades\Route;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
class RouteServiceProvider extends ServiceProvider
{
protected $namespace = 'App\Http\Controllers';
/**
* Define your route model bindings, pattern filters, etc.
*
* #return void
*/
public function boot()
{
//
parent::boot();
}
/**
* Define the routes for the application.
*
* #return void
*/
public function map()
{
$this->mapApiRoutes();
$this->mapWebRoutes();
//
}
/**
* Define the "web" routes for the application.
*
* These routes all receive session state, CSRF protection, etc.
*
* #return void
*/
protected function mapWebRoutes()
{
Route::group([
'middleware' => 'web',
'namespace' => $this->namespace,
], function ($router) {
require base_path('routes/web.php');
});
}
/**
* Define the "api" routes for the application.
*
* These routes are typically stateless.
*
* #return void
*/
protected function mapApiRoutes()
{
Route::group([
'middleware' => 'api',
'namespace' => $this->namespace,
'prefix' => 'api',
], function ($router) {
require base_path('routes/api.php');
});
}
}
The Kernel:
<?php
namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel
{
/**
* The application's global HTTP middleware stack.
*
* These middleware are run during every request to your application.
*
* #var array
*/
protected $middleware = [
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
];
/**
* The application's route middleware groups.
*
* #var array
*/
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
/**
* The application's route middleware.
*
* These middleware may be assigned to groups or used individually.
*
* #var array
*/
protected $routeMiddleware = [
'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
];
}