Kill duplicate Sessions on Server in Laravel 5.2 - laravel

What is it about?
The database session driver now includes user_id and ip_address so you can easily clear all sessions for a given user.
What's the problem?
I checked this article while reading about what's new in Laravel 5.2.
Is there any blog that clearly explains how to log out the duplicate sessions created using multiple IP addresses, or through the same IP address using multiple browsers?

As far as I see there is no difficulty with that.
Sample data in this table looks like below:
So you have user_id, browser and last activity timestamp here. If you want, you can now add a cron job that runs, for example, the following query:
SELECT user_id, COUNT(*) AS `total` FROM sessions WHERE user_id IS NOT NULL GROUP BY user_id HAVING COUNT(*) > 1;
This will give you users with multiple sessions and you'll be able to decide what to do with them. You can for example remove all sessions for those users, or leave only the last one and remove all the others. It's up to you of course.
The moment you remove the record from the database, the user will need to log in again. In the example above, if I removed my Firefox session, I would need to log in again in Firefox to be logged on to my account.
EDIT
Be aware that by default there is no sessions table (because many users won't use the database driver for sessions). To create this table you need to run:
php artisan session:table
The above command will create the sessions migration, and then you need to run
php artisan migrate
to apply this migration to the database.
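The "leave only the last one" policy from the answer above, written as an Artisan console command for Laravel 5.2. This is an added example, not code from the answer or from Laravel itself; the command name sessions:prune-duplicates, the class name and the --dry-run option are assumptions. It uses the same grouping query as the answer (via the query builder), keeps the session with the highest last_activity per user, deletes the rest, and skips guest sessions, whose user_id is NULL and would otherwise be grouped together as one "user".

```php
<?php
// Added example for Laravel 5.2 (not from the original answer). Class name,
// command signature and the --dry-run option are assumptions.

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;

class PruneDuplicateSessions extends Command
{
    protected $signature = 'sessions:prune-duplicates {--dry-run : Report only, delete nothing}';

    protected $description = 'Keep the most recent database session per user and remove the others';

    public function handle()
    {
        // Same idea as the raw SQL in the answer: users holding more than one session.
        // Guest sessions (user_id NULL) are excluded so they are not treated as one user.
        $users = DB::table('sessions')
            ->select('user_id', DB::raw('COUNT(*) AS total'))
            ->whereNotNull('user_id')
            ->groupBy('user_id')
            ->havingRaw('COUNT(*) > 1')
            ->get();

        $removed = 0;

        foreach ($users as $row) {
            // last_activity is a unix timestamp; the highest value is the session
            // the user touched most recently, so that is the one we keep.
            $keep = DB::table('sessions')
                ->where('user_id', $row->user_id)
                ->orderBy('last_activity', 'desc')
                ->value('id');

            $staleIds = [];
            $stale = DB::table('sessions')
                ->where('user_id', $row->user_id)
                ->where('id', '!=', $keep)
                ->get();
            foreach ($stale as $session) {
                $staleIds[] = $session->id;
            }

            $this->info(sprintf(
                'user %s: %d sessions, keeping %s, removing %d',
                $row->user_id, $row->total, $keep, count($staleIds)
            ));

            // Deleting the row is what logs that browser out: the next request
            // carries a session id that no longer exists in the table.
            if (!$this->option('dry-run') && count($staleIds) > 0) {
                DB::table('sessions')->whereIn('id', $staleIds)->delete();
            }
            $removed += count($staleIds);
        }

        $this->info(($this->option('dry-run') ? 'Would remove ' : 'Removed ') . $removed . ' session(s).');
    }
}
```

Register the class in the $commands array of app/Console/Kernel.php and, instead of a system cron entry per query, schedule it there with $schedule->command('sessions:prune-duplicates')->everyTenMinutes(); run it once with --dry-run first to see which sessions it would drop. Note that ip_address and user_agent are not used to decide which session wins; only last_activity is.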

Related

Laravel Multihauth: To be or Not to Be?

I am building an app and will need multi auth to work well. First, users that will log in as employees using the users table with email and password. I'm using Voyager as backend and using roles and permissions. So far, so good. Now I have another kind of user: they are registered on an ERP and I reach them via WS using CPF (like the social security number) and the password stored in the ERP. Then I fetch them and record all the data I need in a table. It is working well. Well, it was working. For those users I used the API route, just so as not to make a mess of my web routes file. Yesterday I ran php artisan make:auth and that's when things started to get crazy.
Every axios call now returns an 'unauthorized' message because, obviously, they're not authenticated.
What would be better?
Refactor the users login to use CPF instead of email, give a new role to those other API guys and make them pass through the web.php file like everybody else?
Use a multiauth package?
Or anything else?
Please, help!
To me, a user is a user. It seems to be a common thing that if an application has more than one “type” of user, that developers instantly start creating multiple Eloquent models, then guards, then controllers, then views, and so on; and then find themselves in a mess when they need a route that can be accessed by more than one type of user.
Instead, elevate “type” to its own model and add it as a relation to your User model. If a user can only be of one type, then make it a one-to-many relation. If a user can have many roles, then make it a belongs-to-many relation. You then use authorization to determine whether a user can access a route based on the role(s) they have.
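What the "one User model, roles as a relation, authorization on top" advice looks like in code. This is an added example, not code from the answer; it assumes Laravel 5.5 or later, a roles table with a name column, a role_user pivot table, and the ability and role names shown (all hypothetical). The point is that staff and ERP customers are the same User class, so a route that both may reach is just a Gate ability that accepts either role.

```php
<?php
// Added example (not from the answer above). Assumes Laravel 5.5+, tables
// roles(id, name) and role_user(role_id, user_id); names are hypothetical.

// app/Role.php
namespace App;

use Illuminate\Database\Eloquent\Model;

class Role extends Model
{
    protected $fillable = ['name'];

    public function users()
    {
        return $this->belongsToMany(User::class);
    }
}

// app/User.php (only the role-related parts; the rest is the stock model)
namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Many-to-many: a user may hold several roles (employee, erp-customer, admin ...).
    // For a strict one-type-per-user design use belongsTo(Role::class) instead.
    public function roles()
    {
        return $this->belongsToMany(Role::class);
    }

    // True when the user holds any of the given role names. Runs one query
    // against the pivot rather than loading every role into memory.
    public function hasRole(...$names)
    {
        return $this->roles()->whereIn('name', $names)->exists();
    }
}

// app/Providers/AuthServiceProvider.php, inside boot()
use Illuminate\Support\Facades\Gate;

Gate::define('view-orders', function (User $user) {
    // Employees and ERP customers both reach the orders page; nobody else does.
    return $user->hasRole('employee', 'erp-customer');
});

Gate::define('manage-users', function (User $user) {
    return $user->hasRole('admin');
});

// routes/web.php: one route, two kinds of user, no second guard needed
Route::middleware(['auth', 'can:view-orders'])
    ->get('/orders', 'OrderController@index');

Route::middleware(['auth', 'can:manage-users'])
    ->get('/admin/users', 'Admin\UserController@index');
```

Inside a controller or Blade view the same checks read $request->user()->can('view-orders') or @can('manage-users'); when a check has to consider the record being accessed (this customer's own orders only), move it to a policy class and keep the role lookup in hasRole() as the single source of truth.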

Is this Laravel session handling inconsistency a bug?

I am using Laravel 5.5. I have configured a number of authentication guards that use the session driver. Each has a different user provider. The providers all use the eloquent driver, but each creates a different type of user, e.g. App\User\Staff, App\User\Customer.
In addition I have setup subdomain routing for each of my user types, e.g. staff.mydomain.com, customer.mydomain.com. Today I was delighted to find that if I log in at one sub domain, that information is not shared with the other domain (by default anyhow). This means that I can be logged in on one browser tab as a staff member, and on another browser tab as a customer.
Or at least that's what I thought.
This works fine with the file session driver, however it was unpredictable when using the database driver. The database showed new session records for each sub-domain, as I would expect, and the session IDs were refreshed on login. When I checked Auth::check() though, in one tab it showed correctly (i.e. logged in for one guard, and guest on the others). In the other tab it showed guest on all guards.
I tried this back and forth (file/database session driver), and the file driver was consistently consistent, and the database driver was consistently flaky. Is this a bug? Or is there something I am missing about session-based authentication and sub-domains?
After much debugging I finally sorted this out.
The sub-domains were unrelated to the problem. The problem was that I used the default sessions table produced by the artisan session:table command. It creates a user_id field as an integer type. My user IDs are UUIDs.
I am pasting this here as a cautionary tale!
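The fix implied by the cautionary tale above, as an added example rather than the poster's own migration: the sessions migration that php artisan session:table generates in Laravel 5.5, with the single column type changed so user_id can hold a UUID. The column list matches the stock stub; only the user_id line differs. If your users table uses some other string key, use $table->string('user_id', 36) or whatever length fits instead of uuid().

```php
<?php
// Added example (not the poster's code): Laravel 5.5 sessions migration with
// user_id as a UUID instead of an unsigned integer.

use Illuminate\Support\Facades\Schema;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;

class CreateSessionsTable extends Migration
{
    public function up()
    {
        Schema::create('sessions', function (Blueprint $table) {
            $table->string('id')->unique();
            // Stock stub: $table->unsignedInteger('user_id')->nullable();
            // A UUID primary key on users does not fit an integer column, so the
            // DatabaseSessionHandler cannot store the authenticated user's id correctly.
            $table->uuid('user_id')->nullable();
            $table->string('ip_address', 45)->nullable();   // 45 chars covers IPv6 text form
            $table->text('user_agent')->nullable();
            $table->text('payload');
            $table->integer('last_activity');
        });
    }

    public function down()
    {
        Schema::dropIfExists('sessions');
    }
}
```

If the table already exists, write a new migration that drops and re-adds user_id with the right type (changing a column in place needs the doctrine/dbal package), and clear the table afterwards, since existing rows were written with the wrong column type.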

One login on multiple subdomain laravel

I want to create one login for my two laravel application, one on subdomain portal.mydomain.com and the other is app.mydomain.com (if not logged in, will redirect to portal.mydomain.com).
In this case, I try to use the database driver, so I created the sessions table Laravel-style.
When I log in via portal.mydomain.com, I see the session data in the sessions table is updated like this:
| id | user_id | ip_address | user_agent | payload | last_activity |
| ec4156b47e3e527af871c7b4b688393aee631cda | 9 | (my IP address) | (my user agent) | YTozOntzOjY6Il90b2tlbiI7czo0MDoiWnQ1OXpBNzhsZ3I4ZVJUc2tXeEtiTExkU1R6T1hHSUNBYWxrSU1obCI7czo5OiJfcHJldmlvdXMiO2E6MTp7czozOiJ1cmwiO3M6MzQ6Imh0dHA6Ly95ZHBidWRnZXQudGFuZ2tvdGEuY29tL3Rlc3QiO31zOjY6Il9mbGFzaCI7YToyOntzOjM6Im9sZCI7YTowOnt9czozOiJuZXciO2E6MDp7fX19 | 1503693006 |
And on the portal application, the login succeeds. But when I try to access the app application, it updates the user_id column to NULL, the payload changes, and it forces a logout on the portal application too.
I don't know why it updates the value in the session table when it should be putting the value in.

Laravel database connections

I'm using Laravel 5. I see Laravel uses .env to connect to databases, for example DB_USERNAME and DB_PASSWORD, but I want to log in and use the username and password from my form to connect with those values to my Oracle database, which has a table named "dba_users" that holds the user and password and some other fields.
I want to do that because each user has their own granted permissions (roles) on certain tables, thus Oracle would manage the user's login permissions and not the .env DB_USERNAME.
Any ideas?
Thanks
The real term or question title for this would be "Dynamic Laravel Database Connections" in a multi-tenant application. If you google it you will find a lot of code like this: https://laracasts.com/discuss/channels/tips/set-up-dynamic-database-connection-globally
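The pattern the linked thread refers to, as an added example that is not the thread's or the asker's code: register a second connection at runtime whose credentials come from the login form, purge any cached connection of that name, and open it so that Oracle itself decides whether the login is valid. The connection name user_oracle, the class name and the existence of an app-level connection called oracle in config/database.php (whose driver and host settings are copied) are assumptions; the driver value depends on which Oracle package you installed.

```php
<?php
// Added example (not from the linked thread). Assumes config/database.php
// already defines a connection named 'oracle' (driver/host/port/database set
// for your Oracle package); only username and password are swapped per user.

namespace App\Services;

use Illuminate\Support\Facades\Config;
use Illuminate\Support\Facades\DB;
use PDOException;

class UserConnection
{
    const NAME = 'user_oracle';   // hypothetical per-user connection name

    // Registers (or replaces) the per-user connection and opens it.
    // Returns true when Oracle accepted the credentials, false otherwise.
    public static function open($username, $password)
    {
        $base = Config::get('database.connections.oracle');

        Config::set('database.connections.' . self::NAME, array_merge($base, [
            'username' => $username,
            'password' => $password,
        ]));

        // Drop any connection already built under this name with other credentials;
        // otherwise DB::connection() would hand back the cached PDO object.
        DB::purge(self::NAME);

        try {
            DB::connection(self::NAME)->getPdo();   // forces the actual connect
            return true;
        } catch (PDOException $e) {
            DB::purge(self::NAME);
            return false;
        }
    }

    // Query builder bound to the user's own connection; Oracle's grants apply.
    public static function table($name)
    {
        return DB::connection(self::NAME)->table($name);
    }
}

// In a login controller (sketch): let Oracle validate the form credentials.
//
//   if (!UserConnection::open($request->input('username'), $request->input('password'))) {
//       return back()->withErrors(['username' => 'Oracle rejected these credentials']);
//   }
//   $request->session()->put('db_user', $request->input('username'));
//
// Later requests call UserConnection::open() again (e.g. from a middleware)
// before using UserConnection::table('some_table')->get().
```

Because a new PDO connection is opened on every request, the application must keep the user's Oracle password for the life of the web session to re-open it; hold it only in server-side session storage (never in a client cookie) and drop it on logout. Also keep the default connection for Laravel's own tables (sessions, migrations) on the .env account, and route only user data through UserConnection::table().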

How to limit users to one session with CakePHP 3?

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
    'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarify:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in CakePHP the sessions table is named sessions).
Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.
On Login action do:
UPDATE `users` SET `active_session` = '$session_id' WHERE `id` = '$user_id'; -- restrict to the user logging in; bind both values as query parameters
When user goes to a page that requires login, you search that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in somewhere else, the previous session key gets overwritten, and the SELECT above returns an empty result set.
It's possible to clean the old session token before the update, so this way old session will be destroyed on per user basis.
Be careful: if you are using AuthComponent, it might rotate sessions itself; you can find more information in the corresponding section of the CakePHP manual.
I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
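The active_session scheme from the answer above, done the AuthComponent way in CakePHP 3 rather than with hand-written SQL. This is an added example, not code from the answer or from CakePHP; it assumes a users.active_session column (add it with a migration), the database session handler from the question, AuthComponent and FlashComponent loaded in AppController, and the 3.0-3.4 $this->request->session() accessor (3.5+ also offers getSession()). Login renews the session id, records it as the only valid one and destroys the previous session row; every later request compares the stored id with the current one and logs the user out on mismatch.

```php
<?php
// Added example (not from the answer above). Assumes users.active_session exists,
// sessions are stored in the database, and Auth/Flash components are loaded.

// src/Controller/UsersController.php
namespace App\Controller;

use Cake\ORM\TableRegistry;

class UsersController extends AppController
{
    public function login()
    {
        if ($this->request->is('post')) {
            $user = $this->Auth->identify();
            if ($user) {
                $session = $this->request->session();
                $session->renew();   // new session id after authentication

                // Make this session the only valid one for the account.
                $users = TableRegistry::get('Users');
                $entity = $users->get($user['id']);
                $previous = $entity->active_session;
                $entity->active_session = $session->id();
                $users->save($entity);

                // Remove the superseded session row so it cannot be resumed at all,
                // not just rejected by the check in AppController::beforeFilter().
                if ($previous && $previous !== $session->id()) {
                    TableRegistry::get('Sessions')->deleteAll(['id' => $previous]);
                }

                $this->Auth->setUser($user);
                return $this->redirect($this->Auth->redirectUrl());
            }
            $this->Flash->error('Invalid username or password, try again');
        }
    }

    public function logout()
    {
        // Explicit logout clears the marker, so the next login starts clean.
        $userId = $this->Auth->user('id');
        if ($userId !== null) {
            TableRegistry::get('Users')->updateAll(['active_session' => null], ['id' => $userId]);
        }
        return $this->redirect($this->Auth->logout());
    }
}

// src/Controller/AppController.php (only the check; initialize() loads Auth/Flash as usual)
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;
use Cake\ORM\TableRegistry;

class AppController extends Controller
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        $userId = $this->Auth->user('id');
        if ($userId === null) {
            return;   // guest request, nothing to compare
        }

        $active = TableRegistry::get('Users')->get($userId)->active_session;
        if ($active !== $this->request->session()->id()) {
            // A newer login replaced this session: end it and send the user to the login page.
            $this->Flash->error('You were signed out because this account logged in elsewhere.');
            return $this->redirect($this->Auth->logout());
        }
    }
}
```

The comparison in beforeFilter() costs one primary-key lookup per request; if that matters, cache active_session in the session itself and only hit the database every few minutes. Note that this is still the "last login wins" policy the answer describes: it evicts the earlier session rather than refusing the new login, which is usually what you want when the account owner is the one logging in again.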
I tie users to their cell phone. Every day they get a new 6 digit code via Twilio SMS. It makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a user uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.