I try to build a facebook canvas app using laravel 5. I use a custom middleware class to disable crsf for specific routes. can be found here. I ended up with another error.
Class 'App\Http\Middleware\TokenMismatchException' not found
This is my middlewareclass:
<?php namespace App\Http\Middleware;
use Closure;
class VerifyCsrfMiddleware extends \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if ($this->isReading($request) || $this->excludedRoutes($request) || $this->tokensMatch($request))
{
return $this->addCookieToResponse($request, $next($request));
}
throw new TokenMismatchException;
}
/**
* Ignore CSRF on these routes.
*
* #param \Illuminate\Http\Request $request
* #return bool
*/
private function excludedRoutes($request)
{
$routes = [
'app/canvas'
// ... insert all your canvas endpoints here
];
foreach($routes as $route){
if ($request->is($route)) {
return true;
}
}
return false;
}
}
Related
I have 2 routes that requires a person to be tagged to access the discussions.
http://localhost:8000/api/fieldReports/{fieldReport}/discussions
http://localhost:8000/api/agendas/{agenda}/discussions
Currently, I have created this middleware, but instead of pointing right to a specific model, and duplicate it for each model with the exact same functionality, I want it to be more reusable.
Middleware\ForbidUntaggedUser.php
class ForbidUntaggedUser
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle(Request $request, Closure $next)
{
$user = $request->user();
$report = $request->report; // <-- I hardcoded the model, I want this to be dynamic
// The `taggedUsers` remains the same (identical) for each model that has tagging system on it.
if (!$report || !$report->taggedUsers->contains($user->id)) {
return response()->json('Your action is unauthorized.', 403);
}
return $next($request);
}
}
I've tried to use Policy but it doesn't work, so I think I need a middleware for this.
Policies\FieldReportDiscussionPolicy.php
class FieldReportDiscussionPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* #param \App\Models\User $user
* #return mixed
*/
public function viewAny(User $user, FieldReport $fieldReport)
{
return $user->can('view any fieldReportDiscussion')
&& $fieldReport->taggedUsers->contains($user->id);
}
... // and so on..
}
Controllers\FieldReportDiscussionController.php
class FieldReportDiscussionController extends Controller
{
protected $model;
/**
* Create new instance.
*
* #return void
*/
public function __construct()
{
$this->authorizeResource(
FieldReportDiscussion::class,
['fieldReportDiscussion', 'fieldReport'] // This gave me error "Array to string conversion"
);
$this->model = new FieldReportDiscussion;
}
/**
* Display a listing of the resource.
*
* #return \Illuminate\Http\Response
*/
public function index(FieldReport $fieldReport)
{
$discussions = $this->model->registries($fieldReport)->paginate(100);
return response()->json($discussions);
}
}
I need the dependency injection on the controller because the route is nested with each model as the parent, like this one..
routes\api.php
Route::apiResource('fieldReports', FieldReportController::class);
Route::apiResource('fieldReports.discussions', FieldReportDiscussionController::class)->except(['update'])->parameter('discussions', 'fieldReportDiscussion');
So, what's the solution for this? Can I make it dynamic (the first request object)?
I think you're on the right track with using middleware, although you'll need some conditional checks, something along the lines like:
class ForbidUntaggedUser
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle(Request $request, Closure $next)
{
$instance = null;
if ($request->report !== null) {
$instance = $request->report;
} else if ($request->agenda !== null) {
$instance = $request->agenda;
}
if (!$instance || !$instance->taggedUsers->contains(auth()->id())) {
return response()->json('Your action is unauthorized.', 403);
}
return $next($request);
}
}
If you have named correctly your params in your controller i.e. in a resoruce controller
<?php
namespace App\Http\Controllers;
use App\Models\Agenda;
class AgendaController extends Controller
{
public function show(Agenda $agenda)
{
....
}
}
The first parameter of your request will be the named model, so you can get the model with the getModel() function, if you are not sure, you can search it with findModel() function.
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
class MyMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse) $next
* #return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
*/
public function handle(Request $request, Closure $next)
{
$model = $this->getModel($request);
$tryGetModel = $this->findModel($request);
}
private function getModel(Request $request) : Model|null
{
$modelParameterName = $request->route()->parameterNames()[0];
return $request->$modelParameterName ?? null;
}
private function findModel(Request $request) : Model|null
{
foreach($request->route()->parameters() as $param)
{
if($param instanceof Model)
return $param;
}
return null;
}
}
This is the only one solution for passport authentication that I have found for a week of struggles. Enjoy!
Paste code bellow in file app/Http/Middleware/Authenticate.php
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Auth\Middleware\Authenticate as Middleware;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Contracts\Auth\Factory as Auth;
class Authenticate extends Middleware
{
/**
* The authentication factory instance.
*
* #var \Illuminate\Contracts\Auth\Factory
*/
protected $auth;
/**
* Create a new middleware instance.
*
* #param \Illuminate\Contracts\Auth\Factory $auth
* #return void
*/
public function __construct(Auth $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string[] ...$guards
* #return mixed
*
* #throws \Illuminate\Auth\AuthenticationException
*/
public function handle($request, Closure $next, ...$guards)
{
$this->authenticate($guards);
return $next($request);
}
/**
* Determine if the user is logged in to any of the given guards.
*
* #param array $guards
* #return void
*
* #throws \Illuminate\Auth\AuthenticationException
*/
protected function authenticate(array $guards)
{
if (empty($guards)) {
return $this->auth->authenticate();
}
foreach ($guards as $guard) {
if ($this->auth->guard($guard)->check()) {
return $this->auth->shouldUse($guard);
}else{
return null;
}
}
throw new AuthenticationException('Unauthenticated.', $guards);
}
}
After this, all routes will be available for guests.
Create new middleware DenyIfNotAuthenticated. Add there code from default app/Http/Middleware/Authenticate.php. It will be like this:
<?php
namespace App\Http\Middleware;
use Illuminate\Auth\Middleware\Authenticate as Middleware;
class DenyIfNotAuthenticated extends Middleware
{
/**
* Get the path the user should be redirected to when they are not authenticated.
*
* #param \Illuminate\Http\Request $request
* #return string|null
*/
protected function redirectTo($request)
{
if (! $request->expectsJson()) {
return route('login');
}
}
}
Add to Kernel.php file line: 'auth.deny' => \App\Http\Middleware\DenyIfNotAuthenticated::class, bellow 'auth' => \App\Http\Middleware\Authenticate::class,
Routs in routes/api.php looks like this:
Route::apiResource('recipes', 'RecipesController'); // accessible for guests
Route::group(['middleware' => ['auth.deny:api']], function () {
Route::get('ingredients', 'IngredientsController#index');
}); // accessible only for authorized users
I need to return 404 instead of 403 error page when regular user try to get access for admin pages.
The Nova middleware which is responsible for this is located here /nova/src/Http/Middleware.
And looks like this:
<?php
namespace Laravel\Nova\Http\Middleware;
use Laravel\Nova\Nova;
class Authorize
{
/**
* Handle the incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return \Illuminate\Http\Response
*/
public function handle($request, $next)
{
return Nova::check($request) ? $next($request) : abort(403);
}
}
If I change here abort(403) to abort(404) -
It works fine and doing exactly what I need.
How can I extend this middleware to use it in my application. What should I do to rewrite middleware properly, in my application, so that I can do updates of Nova in future and do not rewrite this changes
What I tried:
Extend this middleware in
<?php
namespace App\Http\Middleware;
use Laravel\Nova\Nova;
class NovaAuthorize extends \Laravel\Nova\Http\Middleware\Authorize
{
/**
* Handle the incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return \Illuminate\Http\Response
*/
public function handle($request, $next)
{
return Nova::check($request) ? $next($request) : abort(404);
}
}
and add it to my middlewares
protected $middleware = [
...
\App\Http\Middleware\NovaAuthorize::class, // nova access
];
but it had no effect
in /app/Providers/NovaServiceProvider.php
protected function gate()
{
Gate::define('viewNova', function ($user) {
if( !$user->isAdmin() ){
abort(404);
}
return true;
});
}
On my laravel project when, I'm trying to authorize, shows me error exception
"Object of class Illuminate\Routing\Redirector could not be converted to string"
It indicates me to my Middleware Class
use Closure;
use Illuminate\Support\Facades\Auth;
class RedirectIfAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null $guard
* #return mixed
*/
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->check()) {
return redirect('/dashboard');
}
return $next($request); //This row could not be converted to string
}
}
and to this file
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\Storage;
class VerifyAppInstalled
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (config('database.transfer_mode') == "1") {
if (password_verify($request->server('SERVER_NAME'), getOption('app_key', true))
&& password_verify(strrev($request->server('SERVER_NAME')), getOption('app_code', true))) {
return redirect('/transfer/restore');
}
return redirect('/transfer/ready');
}
if (config('database.installed') == '%installed%') {
return redirect('/install');
}
if (Storage::exists('images/update')) {
return redirect('/update-progress');
}
\App::setLocale(request()->session()->get('locale', getOption('language')));
return $next($request);
}
}
Please help me what is wrong here?
enter image description here
I have trouble with redirecting to an url after login.
The situation is that someone visits a blog post, and needs to login before adding a comment. So the user clicks on the login link and logs in on "auth/login", and is always redirected to "/home".
I want the user to be redirected to the blogpost when an url is set like "auth/login?redirect=url/to/blogpost"
I have the following Middleware:
app\Http\Middleware\RedirectIfAuthenticated
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Contracts\Auth\Guard;
class RedirectIfAuthenticated
{
/**
* The Guard implementation.
*
* #var Guard
*/
protected $auth;
/**
* Create a new filter instance.
*
* #param Guard $auth
* #return void
*/
public function __construct(Guard $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if ($this->auth->check()) {
return redirect('/home');
}
return $next($request);
}
}
app\Http\Middleware\Authenticate
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Contracts\Auth\Guard;
class Authenticate
{
/**
* The Guard implementation.
*
* #var Guard
*/
protected $auth;
/**
* Create a new filter instance.
*
* #param Guard $auth
* #return void
*/
public function __construct(Guard $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if ($this->auth->guest()) {
if ($request->ajax()) {
return response('Unauthorized.', 401);
} else {
return redirect()->guest('auth/login');
}
}
return $next($request);
}
}
Why don't you use the intended method on redirector? Read about this in docs
The intended method on the redirector will redirect the user to the URL they were attempting to access before being caught by the authentication filter. A fallback URI may be given to this method in case the intended destination is not available.
I've decided to copy and paste the getLogin function of the trait AuthenticatesUsers into my AuthController. I overwrite the function AND keep the trait as is.
I've just added
\Session::put('url.intended',\URL::previous());
If you're using standard authentication from Laravel 5, find a app/Http/Controllers/Auth/AuthController.php file and change $redirectPath to this:
protected $redirectPath = '/url/to/blogpost';