Is there any way to allow spaces in user names Name Givenname and characters like ščťžýáíéúô (any UTF-8 characters) in CodeIgniter Tank Auth library?
I was browse code but I do not know hot to allow it? And aloso I need to allow duplicate usernames (need only email to be unique).
EDIT:
When I trying to register new user I get this error.
http://i.stack.imgur.com/jhxEO.png
I don't think Tank Auth places any restrictions on spaces/characters in the username, it's more likely to be the collation on your users table. Tank Auth uses SQL LOWER() functions to compare usernames to input, so SQL LOWER('whatever is in the DB') must equal PHP strtolower('whatever the user entered').
If your users table is not defined with collation UTF8_GENERAL_CI, try changing it to that.
If that doesn't fix it, the code in models/tank_auth/users.php is very simple, so you can easily adapt it to meet your needs.
Related
I am working on a function that allows a user to check if their existing device contacts are using our platform, based on phone numbers.
For privacy and security, we are hashing the user's contact's phone numbers on device (salted with the user's id) before sending to our server.
Server side, we then need to hash our entire contacts table (using the user's id as a salt), which is currently being done in a for loop.
We then check this list against the request list, and return the details for any matches.
However, I'm sure there is a more efficient way of doing this, something like computing the hash in a calculated field then including the $request->hashes in a "whereIn" clause.
Could someone give me a pointer on the best approach to be taking here?
The question is, what privacy and security are you achieving by sending hashed value of contact number?
You are hasing the contact in client side(device), that means you are using a key and salt that is available in clinet side already. How can that be a security feature?
If you want to search hashed value in database then it's better to save hashed contract number in a column in the first place. So you can directly run where query in database table.
Ideally, if you really concern about user's contact number you should:
Encrypt the user's contacts in backend/databse not in frontend.
If you need to query for a field in database then you should make a hash valued column that can be matched easily. I mean searchable fields should be hashed so you can run direct query.
Nothing to worry about user's contact security in frontend if you are already passing it trhough Secure HTTP(HTTPS).
Even it a common practice in the industry, to pass a submitted plain password via HTTPS when a user submit it in frontend. It shouln't be a concern of privacy or security.
Out of the box Laravel authorizes users by matching email (default - can be overridden) and password.
Is it possible to authorize user using 3 fields, e.g:
email
password
group
... where 'group' is some additional field from 'users' database.
In other words, user can belong to group:1 and can login to group:1 resources only, but not to group:2 using his group:1 credentials.
If user belongs to group:1 and group:2, then he needs different credentials to login to either group.
Additionally, user can use same email for both groups. In such case it is group number that would act as additional identifier. And of course passwords would be different.
I am thinking setting a database multiple column index on fields 'id' and 'group' would be a good start, but I fail to grasp (yet), what would be required to make Laravel authorization process sensitive to 3 fields, instead of 2.
I would appreciate some pointers.
This sounds like you're trying to achieve a form of tenancy on data belonging to certain groups only. Have a look at this package:
https://github.com/HipsterJazzbo/Landlord
In essence, you would add a group_id field to the tables where you wish to restrict access and then using middleware, apply an additional where('group_id', Auth::user()->group_id) clause to any database queries. This works very well for retrieving subsets of data belonging to specific users by their role, for example.
I have 2 database tables consisting of 2 different user types.
Users and Players.
Players is with user data from in-game plugin where passwords are BCrypted.
Users one is empty and is intended to store the user info from the Players table.
I am comparing the usernames and passwords.
The problem is that from the user input in the website get plain text password, and from the other table the passwords are already bcrypted and the Laravel bcrypt does not match the bcrypted cipher from Players table.
What are my options to compare the passwords in order to confirm that this is the user trying to log in.
In-game plugin cipher:
$2a$10$lpVYpSJ4O6Mt03eItJeipOWR8LGHP8dgk4a09.e6BFKVoYNAgjz86
Laravel plain text bcrypted:
$2y$10$yZoq3xBsfow49pL6UyGD2.5NKlmHOmfnCFc9JD5ZjDz3pf5K1XMhG
Both passwords are the same.
Try using Hash::check() function to compare plain password and hashed password.
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}
I found a solution, by using a library which helped me integrate the plugin on my website.
On top of that I had to do some minor configurations in the config file of the plugin. Changing the encryption method, so it matches the one in my Laravel application (BCrypt).
Later on I found out that I don't need to decrypt the password but just compare the hashes.
is it possible to set another table & column to store my remember tokens? I know that the framework tries to automatically find a remember_token column in my "users" model, but I want to store it separately from users. Is there a way to configure my default tokens table? Thank you
P.S - I'm using laravel 5
First, you need to create separate model for storing remember tokens and define a relationship on your User model like so
public function rememberToken() {
return $this->hasOne('RememberToken');
}
Then you need to override methods on your User model, originally defined in Authenticatable trait. Override getRememberToken() and setRememberToken() methods. You will also need to override getRememberTokenName() as it is used in where clause in EloquentUserProvider::retrieveByToken() see EloquentUserProvider line 60. In order for this to work properly you probably have to add global scope to your User model to join remember_tokens table on every query, and return 'remember_tokens.token' from getRememberTokenName() method.
Think twice as it seems more trouble than it is worth. Why would you want to store your tokens separately anyway?
I believe the way Laravel works uses a seperate column in the users table to store a single remember_me token. From my understanding it seems that logging out resets this token regardless of storing the token in a cookie (correct me if I'm wrong).
https://github.com/laravel/ideas/issues/971
If you log in with remember_me checked on your personal computer,
then again on your phone,
and maybe again with any other device,
then finally the act of signing out on any device using the remember_me token or not will reset this token in the DB.
If Laravel had a separate table, able to remember each device, it might solve the problem.
I want to register users on the basis of their emaild ids on my website, assuming that there is one to one relationship between users and their emailid strings. But gmail doesn't recongnize .s in email ids. That means juzerali#gmail.com and juzer.ali#gmail.com are the same users (or emaild ids).
My concern is not just this one use case, it could be overcome by simply stripping the string of dots. Different email providers might be having different policies regarding email aliases and notations.
My question to community is is there any de facto rules/guidelines for creating unique users based on their email ids as their unique identifiers? Or has someone implemented this successfully before?
NOTES: I have checked a few websites that registers on the basis of email id. They seem consider two gmail ids with different combinations with .s as different email ids. That means same email account holder can possess two accounts on the same site, which I want to avoid.
IMPORTANT: Oauth/OpenID is not an option.
Try facebook login and get username from the facebook API. But if you dont want to access any secondary service for auth, then you might as well ask users to choose a username, and constrain uniqueness there. As far as i know there is nothing more you can do!
Hotmail for example allows you to have any string after a +
for eg. abc#hotmail.com is same as abc+123#hotmail.com