I have used laravel fortify without jetstream.
The 2FA is always returning false.
Recovery codes are working but the 6 digit code always return false
class TwoFactorAuthenticatedSessionController extends Controller
{
...
/**
* Attempt to authenticate a new session using the two factor authentication code.
*
* #param \Laravel\Fortify\Http\Requests\TwoFactorLoginRequest $request
* #return mixed
*/
public function store(TwoFactorLoginRequest $request)
{
$user = $request->challengedUser();
if ($code = $request->validRecoveryCode()) {
$user->replaceRecoveryCode($code);
} elseif (! $request->hasValidCode()) { // This always return false
return app(FailedTwoFactorLoginResponse::class);
}
$this->guard->login($user, $request->remember());
return app(TwoFactorLoginResponse::class);
}
}
$request->hasValidCode()
public function hasValidCode()
{
return $this->code && app(TwoFactorAuthenticationProvider::class)->verify(
decrypt($this->challengedUser()->two_factor_secret), $this->code
);
}
I haven't changed the fortify backend. I have only converted the frontend with bootstrap.
I came across this post whilst searching for for an answer to the same question. I eventually found that my servers time was out by about 2 minutes. I enabled a NTP to keep the time synchronized and 2FA in Laravel started working without issues.
Related
I have tests in my Symfony 4.4 application that assert on a page that requires authentication. If my test simply hits an authenticated page and asserts on its content, it works as expected. However, if I request a page and then attempt to interact with the page — like submitting a form — I get an Access Denied error for the interaction request.
For example, this works fine:
/**
* #test
*/
public function it_allows_the_user_to_edit_their_profile()
{
$user = UserFactory::new()->createOne();
$this->auth($user);
$this->appClient->request('GET', '/profile');
$this->assertResponseIsSuccessful();
}
/**
* Simulate authentication
*
* #param $user
*/
protected function auth($user)
{
$session = self::$container->get('session');
$firewallName = 'main';
$user = $user->object();
$token = new UsernamePasswordToken($user, null, $firewallName, $user->getRoles());
$session->set('_security_'.$firewallName, serialize($token));
$session->save();
$cookie = new Cookie($session->getName(), $session->getId());
$this->appClient->getCookieJar()->set($cookie);
}
But this throws an error of Symfony\Component\Security\Core\Exception\AccessDeniedException: Access Denied. on the $this->appClient->submit($form); call:
/**
* #test
*/
public function it_allows_the_user_to_edit_their_profile()
{
$user = UserFactory::new()->createOne();
$this->auth($user);
$crawler = $this->appClient->request('GET', '/profile');
$form = $crawler->filter('[data-test="user-edit-profile"]')->form();
$form['profile_edit_form[first_name]'] = 'Foo';
$form['profile_edit_form[last_name]'] = 'Bar';
$this->appClient->submit($form);
$this->assertResponseIsSuccessful();
}
I have tried making a 2nd call to the auth() method before calling submit(), but the same error is thrown.
So it seems like the session isn't being terminated after the first appClient request which causes the 2nd request to fail.
Any ideas what might be a way around this?
I am learning Slim Framework v4 and decided to use Respect\Validation to validate inputted data and have hit a snag where I do not know how to inject the PDO into my custom rule I created.
The idea is to validate some inputs against the database if the provided data exist (or in another instances, if it was inputted correctly). In this specific case, I am tying to validate user's credentials for log in. My idea is this:
AuthController.php:
v::with('app\\Validators\\');
$userValidation = v::notBlank()->email()->length(null, 255)->EmailExists()->setName('email');
EmailExists() is my custom rule.
EmailExists.php:
namespace app\Validators;
use PDO;
use Respect\Validation\Rules\AbstractRule;
class EmailExists extends AbstractRule
{
protected $pdo;
public function __construct(PDO $pdo)
{
$this->pdo = $pdo;
}
public function validate($input, $id = null)
{
// a PDO query that checks if the email exists in database
}
}
But I get an error of Too few arguments to function app\Validators\EmailExists::__construct(), 0 passed and exactly 1 expected, which is somewhat expected since the AbstractRule does not have a PDO injected and my class extends it.
So how to inject the PDO interface so that I can use it in my custom rules?
Are you guys using another approach in validating this kind of data? Do note that I am writing an API, so the database validation is somewhat a must and after Googling for past two days, I have no solutions at hand.
I am also using a PHP-DI where I create PDO interface. This is my dependencies.php file:
declare(strict_types=1);
use DI\ContainerBuilder;
use Psr\Container\ContainerInterface;
use app\Handlers\SessionMiddleware;
return function (ContainerBuilder $containerBuilder) {
$containerBuilder->addDefinitions([
PDO::class => function (ContainerInterface $c) {
$settings = $c->get('settings')['db'];
$db = new PDO("mysql:host={$settings['host']};dbname={$settings['database']};charset={$settings['charset']},{$settings['username']},{$settings['password']}");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::MYSQL_ATTR_INIT_COMMAND, "SET NAMES 'utf8',time_zone='{$offset}'");
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
return $db;
},
'session' => function(ContainerInterface $c) {
return new SessionMiddleware;
}
]);
};
And (part of) index.php:
declare(strict_types=1);
use DI\ContainerBuilder;
use Slim\Factory\AppFactory;
// Instantiate PHP-DI ContainerBuilder
$containerBuilder = new ContainerBuilder();
// Set up settings
$settings = require __DIR__ . '/../app/settings.php';
$settings($containerBuilder);
// Set up dependencies
$dependencies = require __DIR__ . '/../app/dependencies.php';
$dependencies($containerBuilder);
// Build PHP-DI Container instance
$container = $containerBuilder->build();
// Instantiate the app
AppFactory::setContainer($container);
$app = AppFactory::create();
// Register middleware
$middleware = require __DIR__ . '/../app/middleware.php';
$middleware($app);
// Register routes
$routes = require __DIR__ . '/../app/routes.php';
$routes($app);
// Add Routing Middleware
$app->addRoutingMiddleware();
// Run App & Emit Response
$response = $app->handle($request);
$responseEmitter = new ResponseEmitter();
$responseEmitter->emit($response);
Any help would be appreciated.
Use your user model to count the number of rows in the user table where there is a hit.
If it is not exactly 0, the check returns false, if it is exactly 0, the check passes.
So you don't have to include a PDO at this point. I use Slim 3 and that works quite well.
namespace app\Validators;
use Respect\Validation\Rules\AbstractRule;
class EmailAvailable extends AbstractRule {
/**
* #param $input
*
* #return bool
*/
public function validate ($sInput) {
return User::where('user_email', $sInput)->count() === 0;
}
}
class EmailAvailable extends AbstractRule {
/**
* #param $input
*
* #return bool
*/
public function validate ($sInput) {
return User::where('user_email', $sInput)->count() === 0;
}
}
I am trying to build a real-time notification system in an app I am working on. one of the requirements is, when an ID is expired, that particular user should be sent a notification. Since this task needs to be run on daily basis at the maximum, I developed an artisan command that is easy to run with CRON jobs i.e. Laravel Scheduler. Every thing is working fine i.e. the artisan command is run and notification is generated & stored in database & all the related stuff. but each time a notification is generated, the page needs to be reload and this is where I am stuck. I am trying to make it happen in real time but a very strange error is being thrown & I don't know what it means.
Here is the necessary code:
Artisan.file
<?php
namespace App\Console\Commands;
use Illuminate\Console\Command;
use App\User;
use Carbon\Carbon;
use App\Notifications\UserIdExpired;
class UpdateCatalog extends Command
{
/**
* The name and signature of the console command.
*
* #var string
*/
protected $signature = 'check:expiry';
/**
* The console command description.
*
* #var string
*/
protected $description = 'dummy command to check its purpose';
/**
* Create a new command instance.
*
* #return void
*/
public function __construct()
{
parent::__construct();
}
/**
* Execute the console command.
*
* #return mixed
*/
public function handle()
{
$ZERO = 0;
$MONTH = 30;
$today = Carbon::today();
$users = User::all();
foreach($users as $user){
$today = Carbon::today();
$expiryDate = $user->qidexpire_on;
if($today->diffInDays($expiryDate, false) <= $MONTH && $today->diffInDays($expiryDate, false) >= $ZERO){
$this->info($user);
$this->info($expiryDate->diffInDays($today));
$user->notify(new UserIdExpired);
} else {
}
}
}
}
}
Notification.file
<?php
namespace App\Notifications;
use Carbon\Carbon;
use Illuminate\Bus\Queueable;
use Illuminate\Notifications\Notification;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Notifications\Messages\BroadcastMessage;
class UserIdExpired extends Notification
{
use Queueable;
public function via($notifiable)
{
return ['database', 'broadcast'];
}
public function toDatabase($notifiable)
{
return [
'user' => $notifiable,
'id_expired' => Carbon::now()
];
}
public function toBroadcast($notifiable)
{
return new BroadcastMessage([
'user' => $notifiable,
'id_expired' => Carbon::now()
]);
}
}
when I run php artisan check:expiry from console, Notification is generated & on page reload it updates number of notifications but its not happening in real time. Following is the error that is shown on console
[Illuminate\Broadcasting\BroadcastException]
Note: Whenever i reload the page, Pusher Console shows the respective log like connected private channel and host & all that stuff which means the problem is not on the client side, (yet)
just found the answer on this issue
had to encrypt false since I am developing locally
I am trying to implement a feature where, after logging in, a user gets redirected to a URL depending on their role. I have the roles part set up, but I'm having trouble testing the user's properties immediately after login.
I followed the instructions here to create a user login page. I have an AuthController that looks like this:
namespace App\Http\Controllers\Auth;
use App\User;
use Validator;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;
class AuthController extends Controller {
use AuthenticatesAndRegistersUsers, ThrottlesLogins;
protected $redirectTo = '/test';
...
}
My __construct() function validates the user, but I don't know how to access the user object only immediately after login. This is what I presently have:
public function __construct() {
$this->middleware('guest', ['except' => 'getLogout']);
if ( \Auth::check() ) {
$user = \Auth::user();
if ( $user->admin() ) {
// an admin
$this->redirectTo = '/admin';
} else {
// it's a client
$this->redirectTo = '/client/dashboard';
}
}
$user = \Auth::user();
if ( is_object($user) ) {
} else {
$this->redirectTo = '/auth-not-object';
}
}
When I first attempt to log in with an administrator account, I get to the path /auth-not-object, because there isn't any authenticated user object at that point.
After having attempted to log in, but getting a bad redirect, when I revisit the /login url, I get redirected to /home, which I believe is the default $redirectTo in the traits this class uses. So that means we've passed the AuthController __construct() method without having changed the $redirectTo, even though there is an authenticated user.
I've found other questions, such as How to add extra logic on login condition in Laravel 5.2 and laravel redirect to url after login, but I don't understand how to apply those answers. For instance, the accepted answer to the second question shows new methods, getCredentials() and login(), which don't exist in the poster's original class. I am not sure in what class to add them, or where to call them from, in my codebase.
Other similar answers show a radically different way of authenticating users, such as this. It seems that, to use that solution, I would need to re-write my code, and forgo the use of the traits, which include bonus features like login throttling and so on.
Is there a way I can redirect users based on role after login, while still using these built-in traits?
Im not sure if the 5.1 auth is the same as the 5.2 auth, but if it is, remove all that from the construct and add this method:
protected function handleUserWasAuthenticated( Request $request, $throttles, $guard )
{
if ($throttles) {
$this->clearLoginAttempts( $request );
}
if ( method_exists( $this, 'authenticated' ) ) {
return $this->authenticated( $request, Auth::guard( $guard )->user() );
}
return redirect()->intended( $this->redirectTo );
}
this is the method that will determine the redirect and you have access to the user object.
EDIT
I take the above back, just add the following to your controller;
protected function authenticated( $request, $user ) {
return redirect()->intended( $user->admin() ? '/admin' : '/client/dashboard' );
}
That should work nicely
I am trying to plug in my own legacy password service into Symfony3 to passively migrate users from a legacy database table.
The legacy system has passwords hashe with the same hard-coded $salt variables used across all members (therefore my FOSUserBundle table currently has the salt column empty for all members that are to be migrated).
The legacy method uses:
sha1($salt1.$password.$salt2)
The new method is Symfony's FOSUserBundle standard bcrypt hash.
I am trying to implement it so that when a legacy user first logs in, Symfony will try to:
Log in using FOSUserBundle's standard bcrypt method.
If #1 did not succeed then try the legacy algorithm.
If #2 succeeeds the password hash and salt in the database table will be updated to comply with standard FOSUserBundle method
I have been reading around about how to plug in a service to get this working and I think the below that I have seems to be correct in theory - if not any corrections/guidance would be appreciated as I've not been able to test it!
However, I'm unsure how I should go about connecting it all into Symfony so that the normal FOSUserBundle processes will carry out steps 2 and 3 if step 1 fails
services.yml:
parameters:
custom-password-encoder:
class: AppBundle\Security\LegacyPasswordEncoder
security.yml:
security:
encoders:
#FOS\UserBundle\Model\UserInterface: bcrypt Commented out to try the following alternative to give password migrating log in
FOS\UserBundle\Model\UserInterface: { id: custom-password-encoder }
BCryptPasswordEncoder (standard FOSUserBundle):
class BCryptPasswordEncoder extends BasePasswordEncoder
{
/* .... */
/**
* {#inheritdoc}
*/
public function encodePassword($raw, $salt)
{
if ($this->isPasswordTooLong($raw)) {
throw new BadCredentialsException('Invalid password.');
}
$options = array('cost' => $this->cost);
if ($salt) {
// Ignore $salt, the auto-generated one is always the best
}
return password_hash($raw, PASSWORD_BCRYPT, $options);
}
/**
* {#inheritdoc}
*/
public function isPasswordValid($encoded, $raw, $salt)
{
return !$this->isPasswordTooLong($raw) && password_verify($raw, $encoded);
}
}
LegacyPasswordEncoder:
namespace AppBundle\Security;
use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
class LegacyPasswordEncoder extends BasePasswordEncoder
{
/**
* {#inheritdoc}
*/
public function encodePassword($raw,$salt)
{
if ($this->isPasswordTooLong($raw)) {
throw new BadCredentialsException('Invalid password.');
}
list($salt1,$salt2) = explode(",",$salt);
return sha1($salt1.$raw.$salt2);
}
/**
* {#inheritdoc}
*/
public function isPasswordValid($encoded, $raw, $salt)
{
list($salt1,$salt2) = explode(",",$salt);
return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded,sha1($salt1.$raw.$salt2));
}
}
The solution to your problem is to use the Symfony feature allowing to change the password hashing algorithm dynamically based on the user: https://symfony.com/doc/current/cookbook/security/named_encoders.html
This way, you can mark any non-migrated user as using a legacy algorithm. Then, when updating the password, you would reset the algorithm being used before saving the user, so that the new password is hashed using the new stronger algorithm
Start by mapping your user class to the desired encoder:
security:
hide_user_not_found: false
encoders:
Cerad\Bundle\UserBundle\Entity\User: # Replace with your user class
id: cerad_user.user_encoder # Replace with the service id for your encoder
That should be enough to get your encoder plugged in.
Then you need to actually write your custom encoder by extending BCryptPasswordEncoder and override the isPasswordValid method. And of course create a service for it. Lots to learn.
How to call BcryptPasswordEncorder followed by LegacyPasswordEncoder? You don't. At least not directly. Symfony does not have a chain password encoder. Instead, write your own encoder and implement the chaining yourself.
class MyEncoder extends BCryptPasswordEncoder
{
function isPasswordValid($encoded,$raw,$salt)
{
// Check the bcrypt
if (parent::isPasswordValid($encoded,$raw,$salt)) return true;
// Copied from legacy
list($salt1,$salt2) = explode(",",$salt);
return
!$this->isPasswordTooLong($raw) &&
$this>comparePasswords($encoded,sha1($salt1.$raw.$salt2));
And make sure you define your encoder under services and not parameter. Also be sure to pass the cost (default is 13) as a constructor argument.