Laravel user authentication after confirmation mail - authentication

In Laravel, after registration, the user receives an email with a link with a confirmation code.
When the user clicks the link in the email, I want to login the user.
Problem: The attempt-method needs a password and I only have the hashed password I stored while registering. You can't login with an hashed password with the code below.
$credentials = [
'username' => Input::get('username'),
'password' => Input::get('password'),
'confirmed' => 1
];
Auth::attempt($credentials);
What is the best way to confirm and immediately login?

You can login directly without a password using either
Auth::loginUsingId(1);
or
Auth::login($user);
So use either of these after the confirmation code is confirmed.

Related

Login by multiple user accounts when using JSON Web Token

I am using JSON Web Token to authenticate the user in my application. Using https://jwt.io documentation, I use the jwt token to authenticate the user.
$tokenData = array(
"jti" => $tokenId,
"iat" => $issuedAt,
"exp" => $expire,
"user" => $user
);
$jwt = JWT::encode($tokenData, $secretKey, 'HS512');
But the problem is when one user can not login from multiple devices at the same time, it gives an error since the first login token get invaidated. Is there a way to handle this issue. Thanks in advance.

ember-simple-auth: only validate the password without logging in

Is it possible to only check the password with ember-simple-auth? I want the user to re-enter their password if they want to delete their account. Can this password check be done without touching the store using ember-simple-auth?
If I use code similar to this:
let loginPromise =
session.authenticate('authenticator:jwt', { identification, password })
return loginPromise.then(() => true).catch(() => false) // allow/deny to delete the account
then the session is invalidated if the password is wrong, so the user is signed out. I want, however, to only disable the "Delete Account" button if the password is wrong (without any other side effects like signing in).

Laravel Auth attempt hashing

In a login form, I have this Auth check:
$auth = Auth::attempt([
'email' => Input::get('email'),
'password' => Input::get('password'),
'active' => 1
], $remember);
Now this Auth check is taking the raw input from the input field. Yet my database of which this is Authorising against stores the password in an encrypted state using Hash::make().
This login form works perfectly fine. The user logs in with the correct password, but it uses a raw password in the Auth function against a hashed password, yet returns true.
Why is this?
The Auth class does the hashing in the background and compares the password the same way you would normally.

Devise Confirmation Resend "Login can't be blank" error & Confirmation link from email has "Confirmation token is invalid" error

ruby '1.9.3'
"rails", "3.2.13"
"devise", '~> 3.2.2'
I'm using the Devise confirmation controller without modification. I create a user and the email is sent. Then clicking on the link to confirm results in "Confirmation token is invalid". The token in the email is the same as in the database.
Also when the user is in Registrations edit I provided a link to resend the confirmation email. This brings the user to Confirmations New and you fill in the email and click the "Resend Confirmation instructions" button and receive the error "Login can't be blank." The user is logged in, otherwise they would not be able to get to users/edit or users/confirmation/new.
I have configured devise to accept a user_name or email for login.
During password reset ensure resent_password_sent_at column against user record must be set to Time.now /time when particular password change token is being sent.
raw, enc = Devise.token_generator.generate(#user.class, :reset_password_token)
#user.update_attributes(reset_password_token: enc, reset_password_sent_at: Time.now)

Laravel 4, reset password only with token (howto check it and get user)

What is the best way to reset password only with token?
Now it mades with token and email, I want to get an email by checking tocket in reminders table.
Thanks!
Update
Resolved this by:
$email = DB::table(Config::get('auth.reminder.table'))->where('token', $token)->pluck('email');
Here's how I do password resets.
User clicks Forgot Password link and is taken to a form with one field for email.
They enter their registered email address and I check the email exists in the DB. If it does, I store a random reset code for that user using Str::random(60). I then save the user and email them a link with a reset code (eg. http://domain.com/reset/CODE).
User clicks the link and is taken to the URL above which checks the CODE. If the CODE exists in the DB, the password for the matching user is reset to something random using Str::random(10) and this new password is mailed to the user.
Not sure if this is right/wrong, but it works for me.