Laravel Auth attempt hashing - authentication

In a login form, I have this Auth check:
$auth = Auth::attempt([
'email' => Input::get('email'),
'password' => Input::get('password'),
'active' => 1
], $remember);
Now this Auth check is taking the raw input from the input field. Yet my database of which this is Authorising against stores the password in an encrypted state using Hash::make().
This login form works perfectly fine. The user logs in with the correct password, but it uses a raw password in the Auth function against a hashed password, yet returns true.
Why is this?

The Auth class does the hashing in the background and compares the password the same way you would normally.

Related

Pimcore password datatype in class

I am trying to use the Pimcore password datatype. It is working fine and the password is stored as encrypted data.
Now I need to check the correct username and password. I could not match the encrypted password. I want to get the username and password using an API request. If the username and the password is correct then return value.
The password is hashed before it is stored to the database. Have a look at the password class within this path:
pimcore/models/DataObject/ClassDefinition/Data/Password.php
If you want to compare the hashed password within the database then use the functions of the password datatype. The password to compare also has to be hashed.
Have a closer look on the functions calculateHash() and verifyPassword() within the class. You should be able to compare passwords by using those functions.
Here is an example :
$user = User::GetByEmail($email, ['limit' => 1, 'unpublished' => false]);
$classDefinition = ClassDefinition::getById(User::classId());
/** #var \Pimcore\Model\DataObject\ClassDefinition\Data\Password $passwordFieldDefinition */
$passwordFieldDefinition = $classDefinition->getFieldDefinition('password');
$verified = $passwordFieldDefinition->verifyPassword($password, $user, false);

Yii2 DbSession lost after redirect, 90% of the time

My login worked perfectly with PHP sessions. I tried switching to DbSession engine but login will not work anymore, as the session is empty after the page redirection.
Here's the workflow:
User enters his user id and clicks submit to post the data
Validation works (I tested) and a new identity cookie is created with the key sess = XXXX (tested with log just before redirect).
The $_SESSION is filled with the user data (tested with log just before redirect)
The page redirects with the new response cookie.
The password page loads and the request cookie has the same XXXX value (tested with log just after redirect + in chrome developer tools).
The session now only contains
[__flash] => Array
(
)
response cookie "sess" = request cookie "sess" = id in the session table, so the same key is everywhere, yet the session is still empty on the password page, 90% of the time (because in some random cases, the session is still there, but I can't reproduce it on demand)
I already checked these questions, not the same problem:
PHP session lost after redirect
Session lost after redirect in Codeigniter
Has anyone seen something similar before? I can't figure out what's causing this.
Addendas:
Session configuration
'session' => [
'class' => 'yii\web\DbSession',
'name' => 'sess',
'timeout' => 3600,
'db' => 'session_db',
'sessionTable' => 'session',
],
Session db config
$config['components']['session_db'] = [
'class' => 'yii\db\Connection',
...
],
Login action
// authenticate() Just checks if the user is valid, etc
Yii::$app->user->authenticate();
// login() just calls parent::login(), sets some session values then returns !$this->getIsGuest()
Yii::$app->user->login(Yii::$app->user);
update!! I have just noticed that if I use the same database instead of "db" (my main db) instead of "session_db", it works perfectly, even if both tables have exactly the same schema in the 2 databases.

Login by multiple user accounts when using JSON Web Token

I am using JSON Web Token to authenticate the user in my application. Using https://jwt.io documentation, I use the jwt token to authenticate the user.
$tokenData = array(
"jti" => $tokenId,
"iat" => $issuedAt,
"exp" => $expire,
"user" => $user
);
$jwt = JWT::encode($tokenData, $secretKey, 'HS512');
But the problem is when one user can not login from multiple devices at the same time, it gives an error since the first login token get invaidated. Is there a way to handle this issue. Thanks in advance.

ember-simple-auth: only validate the password without logging in

Is it possible to only check the password with ember-simple-auth? I want the user to re-enter their password if they want to delete their account. Can this password check be done without touching the store using ember-simple-auth?
If I use code similar to this:
let loginPromise =
session.authenticate('authenticator:jwt', { identification, password })
return loginPromise.then(() => true).catch(() => false) // allow/deny to delete the account
then the session is invalidated if the password is wrong, so the user is signed out. I want, however, to only disable the "Delete Account" button if the password is wrong (without any other side effects like signing in).

Laravel user authentication after confirmation mail

In Laravel, after registration, the user receives an email with a link with a confirmation code.
When the user clicks the link in the email, I want to login the user.
Problem: The attempt-method needs a password and I only have the hashed password I stored while registering. You can't login with an hashed password with the code below.
$credentials = [
'username' => Input::get('username'),
'password' => Input::get('password'),
'confirmed' => 1
];
Auth::attempt($credentials);
What is the best way to confirm and immediately login?
You can login directly without a password using either
Auth::loginUsingId(1);
or
Auth::login($user);
So use either of these after the confirmation code is confirmed.