I have some question about yii authentication.
can yii create authentication for module and for site separated authentication. for example I have module learnings it will have it's own authentication. and also site has own authentication.
somesite/login - this will be site login
somesite/module_name/login - this will be module authentication
and then it can't access user from site login to module actions and
user from module login can't access site actions
where need authentication
let assume Admin is your module ,
Inside your admin/AdminModule.php file, add the following lines to the 'init' function
Yii::app()->setComponents(array(
'errorHandler' => array(
'errorAction' => 'admin/default/error',
),
'user' => array(
'class' => 'CWebUser',
'stateKeyPrefix' => '_admin',
'loginUrl' => Yii::app()->createUrl($this->getId() . '/default/login'),
),
));
for more info Module based login yii
Related
I read a lot of articles and watched a lot of videos about Laravel passport but still can not understand some things.
I have an application which works with Laravel 5.5 + vueJs. All requests to the back-end are sent via axios. All my routes are located in api.php
Route::middleware('api')->group(function(){
Route::get('/prepare/', 'CompgenApiController#prepareDefault');
Route::post('/replace/', 'CompgenApiController#replaceImage');
Route::get('/replaceall/', 'CompgenApiController#replaceAllImages');
Route::get('/collage/', 'CompgenApiController#collage'); //#todo переделать на POST
Route::get('/generate/', 'CompgenApiController#generate');
Route::post('/upload/', 'CompgenApiController#userUpload');
Route::post('/reupload/', 'CompgenApiController#moderationReupload');
});
Also I have a VK bot that sends requests to the same routes.
At the moment I have some difficulties. For some routes, I need to check that the user is authorized (but this is an optional condition) and if it is true I need to write user id to the database. For me it was a surprise that
Auth :: check
returned false though I was authorized. After some searches I learned that the session that starts after authorization is not connected with the API and I was recommended to use Passport. I can not understand the following things
Do I need to use a passport if requests are sent from my application from vueJs?
How to register users? Do I have to issue my token for each new user?
How can I verify that the user is authorized?
In some cases I need to check that the user is authorized but if it is not so then do not interfere with the request. How can I do that?
Maybe in my case I do not need a passport at all?
Passport is an oAuth2 server implementation, essentially, it allows you to authenticate users by passing a token with each request. If you do not want to authenticate a user, then you do not need to pass the token and passport doesn't get involved.
In terms of a Laravel app, if you are consuming your API from your own frontend, you probably just want to use the implicit grant. Here's how you set that up:
1) Install passport and add it the PassportServiceProvider to config/app.php
2) php artisan migrate to setup the passport migrations
3) php artisan passport:install - to set up your oAuth server
4) In the User model add the Laravel\Passport\HasApiTokens trait, like so:
namespace App;
use Laravel\Passport\HasApiTokens;
use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;
class User extends Authenticatable
{
use HasApiTokens, Notifiable;
// Other model methods
}
5) Setup the passport routes by adding the following to the boot method of your app\Providers\AuthServiceProviders.php:
\Laravel\Passport\Passport::routes();
6) Change your api driver in config/auth.php to token:
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
That sets up passport, now all you need to do to allow your app to consume your api is to add the CreateFreshApiToken Middleware to web in app/Http/Kernel.php, which handles all the token logic:
'web' => [
// ..Other middleware...
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
Now all you need to do to protect a route is to use the auth:api middleware on that route:
Route::middleware('auth:api')->get('/profile','Api\UsersController#edit');
That should all work fine, but you'll also want to register a new user. All you do is add the auth routes as normal to web.php:
Route::post('/login', 'Auth\LoginController#login');
Route::post('/logout', 'Auth\LoginController#logout');
Route::post('/register', 'Auth\RegisterController#register');
You can then simply maks a post request to those routes and Laravel will handle all the token stuff for you.
That handles api routes that require authentication, however, you also mentioned that you want to check if a user is authenticated, but not necessarily lock the route, to do that you can simply use:
Auth::guard('api')->user();
Which will get the authenticated user, so you could do something like:
public function getGreeting(){
$user = Auth::guard('api')->user();
if($user !== null) {
return response()->json(["message" => "Hello {$user->name}"], 200);
}
return response()->json(["message" => "Hello Guest"], 200);
}
That's it. Hopefully, I've covered everything there.
I have a Cakephp application and Yii application running on the same server. And their session config are
Cakephp:
Configure::write('Session', array(
'defaults' => 'php',
'ini' => array(
'session.cookie_path' => '/cakephp_app',
),
'cookie' => 'PHPSESSID'
));
Yii:
'session' => array(
'autoStart' => true,
'timeout' => 5400,
'sessionName' => 'YIIAPP',
)
I supposed their session will be separated, but the result is negative.
Since the cakephp app is already in production, so what can I do to separate the Yii session from the cakephp session?
And can anyone tell me how come my Yii is still using the PHPSESSID session, rather than then 'YIIAPP' session?
I've tested this and adding:
'sessionName' => 'YiiAPP'
worked first time for me.
However, I then added
session_start()
To my index.php file - and this then shows the PHPSESSID. So I suspect somewhere in your code you are using session_start() - which Yii doesn't need. It starts its own session automatically.
I'm pretty new to drupal, so bear with me if I'm not using correct terms.
I'm trying to give a stupidly basic application access to a drupal url - this application cannot do any complicated authentication.
Otherwise, this drupal system needs authentication and all other menu hooks use 'access arguments' => array('access content')
Even before looking a solution for easy authentication method with drupal like http://user:password#server.com/awesome/member/12345, I've tried just giving anonymous access with the following code block in a drupal .module file
function awesome_module_menu() {
$items['awesome/member/%'] = array(
'title' => 'Awesome member',
'type' => MENU_NORMAL_ITEM,
'page callback' => 'aw_memberdata_fetch',
'delivery callback' => 'aw_memberdata_deliver',
'access arguments' => TRUE // this supposedly should allow anonymous access - from the web
);
return $items;
}
I have these two functions, one to fetch the data, one to show it:
function aw_memberdata_fetch(memberId)
{
//fetch array of objects from DB
...
return $items;
}
function aw_memberdata_deliver($items)
{
switch(arg(3)) //format, comes after items
{
case 'json':
drupal_json_output($items);
break;
default:
$output = makeHtml($items); //makes HTML
drupal_deliver_html_page($output);
}
}
With an authenticated browser, this works as intented. From a browser with no auth cookie I'm allowed to see the HTML, but the results are not there, it's like the page callback function doesn't run for anon users, but delivery callback does.
How do I make this work for anon users?
You are using access arguments with the default user_access function for permission verification. This will basically call user_access(true) which will return
true for authenticated user (you are probably testing with the administrator account (uid = 1)) which bypasses the verification check. Administrator has full privileges.
false for anonymous users because the string value of the first argument passed to the user_access true doesn't exist as a permission setting.
You should use either use
a custom YOURMODULE_access hook which does the permission verification
declare custom permissions for your module (YOURMODULE_permission hook)
don't use permission verification by using 'access callback' => true which gives access to anonymous and authenticated users
function awesome_module_menu() {
$items['awesome/member/%'] = array(
'title' => 'Awesome member',
'type' => MENU_NORMAL_ITEM,
'page callback' => 'aw_memberdata_fetch',
'delivery callback' => 'aw_memberdata_deliver',
'access callback' => true,
);
return $items;
}
I activated csrf protection on my project which runs on Yii framework.
Csrf token is being created when base domain runs like "www.example.com".
But it isn't being created when the subdomain runs like "admin.example.com".
The configuration:
'components'=>array(
'request' => array(
'class' => 'application.components.HttpRequest',
'enableCsrfValidation' => true,
),
...
What is the problem in my code or is it about the server?
You can configure the CSRF cookie params in the request component in your main.php configuration:
'components' => array(
'request' => array(
'csrfCookie' => array(
'domain' => '.example.com',
),
),
),
Check out the other cookie options. You may also have to tweak the cookie path. This may also be helpful:
How do browser cookie domains work?
I have some code in AppControler::beforeFilter()
$this->Auth->authorize = array('Actions' => array('actionPath' => 'controllers'));
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
$this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
But the Auth does not redirect me to the users/login when I'm trying to load nonpublic action in browser. Instead it redirects me to the '/'. What I'm doing wrong?
It's probably because you have not granted permissions to the Login action in the users controller. Add this to the top of the users controller:
function beforeFilter(){
parent::beforeFilter();
$this->Auth->allow('login');
}
As a side note, the loginAction already defaults to /users/login. The same goes for the logoutRedirect. Try removing both as they are not really needed since you are already wanting it to go to the default location.
UPDATE
Have you included the component in the top of the AppController?
public $components = array('Auth');
The other thing to confirm is that you are not already logged in. If you are already logged in but have not granted permission to a specific action within a controller for logged in users, it can redirect as well.