I created a new application with CakePHP 4. For authentication I used CakeDC/users plugin. It’s working fine. I can login to application.
I also added REST API following this instructions: REST - 4.x
For authentication to API I use Token based and it’s working fine. For API I created a new prefix:
$routes->prefix('Api', function (RouteBuilder $routes) {
$routes->setExtensions(['json']);
$routes->fallbacks(DashedRoute::class);
});
This is config in users.php:
'Auth.Authenticators.Token' => [
'className' => 'Authentication.Token',
'skipTwoFactorVerify' => true,
'header' => 'authorization',
'queryParam' => 'api_token',
'tokenPrefix' => 'Token',
'unauthenticatedRedirect' => null
],
Problem happen when I enter wrong Token. API returns HTML login form. I would like that returns 401.
Is there any good tutorial or any hint, how can solve this issue?
Tnx
I created custom unauthorizedHandler class and it's working fine.
in config/users.php I added this line:
'Auth.AuthorizationMiddleware.unauthorizedHandler.className' => 'CustomRedirect',
And created a new file CustomRedirectHandler.php in src/Middleware/UnauthorizedHandler directory.
Also I was missing the accept: application/json header.
Related
I developed a CakePHP 3 plugin that has to handle POST requests without a CSRF token.
In the application where I use the plugin I apply the middleware to the root scope.
Router::scope('/', function (RouteBuilder $routes) {
$routes->registerMiddleware('csrf', new CsrfProtectionMiddleware([
'httpOnly' => true
]));
$routes->applyMiddleware('csrf');
...
How can I disable the middleware for the plugin?
I tried $this->addPlugin(\My\Plugin::class, ['middleware' => false]) but that didn't work.
Or is the Plugin responsible to disable the CSRF middleware?
You can try below code:
// In Application::bootstrap()
use ContactManager\Plugin as ContactManagerPlugin;
// Use the disable/enable to configure hooks.
$plugin = new ContactManagerPlugin();
$plugin->disable('middleware');
$this->addPlugin($plugin);
The problem was that I forgot to load the plugin routes in Application::bootstrap().
$this->addPlugin(\My\Plugin::class, ['routes' => true]);
According to the cake book routes, bootstrap, middleware and console hooks are disabled by default.
Here's what I have
Cakephp 3.7.2; in my routes.php:
<?php
use Cake\Core\Plugin;
use Cake\Routing\RouteBuilder;
use Cake\Routing\Router;
use Cake\Routing\Route\DashedRoute;
use Cake\Http\Middleware\CsrfProtectionMiddleware;
Router::defaultRouteClass(DashedRoute::class);
Router::scope('/', function (RouteBuilder $routes) {
$routes->registerMiddleware('csrf', new CsrfProtectionMiddleware());
$routes->applyMiddleware('csrf');
$routes->connect('/', ['controller' => 'Pages', 'action' => 'display', 'home']);
$routes->fallbacks(DashedRoute::class);
});
/*
Router::scope('/api', function ($routes) {
// connect routes with *no* CSRF protection as that middleware is not active
// for this routing scope.
});
*/
Router::prefix('api', function ($routes) {
$routes->prefix('users', function ($routes) {
$routes->fallbacks(DashedRoute::class);
});
});
What I'm doing
Make a POST request to /api/users using Postman. The request goes through and I see the correct response. I want to make sure I have the protection enabled for the rest of the site, so I'm expecting one of those Missing CSRF token cookie errors though. Once confirmed, I will uncomment the API route exception.
What I've tried
Follow controllers/middleware.html#csrf-middleware and put the registerMiddleware() call into src/Application.php
Put some gibberish into the applyMiddleware() call. It complains about not being able to find that middleware, which confirms the function does get called
Put $this->loadComponent('Csrf'); into AppController.php. It works and I do get the Missing CSRF token cookie. It does not show me the warning about conflicting components like this page says it should
I'm under impression the middleware was not enabled properly, but it's not obvious to me what exactly is wrong. Please assist
Turns out this was actually the right setup.
I didn't realise the lower Router::prefix call with no middleware would negate the above Router::scope call (i.e. act as an exception), but it did.
I am building AngularJs and WebApi application, usin Aspnet Core rc1. I have problem with returning static index.html file. I have tried several methods. The first method was to use such code in Startup.cs
app.UseFileServer();
app.UseMvc();
In this way it works, if I call http://localhost:29838 (root url). But if I go on http://localhost:29838/books ( /books root is my angular root defined using ng-route, and I am using html5 mode) and renew the page, server will return 404 mistake of course.
Then, I read this article https://dzone.com/articles/fixing-html5mode-and-angular .I have tried to use rewrite module method in web.config/ Everything works fine. But I do not like this method. As I have understood it works only with IIS.
Finally, I have tried to use the first way, described in article (when Home/Index returns html file).controller code is:
public ActionResult Index()
{
return File("~/index.html", "text/html");
}
and Startup.cs is:
routes.MapRoute(
name: "Default",
url: "{*.}",
defaults: new
{
controller = "Home",
action = "Index",
}
);
Using this approach I have such erros: Refused to load the script 'http://localhost:29838/libs/jquery/dist/jquery.min.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". And I can not overcome this. What am I doing wrong?
Try to use AspnetCore.SpaServices, they provide you legit HTML5 spa-fallback.
Something like this:
app.UseStaticFiles();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
routes.MapSpaFallbackRoute(
name: "spa-fallback",
defaults: new { controller = "Home", action = "Index" });
});
This library fix all your issues with SPA-fallback.
The SpaServices mentioned by #Andrei is great if you are using an MVC page that has server side render or some server logic.
If you don't have any logic in the server side, and you don't need it, you could just do the following:
app.Use(async (context, next) =>
{
await next();
if (context.Response.StatusCode == 404 && !Path.HasExtension(context.Request.Path.Value))
{
context.Request.Path = "/index.html";
await next();
}
})
.UseDefaultFiles(new DefaultFilesOptions { DefaultFileNames = new List<string> { "index.html" } })
.UseStaticFiles()
What the snippet does is look for pages that don't exist on the server side, and redirect them to '/index.html'. If you have a different entry point file, you may change the Url. Also, if the file requested has extension, it is served in order to allow javascript, css, html etc to be rendered on the client.
You can also take a look here: https://code.msdn.microsoft.com/How-to-fix-the-routing-225ac90f
Finally. I have found the solution. For security I use OpenIdConnect.Server. In sample project author used NWebsec.Middleware. And I have just copied csp settings from this sample project
app.UseCsp(options => options.DefaultSources(configuration => configuration.Self())
.ImageSources(configuration => configuration.Self().CustomSources("data:"))
.ScriptSources(configuration => configuration.UnsafeInline())
.StyleSources(configuration => configuration.Self().UnsafeInline()));
Notice, that authore misspelled calling .Self() method after ScripSources(). And I have not noticed that !!! Be carefull with copy and paste
I'm using Laravel and Angular to write a web app.
In the front end Laravel is used to create the basic template, but otherwise controlled by Angular. In the back end laravel is used to create a restful API.
I have a few routes like this:
Route::group(['domain' => 'domain.com'], function() {
Route::get('/', ['as' => 'home', function () {
return view('homepage');
}]);
Route::get('/login', ['as' => 'login', function () {
return view('login');
}]);
//users should be authenticated before accessing this page
Route::get('/dashboard', ['as' => 'dashboard', function () {
return view('dashboard');
}]);
});
Route::group(['domain' => 'api.domain.com', 'middleware' => ['oauth']], function() {
Route::post('/post/create', ['uses' => 'PostController#store']);
Route::get('/post/{id}', ['uses' => 'PostController#show']);
//other API endpoints
// ...
});
I want to make sure my domain.com/dashboard URL is only accessed by authenticated users.
In my backend I have OAuth implemented for my API routes which makes sure the user accessing those routes are authentic. Laravel's Auth::once() is used by the OAuth library to make sure the user credentials are correct then generates an access_token. Since Auth::once() is a "stateless" function no session or cookies are utilized and I cannot use Auth::check() to make sure a user is authenticated before the dashboard page is rendered.
How should I go about checking to see if the user trying to access domain.com/dashboard is authenticated? Should I send the access_token in the header when I forward the user from /login to /dashboard? Or should I implement Laravel's a session/cookie based authentication?
EDIT: As per this: Adding http headers to window.location.href in Angular app I cannot forward the user to the dashboard page with an Authorization header.
In order to reuse my API for my mobile apps I STRONGLY prefer to use some sort of token based authentication.
I would advise to use JWT (JSON Web Tokens) to control for authentication.
I think there are several tutorials for their use with Lavarel and AngularJS. I'm more into Python and I use Flask, but the followings look interesting :
Simple AngularJS Authentication with JWT : the AngularJS configuration
Token-Based Authentication for AngularJS and Laravel Apps : the connection with Laravel
JSON Web Token Tutorial: An Example in Laravel and AngularJS
Pierre was right in suggesting JWT for your token based auth.
When the user successfully logs in, before you finish the request, you can create a JWT and pass that back to the client. You can store it on the client (localStorage, sessionStorage) if you want. Then on subsequent requests, put the JWT inside of your Authorization header. You can then check for this header in your middleware and prevent access to your API routes if the token is valid. You can also use that token on the client and prevent Angular from switching routes if the token doesn't exists or isn't valid.
Now if you are trying to prevent the user from accessing the page entirely on initial load (Opens browser, goes straight to domain.com/dashboard), then I believe that is impossible since there is no way to get information about the client without first loading some code on the page.
Not sure about Angular, as I have never used it, but have you tried targeting a controller with your dashboard route? For example
Route::get('/dashboard', [
'uses' => 'UserController#getDashboard',
'as' => 'dashboard',
'middleware' => 'auth'
]);
UserController.php (I'm assuming you have a blade called dashboard.blade.php)
<?php
namespace App\Http\Controllers;
use Illuminate\Support\Facades\Auth;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Session;
class UserController extends Controller
{
public function getDashboard()
{
if(Auth::user()) {
return view('dashboard');
} else {
redirect()->back();
}
}
}
Also, you could always group whichever routes you want to protect with this (taken from the Laravel 5.2 documentation):
Route::group(['middleware' => 'auth'], function () {
Route::get('/', function () {
// Uses Auth Middleware
});
Route::get('user/profile', function () {
// Uses Auth Middleware
});
});
EDIT: Regarding the session token, your login blade should have this in its code:
<input type="hidden" name="_token" value="{{ Session::token() }}">
When the /dashboard HTML loads, does it already include data specific to the user's account?
I would suggest to load the /dashboard HTML separately from the user's data, and hide the dashboard items with ng-cloak while Angular loads the data to populate it.
Redirect to /dashboard URL
Load (static?) dashboard HTML / Angular app, hiding all parts with ng-cloak.
Have Angular access the API using the access_token to load all dashboard data.
Revealing the parts of the dashboard when the data from the API comes in, or showing an error message if the access_token wan't valid.
That way, your /dashboard HTML could actually be just a static HTML file and directly served by the web server and cached by any proxy on the way.
If that isn't an option, you could put your access_token into a cookie with Javascript that runs on the /login view, then redirect to /dashboard, then have your server-side /dashboard view read the cookie to check if the access_token is valid. But that sounds messy and mixes up things that should be separated.
#Pierre Cordier #Mr_Antivius Thank you guys for your answer, it helped me get insight into the problem and allowed me to tinker with with JWT but ultimately did not product a solution for me.
To allow only authenticated users to access domain.com/dashboard I had to implement a hybrid session and OAuth authentication system. I decided to go with Sentinel (instead of Laravel's out of the box auth system) because it has a user permission system I need in other places in my app. I use this library for the OAuth Server.
Here is what I do in my controller:
POST domain.com/auth/authenticate:
public function processLogin(Request $request)
{
$credentials = [
'email' => $request->input('username'),
'password' => $request->input('password'),
];
try
{
$sentinel = Sentinel::authenticate($credentials);
}
catch (\Cartalyst\Sentinel\Checkpoints\ThrottlingException $e)
{
$response = ['error' => [$e->getMessage()]];
$httpStatus = 429;
return response()->json($response, $httpStatus);
}
catch (\Cartalyst\Sentinel\Checkpoints\NotActivatedException $e)
{
$response = ['error' => [$e->getMessage()]];
$httpStatus = 401;
return response()->json($response, $httpStatus);
}
if ($sentinel) //user credentials correct
{
//get oauth token
$oauthToken = Authorizer::issueAccessToken();
$response = ['success' => true, 'user' => ['id' => $sentinel->id, 'email' => $sentinel->email]] + $oauthToken;
$httpStatus = 200;
}
else
{
$response = ['success' => false, 'error' => ['Incorrect credentials']];
$httpStatus = 401;
}
return response()->json($response, $httpStatus);
}
Here is the method the OAuth library looks at to authenticate the user:
public function verifyAuth($email, $password)
{
$credentials = [
'email' => $email,
'password' => $password,
];
if ($user = Sentinel::stateless($credentials))
{
return $user->id;
}
else
{
return false;
}
}
This would create a response like so:
{
"success": true,
"user": {
"id": 1,
"email": "email#domain.tld"
},
"access_token": "6a204bd89f3c8348afd5c77c717a097a",
"token_type": "Bearer",
"expires_in": 28800,
"refresh_token": "092a8e1a7025f700af39e38a638e199b"
}
Hope this helps someone out there
Side Note: I'm sending a POST request to domain.com/auth/authenticate instead of api.domain.com/auth/authenticate because I could not get domain.com/dashboard to recognize sentinel's cookie if I posted to api.domain.com. I've tried changing domain in config/session.php to .domain.com but still nothing. Maybe I'm doing something wrong?
I am creating an API but stuck debugging.
Using this in my controller method:
$this->validate($request, [
'project_id' => 'required',
'content' => 'required',
]);
If I call that route with PostMan I get a not found error return by Laravel's debugging screen.
However the API call works fine when using an Angular (ionic) $http request.
Any help?
https://laravel.com/docs/5.1/validation#form-request-validation
If validation fails, a redirect response will be generated to send the user back to their previous location. The errors will also be flashed to the session so they are available for display. If the request was an AJAX request, a HTTP response with a 422 status code will be returned to the user including a JSON representation of the validation errors.
Checkout the code from FormRequest
public function response(array $errors)
{
if ($this->ajax() || $this->wantsJson()) {
return new JsonResponse($errors, 422);
}
return $this->redirector->to($this->getRedirectUrl())
->withInput($this->except($this->dontFlash))
->withErrors($errors, $this->errorBag);
}
When you use angular, Laravel knows you are sending ajax requests. When using Postman, Laravel thought it's a form request and redirect you to previous page which is 404. The solution is to add a header Accept: application/json in postman requests, so that Laravel knows you wantsJson() or X-Requested-With: XMLHttpRequest so Laravel thinks it's a ajax() request.
You can try the following
$validator = \Validator::make($request->all(), [
'project_id' => 'required',
'content' => 'required',
]);
if($validator->fails()){
return 'Validation error';
}
else{
return 'No error';
}