I am using Cakephp 2.0 and Auth Component. My website consists of 2 user roles as follows
1. Admin
2. User
At a Time in a Browser either Admin or User can login to the website using Auth Component. it's not possible to handle Both User roles can log into the website at the same time in same browser. Is there any way to do it CAKEPHP. Now My client wants to login as Admin and User in same browser. But in Joomla and other frameworks has this feature. extremely sorry for this basic question
Depends on how your roles are defined and how your admin section is built. If you done it with proper prefix routing (/admin/:controller/:action/) then it is easy.
In you AppController::isAuthorized() just add a check like
if ($this->Auth->user('is_admin') == 1 && $this->request->params['prefix'] == 'admin') {
return true;
}
If you have an array of rules use in_array() to check for the allowed roles.
For more details read this link.
Related
is there a way to user your custom React GUI with oidc-client-js? I know that if you trigger authentication endpoint using:
// PopUps might be blocked by the user, fallback to redirect
try {
await this.userManager.signinRedirect(this.createArguments(state)); //Shows midleware login form
return this.redirect();
} catch (redirectError) {
console.log("Redirect authentication error: ", redirectError);
return this.error(redirectError);
}
Middleware will try to render its predefined login form:
However I have my own React form and I only need to pass to OICDClient params (email,password) and get back User instance to display UserName etc. Something like:
var loggedUser = await this.userManager.signinCustom(state.loginEmail, state.LoginPassword); //Login using credentials
I don't want to write all the logic by myself I really want to use all functionality from OIDCClient - only with my GUI (loginForm, registerForm, updateUserForm etc).
I'm using scaffolded library from MSDN using command:
dotnet new react -o <output_directory_name> -au Individual
Is there any method/implementation to initialise oidc-client-js from React components and not user default GUI forms?
Thanks a lot!
I might be missing some thing but the whole idea of using a 3rd partly federated auth provider be it your own/your company's SSO (say developed using Identity Server 4) or say Google sign in(say using their Firebase JS kit) or Microsoft sign in, Facebook sign in etc. is that you will be redirected to their authentication endpoint where you then use say your google credentials (if you are using google sign in for example) to sign on to google auth servers. Once you do that then a payload (consisting of an identity token and access token) is returned back to your redirect URL which you must configure for your specific app.
By saying you'd like to provide your own sign-in form you are missing the entire point of using a 3rd party authentication provider. Besides, you/your app shouldn't know about user names and passwords and you don't want to have access to all that information. All that you should be interested in knowing whether the user, who are using one of the federated authentication providers, that you would have configured for your app, are who they claim to be and you then delegate all that heavy lifting to your 3rd party authentication provider.
Besides, say your company has a SSO system of their own then all your company's app will use that SSO system and from a UI perspective you want to show the same login screen so as to give a consistent user experience.
In addition, if you show me a google authentication button and then on clicking that button you show me some weird form that doesn't look like the typical google picklist sign-in form then I'll shut down your app before you can say hello, and, I suspect most user would (and should) do the same. The reason being that when you show me a google sign-in page then I know that you/your app will only get back what you need and I wouldn't ever entrust my google user name and password to any other application.
If you really want to have your own authentication form then you'll have to manage user names and passwords yourself, the way we used to do things probably over 10+ years back.
If you decide to go the route of setting up your own authentication system and then say use identity server 4 then yes you can certainly change the UI and customize it to your heart's content, but that will happen at the server level, not at the level of your react app. Point being that in any SSO system the user will be redirected to the that auth provider's endpoint where they then authenticate (and, optionally, provider permission for your app to use certain claims) and once they do that they they are redirected back to your redirect endpoint with a payload (JWT token).
Lastly, even if you could some how wire up a client side sign in form, I'm not sure you would want to use it. Passing passwords & user names over the wire isn't a good idea. You'll always want to use a server rendered sign in form.
I'm doing a school project using reactjs and Firestore that has 2 users; user and admin. These are the features:
User:
User registers on the website. Upon registration, the system will generate a QR code for the user to be scanned. Upon scanning, the vaccination status of the user will be updated such as the vaccine type, dose, date of vaccination, and etc. The user may also input side effects they've experienced, and view the vaccination graph reports.
Admin:
Admin can log in and scan the qr code, view vaccination graph reports, Vaccine (CRUD), list of the users
Is it okay to have one login interface for both users and admin? Are there any security risk or defining the security rules is already enough?
Or is it preferable to have a separate login interface? If a separate login interface will
be used, would I need Firebase Admin SDK and Cloud Functions (the problem here is that we do not have a credit card for the Cloud functions)?
I am not sure how you are executing the QR Code logic for both admin and users and fetching all these details. Nonetheless, I would like to suggest an approach that you can follow. You can set your authentication based on role and create multiple routes for your application using React Router for Firebase.
For instance, a user should be able to visit a public landing page,
and also use sign up and sign in pages to enter the application as an
authenticated user. If a user is authenticated, it is possible to
visit protected pages like account or admin pages whereas the latter
is only accessible by authenticated users with an admin role.
There is no reason to show a non authenticated user the account or
home page in the first place, because these are the places where a
user accesses sensitive information. In this section, you will
implement a protection for these routes called authorization. The
protection is a broad-grained authorization, which checks for
authenticated users. If none is present, it redirects from a
protected to a public route; else, it will do nothing. The condition
is defined as:
const condition = authUser => authUser != null;
// short version
const condition = authUser => !!authUser;
In contrast, a more fine-grained authorization could be a role-based or permission-based authorization
// role-based authorization
const condition = authUser => authUser.role === 'ADMIN';
// permission-based authorization
const condition = authUser => authUser.permissions.canEditAccount;
The real authorization logic happens in the componentDidMount() lifecycle method. Like the withAuthentication() higher-order component, it uses the Firebase listener to trigger a callback function every time the authenticated user changes. The authenticated user is either an authUser object or null.. If the authorization fails, for instance because the authenticated user is null, the higher-order component redirects to the sign in page. If it doesn't fail, the higher-order component does nothing and renders the passed component (e.g. home page, account page).
You can check this tutorial and get an idea of the approach I was mentioning.
Just a reminder : While Firebase Realtime Database can be used on the free plan, Cloud Firestore is charged by usage. That's why you can set monthly quotas and budget alerts. You can always see the pricing plan, and adjust it, in the bottom left corner of your Firebase project's dashboard.
Also yes Cloud Functions still has a monthly free allowance that's documented in the pricing page. But you will have to provide a credit card and be on a billing plan in order to use it. You will be responsible for paying for any monthly overage. But I don’t think you will need Cloud functions for that matter, just some decent db rules to protect your database and the authentication of your application based on role and routes using React Router for Firebase should be good enough.
I am using Laravel as a Backend and Angularjs as a Frontend.
I am Using this full package https://github.com/andbet39/tokenAuth for my Local setup AWT authendication it working fine,
How to do admin authendication and redirect to admin page?
How to do in Admin Panel
You have choices to make here.
There are several packages out there that can provide a full fledged admin panel for you (e.g. TCG/Voyager).
Or you could build one yourself with Laravel/Angular, this way you can customize the way you want.
The question I'm sensing here (you didn't state one clear enough) is:
How do I redirect to my admin panel?
The anwser to that comes down to this.
You need to have a route protected by auth middleware
# L5
Route::middleware(['auth'])->get('/admin', 'AdminController#index)->name('admin.index');
And put the redirect in your controller
public function login(Request $request)
{
(..)
return redirect(route('admin.index'));
}
After a successful login, the user get's redirected to the admin page.
Since this is a very basic example you should add more validation based on if the user is allowed to even view the admin page. But that is for a later stage :)
I have a relatively simple question that I am having trouble finding the answer to. I want to set up a way for users to sign up for and log into my site using Facebook. I have been through tutorials which show me processes I need to go through in order to enable my website to communicate with Facebook.
My question is: Once I can communicate with Facebook, how do I then sign a user up permanently on my site? Do I pull information about the user from Facebook and just create a profile for them on my site using that information? Wouldn't I need to then associate that user's unique Facebook ID with the profile I create for them on my website. It seems like I will have to alter my databases in order to accommodate logging in through Facebook. Am I on the right track?
You can authorize/reauthorize a User with Facebook even without any Database, but if you want to store data for the User (name, email, ...) or connect it to an existing User account in your Database, you can store the unique ID.
Use FB.login to authorize with Facebook and FB.getLoginStatus to refresh the User session and to check if a returning User authorized your App already. The User ID is in the callback response of those functions, for example:
FB.getLoginStatus(function (response) {
if (response.status === 'connected') {
//user is authorized
console.log(response.authResponse.userID);
} else {
//user is not authorized or not logged in on facebook
}
});
Careful though, it is an "App Scoped ID" and only valid for one specific App. See changelog for more information: https://developers.facebook.com/docs/apps/changelog
Btw, here´s an article about Login with the JavaScrip SDK: http://www.devils-heaven.com/facebook-javascript-sdk-login/
I'm having problems integrating a CakePHP app (jSlate) into a bespoke non-Cake web application. All the alternative authentication scripts I've seen simply change the behaviour of the login form, in other words the login form still appears, and asks for username and password, but these are authenticated against an alternative source, such as LDAP.
What I actually want is for no login screen to appear at all. Instead I want a very simple behaviour:
Detect if user is already logged in to third party app.
If yes, automatically log them in to the CakePHP app (in this case jSlate).
If no, redirect to the third party app login screen.
Is there a tutorial for a CakePHP authentication along these lines? Or does someone know how to do this? I've worked out how to do part 3, but this behaviour is kind of useless without parts 1 and 2...
You can put this into your AppController::beforeFilter:
public function beforeFilter() {
if (!$this->Auth->user()) {
// if no user is currently logged in
if ($this->Cookie->read(...)) {
// or
if ($_COOKIE[...]) {
// or whatever else you want to detect
$this->redirect('http://some.external/login/service');
}
}
}
This external login service would then presumably redirect the user back to your Cake app at some point with some sort of token. You just need to define a publicly accessible action (no auth required) which it can redirect back to. In that action, you check all the tokens you need and can then "manually" authenticate the user:
$user = $this->User->find(/* find your Cake user by some id */);
if ($user) {
$this->Auth->login($user['User']['id']);
}
Congratulations, the user is now logged in as if he'd used a login form and has a valid Cake session.