tappleby / laravel-auth-token Goto Github PK

We need to have the functionality where the client can be logged into both the app on their phone and the admin panel on their pc at the same time. However currently when you log into one it logs you out of all others.

I see some discussion on the multiple tokens per user issue which could be the solution, however at the moment it seems to be a future addition which isnt helpful to me haha.

I was hoping you could maybe point me to a solution using laravel auth token that could atleast patch this somehow until the new stuff is implemented.

Is there any method that I can retrieve a public (serialized) token without creating a new one?

Any idea how I could write some Codeception tests while using this? I have the usernames/passwords to the users, but I'm unsure of how to do all the authenticating and whatnot

This is very handy package is working fine, however I find it difficult to override the default NotAuthorizedException with custom response.

I've tried to use only App::error(<...>) as defined in documentation.

But then the response is blank.

What I'm missing?

I have the following for my session config in app\config\session.php

return array(
    'driver' => 'database',
    'lifetime' => 120,
    'expire_on_close' => false,
    'files' => storage_path().'/sessions',
    'connection' => null,
    'table' => 'sessions',
    'lottery' => array(2, 100),
    'cookie' => 'laravel_session',
    'path' => '/',
    'domain' => null,
    'payload' => 'laravel_payload',
);

If I login 5 times in a row with 5 different users, it uses the same session ID. How do I need to configure the session config and the auth-token package so that I can kill the session if a new login occurs?

Issue #34 didn't seem to fix my problems.

Right now I'm trying to use the AuthTokenProviderInterface to look up a user based on the Auth Token.

use Tappleby\AuthToken\AuthTokenProviderInterface

class ItemController extends BaseController {

    public function __construct(AuthTokenProviderInterface $tokens)
    {
        $this->tokens = $tokens;
    }

This produces file:

"XXXXXXXX\vendor\laravel\framework\src\Illuminate\Container\Container.php"
line: 510
message: "Target [Tappleby\AuthToken\AuthTokenProviderInterface] is not instantiable."
type: "Illuminate\Container\BindingResolutionException"

However, I have added the service provider into the providers section of the config for both the local environment and the main configuration file.

I call the AuthTokenProviderInterface at

$item->user_id = $this->tokens->find($token);

Any ideas?

Seed your User table: http://laravel.com/docs/migrations

php artisan serve # In your first terminal

php artisan tinker # http://laravel-recipes.com/recipes/280

$user = User::find(1);
$authToken = AuthToken::create($user);
$publicToken = AuthToken::publicToken($authToken);

//Test a valid token

$login = AuthToken::driver()->validate($publicToken);
print_r($login);

//Test an invalid token

$bad = AuthToken::driver()->validate('badToken');
print_r($bad);

exit;

Hi,

Is it possible to reduce the length of the generated authtoken?

Thanks

I'm building a Laravel app which also includes an API. I'd like to extend the default Laravel auth scheme to allow api access via tokens. Same auth structure, but two vehicles: api users validated via tokens, web app users validated via Laravel's default auth scheme.

I have a SessionController which I use to login and log out for web app users:

<?php

class SessionController extends \BaseController {

public function create() {

    if (Auth::check()) {
        return Redirect::to('/post/dashboard');
    }
    return View::make('sessions.create');

}

public function store() {

    if ( Auth::attempt(Input::only('username', 'password')) ) {
        return Redirect::to('/post/dashboard');
    } else {

        return Redirect::to('/login')->with('error', 'Failed Auth.');
    }

}

public function destroy() {

    Auth::logout();
    return Redirect::route('login');
}

}

Is it preferred that the api users go through a wholly separate controller for authentication in order to generate and validate tokens? Or can I somehow add the tappleby auth token stuff inside my existing SessionsController and have it serve both purposes?
I'm interested in best practices here.

Hi,

i want to use the AuthToken in 'auth.token.valid' Event, but i cannot find a function to receive the actually Public Token, only i can generate a newer one by:

$authToken = AuthToken::create(Auth::user());
$publicToken = AuthToken::publicToken($authToken);

I've noticed that the POST: /auth route always return a token that is the same as laravel_session.
Is it correct?

I've tried installing the package using composer.

The package folder appears under the vendor folder, but it is empty.

I've successfully published the config.

However, when I run the migration, composer tells me that there is nothing to migrate. What could be causing this?

Hi,

I have just started using this package and I like it.

I have, however stumbled into a small issue. On my local development copy everything works fine, but on my staging copy when I call \Auth::user(). I get a null result.

Both versions are running php 5.5+ and laravel 4.2.11.

The issue on staging appears to be that the user is not being logged in correctly and as I cant repeat the issue locallly, its hard to debug the issue.

Currently laravel-auth-token uses the X-Auth-Token header. However, according to CORS, using a custom header forces a pre-flight OPTIONS request (https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests).

This probably isn't an issue with native apps, but with single-page web apps a second OPTIONS call is always made that doesn't need to really be made. I'm using AngularJS.

However, standard headers, such as the 'Authorization' header do not cause a pre-flight request. Authorization can also be customized by setting a string before the token. For example, "Authorization: bearer [token]" is typical, but "Authorization: laravel [token]" could be used as well without creating a pre-flight request.

After installation and default settings I got errors, when sending valid data using email and password. The text in the main page "This package defaults to using email as the username field to validate against, this can be changed via the package configuration." is invalid, because in file:

AuthTokenController.php @ line 71 "array('username' => array('required'),...." and
AuthTokenController.php @ line 78 "$this->credentialsFormatter, $input['username'].."

After changing this to "email" instead of "username" all works fine.

As I see it is "hardcoded", and config file have no real purpose.

It would be fine if I can change table name from "ta_auth_tokens" to something more configurable.

All other things is working fine at this moment. Thank you for your awesome package!

Please, add small tutorial how can i use your bundle
I need details for creating private && public keys for post to auth action
Thank U

I'm looking for where in the code it logs the user into laravels auth system, but I can't seem to find it. Can you point me in the right direction?

Hi, how can i get this working?

I tried inserting a random character at the end and to my surprise it authenticated. Inserting it anywhere in the middle of the string or in the beginning will not authenticate. It varies by different sessions (one user will always authenticate with an extra character at the end, another user will always fail with one character at the end)

I am on Laravel 4.2.* and Auth-Token 0.3.*. I last updated about 3 months ago.

For some reasons I'm not allowed to update my code Laravel 4.1. This is the error I got when trying to install laravel-auth-token with Laravel 4.0:

Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Conclusion: remove laravel/framework 4.0.x-dev
    - Conclusion: don't install laravel/framework 4.0.x-dev
    - Conclusion: don't install laravel/framework v4.0.10
    - Conclusion: don't install laravel/framework v4.0.9
    - Conclusion: don't install laravel/framework v4.0.8
    - Conclusion: don't install laravel/framework v4.0.7
    - Conclusion: don't install laravel/framework v4.0.6
    - Conclusion: don't install laravel/framework v4.0.5
    - Conclusion: don't install laravel/framework v4.0.4
    - Conclusion: don't install laravel/framework v4.0.3
    - Conclusion: don't install laravel/framework v4.0.2
    - Conclusion: don't install laravel/framework v4.0.1
    - Conclusion: don't install laravel/framework v4.0.0
    - Conclusion: don't install laravel/framework v4.0.0-BETA4
    - Conclusion: don't install laravel/framework v4.0.0-BETA3
    - tappleby/laravel-auth-token 0.2.0 requires illuminate/support 4.1.x -> satisfiable by laravel/framework[4.1.x-dev], illuminate/support[4.1.x-dev, v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.23, v4.1.24, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9].
    - tappleby/laravel-auth-token 0.2.1 requires illuminate/support 4.1.x -> satisfiable by laravel/framework[4.1.x-dev], illuminate/support[4.1.x-dev, v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.23, v4.1.24, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9].
    - don't install illuminate/support 4.1.x-dev|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.0|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.1|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.10|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.11|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.12|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.13|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.14|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.15|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.16|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.17|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.18|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.19|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.2|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.20|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.21|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.22|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.23|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.24|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.3|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.4|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.5|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.6|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.7|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.8|don't install laravel/framework v4.0.0-BETA2
    - don't install illuminate/support v4.1.9|don't install laravel/framework v4.0.0-BETA2
    - Can only install one of: laravel/framework[v4.0.0-BETA2, 4.1.x-dev].
    - Installation request for laravel/framework 4.0.*@dev -> satisfiable by laravel/framework[4.0.x-dev, v4.0.0, v4.0.0-BETA2, v4.0.0-BETA3, v4.0.0-BETA4, v4.0.1, v4.0.10, v4.0.2, v4.0.3, v4.0.4, v4.0.5, v4.0.6, v4.0.7, v4.0.8, v4.0.9].
    - Installation request for tappleby/laravel-auth-token 0.2.* -> satisfiable by tappleby/laravel-auth-token[0.2.0, 0.2.1].

So how can I use the package with Laravel 4.0?

Hi,

we use the 'auth.token.valid' Event and set Auth::setUser(), but when destroy the token, Laravel dont call "auth.logout" Event, because you not use the Auth logout, or?

Can u implement this hasty?

Hi,

we want to allow multiple tokens per user. It always updates the existing entry. Its possible?

Apologizes if this is not the right place for this matter.

Some frontend applications make OPTIONS request instead of GET to retrieve information when dealing with CORS.

I had an application that sends OPTIONS to Laravel. After spending quite amount of time, I realize I need to provide a route for OPTIONS as well.

Maybe it's a good idea to also add this to readme.md ?
(For people who might encounter the same problem. )

Route::options('auth', 'Tappleby\AuthToken\AuthTokenController@index');

PS:
It seems like the OPTIONS is only available in Laravel 4.1.
I am using Laravel 4.1.28

Cheers.

I added the three routes mentioned to my routes.php file, added the service provider to app.php, and added the 2 aliases to app.php as well.

When I try to POST to the auth route, however, I get:

Illuminate \ Container \ BindingResolutionException
Target [Tappleby\AuthToken\AuthTokenProviderInterface] is not instantiable.

Is there another piece of code I'm missing somewhere?

Thanks,
Paul

How can I extend your library to use the correct format for JWT's? They seem to have dots separating the different segments.

Hey, just noticed the last report was already closed. But yeah I am having this problem using angular too. Followed the github instructions for installing so fairly certain I have the latest version. Any idea why it might be throwing me 500 errors on unauthorised?

Hi,

we want to use dingo, but the AuthProvider must to be adjusted. Is this possible?

https://github.com/dingo/api/wiki/Authentication

We defined in User Model 'hidden' (protected), when i call a manual eloquent query the fields are hidden. When i use the auth (POST (store()), i see all fields.

Hi

Is this package compatible with sentry, or only works with Auth::?

Hello,

Logins etc works perfectly but when I am using before filter with auth.token, laravel's Auth::user is empty, any ideas whats wrong?

Route::group(array('prefix' => 'v1','before' => 'auth.token'), function() {
Route::post('events','EventtiController@store');
});

Access level to Tappleby\AuthToken\AuthTokenManager::getDefaultDriver() must be public (as in class Illuminate\Support\Manager)

During user authentication using the AuthTokenController@store I need to send the user as a json response but the token in the header.

So I need something like this instead of the current response:

return Response::json(array('token' => $serializedToken, 'user' => $user->toArray()))->header('X-Auth-Token', $serializedToken);

What is the best way to extend and include this functionality. I extended the controller (CustomAuthTokenController) in app/controllers and overrode the store() function, then updated the routes.php to use the extended controller, but I'm new to Laravel so I don't think I'm doing this right. I get this response:

error: {type: "Illuminate\Container\BindingResolutionException",…}
file: "/home/vagrant/Code/wedding/vendor/laravel/framework/src/Illuminate/Container/Container.php"
line: 513
message: "Target [Tappleby\AuthToken\AuthTokenProviderInterface] is not instantiable."
type: "Illuminate\Container\BindingResolutionException"

Access level to Tappleby\AuthToken\AuthTokenManager::getDefaultDriver() must be public (as in class Illuminate\Support\Manager)

Laravel code view:

Open: ...\vendor\tappleby\laravel-auth-token\src\Tappleby\AuthToken\AuthTokenManager.php

return new DatabaseAuthTokenProvider($connection, 'ta_auth_tokens', $encrypter,   $hasher);
}

  protected function getDefaultDriver() {
     return 'database';
  }
}

I've got this at the top of my Routes file

Event::listen('auth.token.valid', function($user)
{
  Auth::setUser($user);
});

App::error(function(AuthTokenNotAuthorizedException $exception) {
    return Response::json(array('error' => array( 'message'=> $exception->getMessage(), 'status_code' => $exception->getCode())), $exception->getCode());
});

Routes that are in my filter before => auth.token are working great and are properly protected. I've got some routes outside of that because they need to be accessible to both the public but also to do slightly different things if Auth::check() passes.

Auth::check() always returns false and Auth::user() is returning NULL, but if it's inside the auth.token required routes then everything is working fine

Session style is set to array because everything else causes weird issues with doing the API tokens

Hey guys, at the moment when i log in everything works lovely, however when i refresh the page my relations aren't loaded into the user like they are when logging in. Do i need to just load in the relations on the auth.token.valid event too or?

Event::listen('auth.token.valid', function($user)
{
//Token is valid, set the user on auth system.
Auth::setUser($user);
});

Event::listen('auth.token.created', function($user, $token)
{
$user->load('position', 'sites', 'roles', 'roleIds');
});

Hi Terry,

Thanks for your great work on this! I have it installed correctly and everything is working fine. I'm trying to make a tweak, however - when a user authenicates, I want to give them an "auth_token" cookie, and likewise, check that cookie during routing.

I'm able to give a cookie with this code:

Route::filter('give_auth_cookie', function($route, $request, $response)
{
    $data = $response->getData(true);
    $response->withCookie(Cookie::forever('auth_token', $data['token']));
});

Route::post('auth', array('uses' => 'Tappleby\AuthToken\AuthTokenController@store', 'after' => 'give_auth_cookie'));

Now my problem is trying to validate it. All my attempts to get access to a working AuthTokenDriver object have failed. My closest guess is:

$token = Cookie::get('auth_token');
$manager = new Tappleby\AuthToken\AuthTokenManager();
$driver = $manager->driver();
$success = $driver->validate($token);

This doesn't work because AuthTokenManager expects a working $app.

Can you suggest how to check if an auth token string is valid?

Thanks for any help you can give.

Hi,

how can i extend the auth response 'store' (POST)? i want extend the users model with another data, like permissions.

Thanks!

I'm trying to use laravel-auth-token for both browser http api and mobile api. No problems for mobile i guess, but im facing issues while trying to merge my existing Auth business logic with the auth token when dealing with javascript/browser client.

I have 2 login actions, one for plain user/pass and another for the fb connect. After a successful login i need to return the token, generated on server side, to the client for later javascript http calls.

I've read from docs that i can prepare a token like this

$authToken = AuthToken::create($user);
$token = AuthToken::publicToken($authToken);

so, what i'm trying to do, is

$authToken = AuthToken::create($user);
\Cookie::queue('auth_token', AuthToken::publicToken($authToken), 60, null, null, false, false );

This isn't working though, and i noticed that this cookie-d auth_token is not the same that i can obtain with a plain POST:/auth call. Am i missing something?

Can you make your controller "store" function input names to be configurable, for example add them to the config file, also with rules.

Hi,

I'm using multiauth with your laravel-auth-token. However, this is not working (yet).
I've asked the creator of multiauth to help. See this issue:
ollieread/multiauth#62

Could you point me in the right direction (I'm a colleague of @Ilyes512, the creator of the issue).
Thank you.

I am using laravel-auth-token. How to control the time the session will be active?

Is support for token expiration already built in and I'm missing it? Or should that be handled on the front-end using a DELETE call to destroy the token when it's expired?

I upgraded my system from 4.2.7 to 4.2.9 and it logs me in by giving the token but using it will cause Not authorized error. I downgraded to 4.2.7 and everything is ok. Went up to 4.2.8 and it works. Again tried 4.2.9 but then the problem occurs again. I'm not sure what causes this issue.

Since all this package does is put a token in a database, which then raises all kinds of issues like users not being able to login on 2 devices and tokens not expiring, it suddenly struck me that Laravel already has built-in auth token - it's the session ID. So After you log in why not just send back the session ID in the JSON response. And then include it on the next request as a URL param. Then to log the user you simply load up the other session and get the user ID and then set the current user to the same one:

$sessionID = '4842e441673747d0ce8b809fc5d1d06883fde3af'; // get this from \Session::getId(); from your previous authenticated request (after logging in because it changes).

    $s = new \Illuminate\Session\Store(NULL, \Session::getHandler(), $sessionID);
    $s->start();
    $userID = $s->get('login_82e5d2c56bdd0811318f0cf078b78bfc');

    \Session::set('login_82e5d2c56bdd0811318f0cf078b78bfc', $userID);
    return \Auth::user();

I'm not fully aware of all the consequences of this but there are some great benefits. You get multi-device login, and session timeout. If using cookies then the session that the user is set on, is now authenticated, so it doesn't need to do the steps above again, and as long as its being used it won't timeout, or you could just set the session config lifetime param in session.php to int max. I realised this after hours fighting trying to turn cookies off, so with all this you can just leave them on and not worry about them.

Hello!
I can't seem to figure out the proper configuration to return 401 instead of 500 on auth fail. Thanks for the help!
B

I have a problem by using Auth token package in laravel 4.3

Fix:
Tappleby\AuthToken\AuthToken.php
row 11. use \Illuminate\Contracts\Support\ArrayableInterface;

Tappleby\AuthToken\DatabaseAuthTokenProvider.php
row 10. use \Illuminate\Contracts\Auth\User as UserInterface;

Tappleby\AuthToken\AuthTokenProviderInterface.php
row 13. use \Illuminate\Contracts\Auth\User as UserInterface;

Tappleby\AuthToken\AuthTokenDriver.php
row 10. use \Illuminate\Contracts\Auth\User as UserInterface;

when support for Laravel 4.3 will shows up?

Does Auth.token.valid only get called when the auth.token filter is used, or does it also run an Auth::setUser() when the user is logged in (when token is generated).

Are you going to provide token expiration functionality? It is very useful for Mobile Apps API's
Thank you!

Sorry if it sounds a silly question and thanks for making your code available.

I am building a REST API to be used from a mobile application. I am also building the back end interface to visualise the data. As a result with the latter, I often need to pass the auth_token as a get parameter.

I am redirecting to a route after amending data through a PUT method. I then want to redirect to the individual object to show the results of the modification. For this I wrote :

Redirect::route('look', $id)->withInput(Input::only('auth_token'));

However in the AuthTokenFilter.php, I noticed it can't get the auth_token from the lines before.

Checking the $route and $request objects, it looks as if the request is made correctly and I can see the parameters in the headers of the request using a web developer tool.

Could you help ?