arubacao / http-basic-auth-guard Goto Github PK

Can you add sessions to your project? Is it possible to use illuminate/session or something similar with your basic auth guard?

Maybe something like this? http://qiita.com/mikakane/items/faa8becc85631be13156
Or maybe add support for this? https://packagist.org/packages/cuidong/lumen

Just a heads up. There seems to be an issue with bcrypt in Lumen 5.4. So you have to make sure to use:

app('hash')->make('password');

The test suite still uses the method bcrypt which isn't available since 5.4.

Hello! I've found your implementation, and was interested to use it with Lumen, after updating from 5.1 to 5.3 version.
I was scratching my head for a long time, wondering how to use token authorization (I use jwt) for several routes and how to use actually basic authorization for api routes. I was using basic authorization with sessions previously likewise. Everything worked fine, but there were some reasons to update, and get rid off sessions.
When I started to use your guard, everything seemed clear. I added few guards, and used them differently with routes. That was good, except the moment of using several middlewares one by one with this guard.
I believe that's because your guard doesn't have state, and it doesn't remember the user, like it was with sessions.
So I want to ask you - have you try such case? And have you thought about few middlewares with such authorization guard?

Hi,

Thank you for writing this package. I've followed the installation instructions (install package, register BasicGuardServiceProvider in bootstrap/app.php), however when I associate the basic driver to the api guard and update the routes.php file to use the auth:api middleware I receive the following

call_user_func_array() expects parameter 1 to be a valid callback, class     
'Arubacao\BasicAuth\BasicGuard' does not have a method 'handle'

I'm using version 1.0.1 of the package, and Lumen 5.2.7. Application otherwise running fine.

Any ideas?

Thank you!
Jason

The basic() method triggers check(), which triggers user() in return, which triggers onceBasic() (since commit 372eb68). This means if you run Auth::basic() it will always do Auth::onceBasic() first (with the default parameters). If this passes, it will never get to logging in. Is this on purpose?

My goal is to make sure the Illuminate\Auth\Events\Login event gets triggered, so I can check if $user->is_active === true - and return a 401 Unauthorized if it's false.

Is there a better way to this? Shouldn' the login/logout events be triggered, even on onceBasic? Maybe trigger the Logout event at the end of the request? To keep the statelessness of the basic authentication.

Thanks for the great package btw!

I setup a fresh 5.4 Lumen application. I then uncommented the following lines in my bootstrap/app.php:

$app->withFacades();
$app->withEloquent()
[...]
$app->routeMiddleware([
    'auth' => App\Http\Middleware\Authenticate::class,
]);
[...]
$app->register(App\Providers\AppServiceProvider::class);
$app->register(App\Providers\AuthServiceProvider::class);
$app->register(Arubacao\BasicAuth\BasicGuardServiceProvider::class);

Next, I added jwt-auth-1.0.0-beta-2 to my application using the composer require. Added the below line to my AppServiceProvider:

this->app->register(\Tymon\JWTAuth\Providers\LumenServiceProvider::class);

and did the php artisan jwt:secret step.

The following is my web.php router:

$app->group(['prefix' => 'api'], function($app){
    $app->post('/signup', [
        'uses' => 'UserController@Signup'
    ]);

    $app->group(['middleware' => 'auth:jwt-auth'], function($app){
        $app->post('/logout',[
	    'uses' => 'UserController@LogoutUser'
	]);
    });
});

In my UserContoller.php, this is what I do:

<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Tymon\JWTAuth\JWTAuth;
use App\User;
use Tymon\JWTAuth\Exceptions\JWTException;

class UserController extends Controller
{

    /**
     * @var \Tymon\JWTAuth\JWTAuth
     */
    protected $jwt;

    public function __construct(JWTAuth $jwt)
    {
        $this->jwt = $jwt;
    }

    public function Signin(Request $request)
    {
        try {
            if (!$token = $this->jwt->attempt($request->only('email', 'password'))) {
                return response()->json(['The credentials provided are invalid.'], 404);
            }
        }  catch (JWTException $e){
            return response()->json([
                'message' => 'We could not sign you in. Try again later.'
            ], 500);
        }

        return response()->json(compact('token'));
    }

    public function LogoutUser(Request $request){
        $token = $this->jwt->getToken();

        if($this->jwt->invalidate($token)){
            return response()->json([
                'message' => 'User logged off successfully!'
            ], 200);
        } else {
            return response()->json([
                'message' => 'Failed to logout user. Try again.'
            ], 500);
        }
    }

}

Now the problem is I can access the signup route and generate the jwt token. But, when I try to do a logout it says unauthorized. I have various other routes under the same middleware and all of them say the same.

There's currently no way to change what fields the basic auth system is checking for username password combinations. Would it be possible to allow this to be configurable?