Warning: file_get_contents(/data/phpspider/zhask/data//catemap/0/laravel/11.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php Laravel Sanctum多用户会话问题(用户共享会话/以多用户身份登录)_Php_Laravel_Laravel Sanctum_Laravel Fortify - Fatal编程技术网
Fatal编程技术网
  • php/
  • Php Laravel Sanctum多用户会话问题(用户共享会话/以多用户身份登录)

Php Laravel Sanctum多用户会话问题(用户共享会话/以多用户身份登录)

php laravel

Php Laravel Sanctum多用户会话问题(用户共享会话/以多用户身份登录),php,laravel,laravel-sanctum,laravel-fortify,Php,Laravel,Laravel Sanctum,Laravel Fortify,我正试图与一个叫SPA的定制守卫一起使用圣所防御 管理员正在使用Web guard登录后端 用户正在登录将承载VUEJS SPA的子域 管理员登录->并被重定向到工作->确定 用户登录(vue应用程序)。->好的 Vuefile: import axios from 'axios' axios.defaults.withCredentials = true; axios.defaults.baseURL = 'https://test.local:8890' export default {

我正试图与一个叫SPA的定制守卫一起使用圣所防御

管理员正在使用Web guard登录后端

用户正在登录将承载VUEJS SPA的子域

管理员登录->并被重定向到工作->确定

用户登录(vue应用程序)。->好的

Vuefile:

import axios from 'axios'
axios.defaults.withCredentials = true;
axios.defaults.baseURL = 'https://test.local:8890'

export default {
    name: 'Home',
    components: {
        HelloWorld
    },
    data: () => {
        return {
            email : 'doe@example.com',
            password : 'Password1!'
    }
},
methods : {
    login() {
  axios.get('/sanctum/csrf-cookie').then(response => {
    console.log(response.code);
    axios.post('web-api/login', {
      email : this.email,
      password : this.password
    }).then(response => {
          console.log(response);
      }
    ).catch(error => {
      console.log(error);
    })
  });
}}}
因此,我们的想法是,用户不能登录到仪表板上,而是拥有一个单独的表

当我登录我的管理员时,我进入仪表板。我在chrome中打开一个新选项卡,并以vue应用程序子域上的用户身份登录。当我返回到仪表板时,我仍然很好地登录,并且以用户身份登录到另一个选项卡(超级)

但是当检查chrome中的cookie并共享相同的cookie laravel_会话和xcsrf令牌时。。。它们是一样的

因此,现在当我转到admins选项卡并转到web api路由时,我会看到用户的凭据:

{“id”:4,“名字”:“快乐”,“姓氏”:“能源部”,“电子邮件”:doe@example.com“}

但我仍然可以作为管理员访问我的仪表板

config/auth.php

    'defaults' => [
        'guard' => 'web',
        'passwords' => 'admins',
    ],

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'admins', //admin provider for web
    ],
    'spa' => [
        'driver' => 'session',
        'provider' => 'users' //user provicer for spa (and api)
    ],
    /*'api' => [
        'driver' => 'token',
        'provider' => 'users',
        'hash' => false, //user provider
    ],*/
],
我已将guard参数添加到sanctum配置中

配置/圣殿:

'guard' => 'spa', //set sanctum guard to spa.
在内核文件中,我将所有内容从“web”中间件复制到了“spa”,因为它的工作原理几乎相同

Kernel.php:

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
    'spa' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class
    ],
    'api' => [
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
已在env文件中配置Sanctum参数

.env:

SESSION_DOMAIN=test.local
SANCTUM_STATEFUL_DOMAINS=.test.local
添加了SPA到routeServiceProvider引导方法

RouteServiceProvider.php:

public function boot()
{
    $this->configureRateLimiting();

    $this->routes(function () {
        Route::prefix('web-api')
            ->middleware('spa')
            ->namespace($this->namespace)
            ->group(base_path('routes/spa.php'));

        /*Route::prefix('api')
            ->middleware('api')
            ->namespace($this->namespace)
            ->group(base_path('routes/api.php'));*/

        Route::middleware('web')
            ->namespace($this->namespace)
            ->group(base_path('routes/web.php'));
    });
}
然后我在SpaAuthController中的登录功能:(由spa使用)

默认情况下,整个web登录由fortify控制器处理

POST | admin/login | | Laravel\Fortify\Http\Controllers\AuthenticatedSessionController@store|网

在这一点上,它变得有点可笑,我在这里做错了什么,我应该担心潜在的安全问题假设是:D)

public function loginSpa(Request $request){

    //Regenerate session 

    $request->session()->regenerate();

    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    $authAttempt = Auth::guard('spa')->attempt(['email' => $request->email, 'password' => $request->password]);

    if($authAttempt){
        $user = Auth::guard('spa')->user();

        if (!$user->hasVerifiedEmail()){
            abort(401, 'Email address not verified.');
        }

        if ($user->blocked){
            abort(401, 'Your Account blocked.');
        }

        return response([],204);
    }

    return response(['message' => 'The provided credentials are incorrect.'],422);

}