Php Laravel Sanctum多用户会话问题(用户共享会话/以多用户身份登录)
我正试图与一个叫SPA的定制守卫一起使用圣所防御 管理员正在使用Web guard登录后端 用户正在登录将承载VUEJS SPA的子域 管理员登录->并被重定向到工作->确定 用户登录(vue应用程序)。->好的 Vuefile:Php Laravel Sanctum多用户会话问题(用户共享会话/以多用户身份登录),php,laravel,laravel-sanctum,laravel-fortify,Php,Laravel,Laravel Sanctum,Laravel Fortify,我正试图与一个叫SPA的定制守卫一起使用圣所防御 管理员正在使用Web guard登录后端 用户正在登录将承载VUEJS SPA的子域 管理员登录->并被重定向到工作->确定 用户登录(vue应用程序)。->好的 Vuefile: import axios from 'axios' axios.defaults.withCredentials = true; axios.defaults.baseURL = 'https://test.local:8890' export default {
import axios from 'axios'
axios.defaults.withCredentials = true;
axios.defaults.baseURL = 'https://test.local:8890'
export default {
name: 'Home',
components: {
HelloWorld
},
data: () => {
return {
email : 'doe@example.com',
password : 'Password1!'
}
},
methods : {
login() {
axios.get('/sanctum/csrf-cookie').then(response => {
console.log(response.code);
axios.post('web-api/login', {
email : this.email,
password : this.password
}).then(response => {
console.log(response);
}
).catch(error => {
console.log(error);
})
});
}}}
因此,我们的想法是,用户不能登录到仪表板上,而是拥有一个单独的表
当我登录我的管理员时,我进入仪表板。我在chrome中打开一个新选项卡,并以vue应用程序子域上的用户身份登录。当我返回到仪表板时,我仍然很好地登录,并且以用户身份登录到另一个选项卡(超级)
但是当检查chrome中的cookie并共享相同的cookie laravel_会话和xcsrf令牌时。。。它们是一样的
因此,现在当我转到admins选项卡并转到web api路由时,我会看到用户的凭据:
{“id”:4,“名字”:“快乐”,“姓氏”:“能源部”,“电子邮件”:doe@example.com“}
但我仍然可以作为管理员访问我的仪表板
config/auth.php
'defaults' => [
'guard' => 'web',
'passwords' => 'admins',
],
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'admins', //admin provider for web
],
'spa' => [
'driver' => 'session',
'provider' => 'users' //user provicer for spa (and api)
],
/*'api' => [
'driver' => 'token',
'provider' => 'users',
'hash' => false, //user provider
],*/
],
我已将guard参数添加到sanctum配置中
配置/圣殿:
'guard' => 'spa', //set sanctum guard to spa.
在内核文件中,我将所有内容从“web”中间件复制到了“spa”,因为它的工作原理几乎相同
Kernel.php:
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'spa' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class
],
'api' => [
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
已在env文件中配置Sanctum参数
.env:
SESSION_DOMAIN=test.local
SANCTUM_STATEFUL_DOMAINS=.test.local
添加了SPA到routeServiceProvider引导方法
RouteServiceProvider.php:
public function boot()
{
$this->configureRateLimiting();
$this->routes(function () {
Route::prefix('web-api')
->middleware('spa')
->namespace($this->namespace)
->group(base_path('routes/spa.php'));
/*Route::prefix('api')
->middleware('api')
->namespace($this->namespace)
->group(base_path('routes/api.php'));*/
Route::middleware('web')
->namespace($this->namespace)
->group(base_path('routes/web.php'));
});
}
然后我在SpaAuthController中的登录功能:(由spa使用)
默认情况下,整个web登录由fortify控制器处理
POST | admin/login | | Laravel\Fortify\Http\Controllers\AuthenticatedSessionController@store|网
在这一点上,它变得有点可笑,我在这里做错了什么,我应该担心潜在的安全问题假设是:D)
public function loginSpa(Request $request){
//Regenerate session
$request->session()->regenerate();
$request->validate([
'email' => 'required|email',
'password' => 'required',
]);
$authAttempt = Auth::guard('spa')->attempt(['email' => $request->email, 'password' => $request->password]);
if($authAttempt){
$user = Auth::guard('spa')->user();
if (!$user->hasVerifiedEmail()){
abort(401, 'Email address not verified.');
}
if ($user->blocked){
abort(401, 'Your Account blocked.');
}
return response([],204);
}
return response(['message' => 'The provided credentials are incorrect.'],422);
}