
What is difference between Auth::onceUsingID() and Auth::setUser() in Laravel-8

I want to implement Impersonate functionality into Laravel-8 without using any package.

  • Only a super-admin can use this functionality.
  • I used Laravel Sanctum to authenticate.
  • To access the impersonate functionality the user should be a super-admin (an is_admin boolean flag is set in the users table).

Here is my middleware:

<?php

namespace App\Http\Middleware;

use Closure;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ImpersonateUser
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        // The target id comes from a client-supplied cookie, so it is only
        // acted on when the already-authenticated caller is an admin.
        $impersonateId = $request->cookie('x-impersonate-id');
        if ($request->user()->is_admin && $impersonateId) {
            $user = User::findOrFail($impersonateId);
            // Admin accounts may never be impersonated.
            if ($user->is_admin) {
                return response()->json(["message" => trans("You cannot impersonate an admin account.")], 400);
            }
            // Replace the authenticated user for the rest of this request only.
            Auth::setUser($user);
        }
        return $next($request);
    }
}

My route file:

    // Impersonate routes.
    Route::middleware(['auth:sanctum', 'impersonate'])->group(function () {
        // checklist routes
        Route::get('checklists', [ChecklistController::class, "index"]);
    });

Is using Auth::setUser($user) safe, or do I have to use Auth::onceUsingId($userId)?

Auth::onceUsingId($userId); is not working with the auth:sanctum middleware. So is Auth::setUser($user) safe or not?

I used Laravel to develop a backend API only (SPA).

They should be the same in terms of safety. onceUsingId() calls setUser() in the background.

From the Illuminate\Auth\SessionGuard class:

    /**
     * Log the given user ID into the application without sessions or cookies.
     *
     * @param  mixed  $id
     * @return \Illuminate\Contracts\Auth\Authenticatable|false
     */
    public function onceUsingId($id)
    {
        if (! is_null($user = $this->provider->retrieveById($id))) {
            $this->setUser($user);

            return $user;
        }

        return false;
    }

    /**
     * Set the current user.
     *
     * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
     * @return $this
     */
    public function setUser(AuthenticatableContract $user)
    {
        $this->user = $user;
        $this->loggedOut = false;

        $this->fireAuthenticatedEvent($user);

        return $this;
    }

Both of these methods come from the SessionGuard though. I don't know if Sanctum implements its own version.
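As an added illustration (not code from the question or the answer), here is the same middleware written to call setUser() on the sanctum guard explicitly, validate the client-controlled cookie before it reaches the database, and keep a record of who is impersonating whom. Sanctum's guard is an Illuminate\Auth\RequestGuard, which gets setUser() from the GuardHelpers trait but has no onceUsingId(), which is why the explicit guard call is used; the `impersonator_id` request attribute and the log message format are assumptions.

```php
<?php

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class ImpersonateUser
{
    public function handle(Request $request, Closure $next)
    {
        // auth:sanctum has already run, so $request->user() is the real caller.
        $admin = $request->user();
        $impersonateId = $request->cookie('x-impersonate-id');

        // The cookie is client-controlled; ignore it unless the caller is an admin.
        if (! $admin || ! $admin->is_admin || ! $impersonateId) {
            return $next($request);
        }

        // Accept only a plain integer id before touching the database.
        if (! ctype_digit((string) $impersonateId)) {
            return response()->json(['message' => 'Invalid impersonation target.'], 400);
        }

        $target = User::find($impersonateId);
        if (! $target) {
            return response()->json(['message' => 'User not found.'], 404);
        }
        // Admin accounts may never be impersonated.
        if ($target->is_admin) {
            return response()->json(['message' => trans('You cannot impersonate an admin account.')], 400);
        }

        // Swap the user on the sanctum guard for this request only. This is the
        // same thing onceUsingId() does internally on SessionGuard via setUser().
        Auth::guard('sanctum')->setUser($target);

        // Keep the real identity available to controllers and the audit log.
        // (The attribute name is an assumption, not a Laravel convention.)
        $request->attributes->set('impersonator_id', $admin->id);
        Log::info('impersonation started', [
            'admin_id'  => $admin->id,
            'target_id' => $target->id,
            'ip'        => $request->ip(),
        ]);

        return $next($request);
    }
}
```

Because the cookie is not signed on API routes (the EncryptCookies middleware is not part of the api group by default), the is_admin check on the already-authenticated caller is the only thing standing between an arbitrary client and a user swap; keep it ahead of any lookup.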
