laravel / jetstream

Tailwind scaffolding for the Laravel framework.
https://jetstream.laravel.com
MIT License

Jetstream auth is not working via database session except if the remember me is checked. #1358

Closed RSickenberg closed 1 year ago

RSickenberg commented 1 year ago

Jetstream Version

v3.3.1

Jetstream Stack

Livewire

Laravel Version

v10.19.0

PHP Version

v8.2.8

Database Driver & Version

MySQL 8.0.32 on ARM (Docker)

Description

When using this stack:

laravel/fortify              v1.17.4  Backend controllers and scaffolding for Laravel authentication.
laravel/framework            v10.19.0 The Laravel Framework.
laravel/jetstream            v3.3.1   Tailwind scaffolding for the Laravel framework.
laravel/pint                 v1.11.0  An opinionated code formatter for PHP.
laravel/prompts              v0.1.5
laravel/sail                 v1.23.3  Docker files for running a basic Laravel application.
laravel/sanctum              v3.2.5   Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs.
laravel/serializable-closure v1.3.1   Laravel Serializable Closure provides an easy and secure way to serialize closures in PHP.
laravel/tinker               v2.8.1   Powerful REPL for the Laravel framework.

filament/actions       v3.0.22 Easily add beautiful action modals to any Livewire component.
filament/filament      v3.0.22 A collection of full-stack components for accelerated Laravel app development.
filament/forms         v3.0.22 Easily add beautiful forms to any Livewire component.
filament/infolists     v3.0.22 Easily add beautiful read-only infolists to any Livewire component.
filament/notifications v3.0.22 Easily add beautiful notifications to any Livewire app.
filament/support       v3.0.22 Core helper methods and foundation code for all Filament packages.
filament/tables        v3.0.22 Easily add beautiful tables to any Livewire component.
filament/widgets       v3.0.22 Easily add beautiful dashboard widgets to any Livewire component.

With out-of-the-box configurations, I face an issue when I set my SESSION_DRIVER to database.

In fact, my post auth routes using the middlewares

    'auth:sanctum',
    config('jetstream.auth_session'),
    'verified',

are not persisting my session.

My user has a verified email_verified_at.

The user model implements:

    use HasApiTokens;
    use HasFactory;
    use HasProfilePhoto;
    use Notifiable;
    use TwoFactorAuthenticatable;
    use HasRoles;
    use HasUlids;
    use MustVerifyEmail;

Here is my user definition:

return [
    'id' => $this->newModel()->newUniqueId(),
    'name' => $this->faker->name(),
    'email' => $this->faker->unique()->safeEmail(),
    'email_verified_at' => now(),
    'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi', // password
    'remember_token' => Str::random(10),
    'profile_photo_path' => $this->faker->filePath(),
    'two_factor_confirmed_at' => now(),
];

FortifyServiceProvider

<?php

namespace App\Providers;

use App\Actions\Fortify\CreateNewUser;
use App\Actions\Fortify\ResetUserPassword;
use App\Actions\Fortify\UpdateUserPassword;
use App\Actions\Fortify\UpdateUserProfileInformation;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Laravel\Fortify\Fortify;

class FortifyServiceProvider extends ServiceProvider
{
    /**
     * Bootstrap any application services.
     */
    public function boot(): void
    {
        Fortify::createUsersUsing(CreateNewUser::class);
        Fortify::updateUserProfileInformationUsing(UpdateUserProfileInformation::class);
        Fortify::updateUserPasswordsUsing(UpdateUserPassword::class);
        Fortify::resetUserPasswordsUsing(ResetUserPassword::class);

        // Throttle login attempts per (lower-cased username, client IP) pair.
        RateLimiter::for('login', static function (Request $request) {
            $throttleKey = Str::transliterate(Str::lower($request->input(Fortify::username())).'|'.$request->ip());

            return Limit::perMinute(5)->by($throttleKey);
        });

        // Throttle two-factor challenges per pending login session.
        RateLimiter::for('two-factor', static function (Request $request) {
            return Limit::perMinute(5)->by($request->session()->get('login.id'));
        });
    }
}

And my Kernel class:

<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array<int, class-string|string>
     */
    protected $middleware = [
        \App\Http\Middleware\TrustHosts::class,
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Http\Middleware\HandleCors::class,
        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    ];

    /**
     * The application's route middleware groups.
     *
     * @var array<string, array<int, class-string|string>>
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'api' => [
            // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];

    /**
     * The application's route middleware.
     *
     * These middleware may be assigned to groups or used individually.
     *
     * @var array<string, class-string|string>
     */
    protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
        'signed' => \App\Http\Middleware\ValidateSignature::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
        'role' => \Spatie\Permission\Middlewares\RoleMiddleware::class,
        'permission' => \Spatie\Permission\Middlewares\PermissionMiddleware::class,
        'role_or_permission' => \Spatie\Permission\Middlewares\RoleOrPermissionMiddleware::class,
    ];
}

Steps To Reproduce

Set up a basic sail app and set jetstream to use livewire.

No different config should be used except setting the SESSION_DRIVER to database.

The views are from the artisan vendor:publish --tag=jetstream-views command.

Additional info

I'm fully available to answer your questions if needed.
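A feature test that exercises exactly the scenario reported above (database session driver, login without the `remember` field, then a second request through the `auth:sanctum` / `config('jetstream.auth_session')` / `verified` stack), added here as an example and not part of the original report. It assumes the `sessions` table migration has been run, the scaffolded Fortify `/login` route, a factory password of `password` (matching the posted hash), and a hypothetical probe route `/_probe` that the test registers itself.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class DatabaseSessionPersistenceTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // Force the driver under suspicion. Assumes the `sessions` table
        // (php artisan session:table) is part of the migrations.
        config(['session.driver' => 'database']);

        // Hypothetical probe route using the exact stack from the report.
        Route::middleware([
            'web',
            'auth:sanctum',
            config('jetstream.auth_session'),
            'verified',
        ])->get('/_probe', fn () => response()->json(['user' => auth()->id()]));
    }

    public function test_session_survives_login_without_remember_me(): void
    {
        // The posted factory sets email_verified_at and hashes "password".
        $user = User::factory()->create();

        // Submit the login form with no `remember` field at all.
        $this->post('/login', [
            'email' => $user->email,
            'password' => 'password',
        ])->assertRedirect();

        // A second request must still be authenticated from the DB session.
        $this->get('/_probe')->assertOk()->assertJson(['user' => $user->id]);

        // And the persisted session row should reference that user.
        $this->assertDatabaseHas('sessions', ['user_id' => $user->id]);
    }
}
```

If the second assertion fails while the same test passes with `session.driver` set to `file`, the regression is isolated to the database session store rather than to the middleware ordering.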

crynobone commented 1 year ago

Hey there, thanks for reporting this issue.

We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here?

Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.

laravel new bug-report --github="--public"

Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue.

Thanks!

driesvints commented 1 year ago

Feel free to resubmit the issue once you have a repo 👍