tappleby / laravel-auth-token

Hooks into the Laravel auth module and provides an auth token upon success. This token is really only secure in an HTTPS environment. The main purpose of this module was to provide an auth token to a JavaScript web app, which could be used to identify users on API calls.
MIT License

Auth store() ignores Model 'User' hidden #17

Closed dennisoderwald closed 10 years ago

dennisoderwald commented 10 years ago

We defined 'hidden' (protected) in the User model. When I call a manual Eloquent query, the fields are hidden. When I use the auth (POST, store()), I see all fields.

tappleby commented 10 years ago

The library calls toArray on the user model which handles the hidden attributes: https://github.com/tappleby/laravel-auth-token/blob/master/src/Tappleby/AuthToken/AuthTokenController.php#L78

Is your model in app/config/auth.php set to the correct class? (https://github.com/laravel/laravel/blob/v4.1.27/app/config/auth.php#L31)

dennisoderwald commented 10 years ago

Hi,

thanks for your fast response!

Yes, of course. My app/config/auth.php is fine.

return array(

    /*
    |--------------------------------------------------------------------------
    | Default Authentication Driver
    |--------------------------------------------------------------------------
    |
    | This option controls the authentication driver that will be utilized.
    | This driver manages the retrieval and authentication of the users
    | attempting to get access to protected areas of your application.
    |
    | Supported: "database", "eloquent"
    |
    */

    'driver' => 'eloquent',

    /*
    |--------------------------------------------------------------------------
    | Authentication Model
    |--------------------------------------------------------------------------
    |
    | When using the "Eloquent" authentication driver, we need to know which
    | Eloquent model should be used to retrieve your users. Of course, it
    | is often just the "User" model but you may use whatever you like.
    |
    */

    'model' => 'User',

    /*
    |--------------------------------------------------------------------------
    | Authentication Table
    |--------------------------------------------------------------------------
    |
    | When using the "Database" authentication driver, we need to know which
    | table should be used to retrieve your users. We have chosen a basic
    | default value but you may easily change it to any table you like.
    |
    */

    'table' => 'users',

tappleby commented 10 years ago

Hrm strange, I will have to test it out this evening.

dennisoderwald commented 10 years ago

Ok, thanks!

dennisoderwald commented 10 years ago

@tappleby is it tested? :)

tappleby commented 10 years ago

Sorry about the delay, just tested this on my local copy and the hidden field is working as expected:

User.php

class User extends Eloquent implements UserInterface, RemindableInterface {
    protected $hidden = array('password', 'password_raw');

    ...
}

http POST http://php.dev/l4_1/public/auth username=roger.hamilton98@example.com password=tosser

Response:
{
    "token": "eyJpdiI6IlFcL2FCdU5GMjlOaXZHZk1qXC90UHdva1wvM3lyZkVFTisybFdHeWpcL0NuV0VjPSIsInZhbHVlIjoid2crWWprU0xCK3NPdzdaZ3hvMk5FU3Q2dUtiS0VxQmVtSVdmaEVNeVhPMDJkdWVEcnR1ZmpseEVldWV1VTdkRGt4TktjQmxQd1ZKbEIrME1GOXlzODA2K2h2MSt2cWNaTHlJY0NpeEYwaFwvOHVEMzgzRzFTV3pQM21QSTZKeVBEcUpjdEdMNEtcL2o2NVZnMDFGNzZ3SjY3ajQxdFRDRTZlbDllNmNzZjJ1N1E9IiwibWFjIjoiOWVlMmVhN2YxMTEwMTJiMmRhZmI3NjYwN2M5ZWRjYTJhM2U2ZjY2MGZkYjRiNWQwZTRiODcyNDczZDBhNDg0OCJ9",
    "user": {
        "created_at": "2013-12-14 18:45:39",
        "email": "roger.hamilton98@example.com",
        "first_name": "roger",
        "id": 1,
        "last_name": "hamilton",
        "picture": "http://api.randomuser.me/0.2/portraits/men/5.jpg",
        "updated_at": "2013-12-14 18:45:39"
    }
}

dennisoderwald commented 10 years ago

Strange - I'll check it again
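
A regression check for the behaviour discussed in this thread, as an added example that is not part of the thread or of laravel-auth-token: it scans a decoded auth response for any key listed in the model's `$hidden` array and reports where it appears. The function names and the two sample bodies are constructed for illustration; the `$hidden` list is the one from the User.php shown above.

```php
<?php
// Added example, not code from laravel-auth-token. Plain PHP, no framework needed.

/**
 * Recursively collect the paths of any keys in a decoded JSON body whose
 * name appears in $hidden. An empty result means nothing leaked.
 */
function findLeakedAttributes(array $body, array $hidden, string $path = ''): array
{
    $leaks = [];
    foreach ($body as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (in_array((string) $key, $hidden, true)) {
            $leaks[] = $here;
        }
        if (is_array($value)) {
            // Descend into nested objects and lists (e.g. the "user" object).
            $leaks = array_merge($leaks, findLeakedAttributes($value, $hidden, $here));
        }
    }
    return $leaks;
}

/** Decode a raw response body; reject anything that is not a JSON object or array. */
function checkAuthResponse(string $json, array $hidden): array
{
    $body = json_decode($json, true);
    if (!is_array($body)) {
        throw new InvalidArgumentException('response body is not a JSON object');
    }
    return findLeakedAttributes($body, $hidden);
}

// Same list as $hidden in the User.php shown in the thread.
$hidden = ['password', 'password_raw'];

// Constructed sample bodies; token and secret values are placeholders.
$expected = '{"token":"<token>","user":{"id":1,"email":"roger.hamilton98@example.com","first_name":"roger"}}';
$leaking  = '{"token":"<token>","user":{"id":1,"email":"roger.hamilton98@example.com","password":"<hash>","password_raw":"<value>"}}';

foreach (['expected' => $expected, 'leaking' => $leaking] as $label => $json) {
    $leaks = checkAuthResponse($json, $hidden);
    echo $label, ': ', $leaks ? 'LEAK at ' . implode(', ', $leaks) : 'ok', PHP_EOL;
}
```

Feeding the real body returned by the auth POST into `checkAuthResponse()` from an integration test turns a report like this issue into a failing test rather than something noticed by eye.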