tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

How not to use Password in JWTAuth:attempt? #1641

Open mn6893 opened 6 years ago

mn6893 commented 6 years ago

Login without password - Undefined Index password

I want to login using emailid and userid, not with password. When I try login with emailid and userid, I'm getting "undefined index: password". It seems that "JWTAuth:attempt" is looking for password. But in my case I don't want to login with password.

Help!!

```php
// Login controller excerpt as posted. attempt() still fails with
// "Undefined index: password" because only emailid/userid are supplied.
// Requires in the controller:
//   use Tymon\JWTAuth\Facades\JWTAuth;
//   use Tymon\JWTAuth\Exceptions\JWTException;
$credentials = $request->only('emailid', 'userid');
$rules = [
    'userid'  => 'required',
    'emailid' => 'required',
];
$token = null;

$validator = \Validator::make($credentials, $rules);
if ($validator->fails()) {
    return response()->json([
        'message' => 'Invalid emailid/userid',
    ], 200);
}

try {
    // attempt() hands $credentials to the user provider, which expects a 'password' key
    if (! $token = JWTAuth::attempt($credentials)) {
        return response()->json([
            'message' => 'Invalid emailid/userid.',
        ], 200);
    }
} catch (JWTException $e) {
    // do not echo the exception: it would corrupt the JSON response body
    return response()->json([
        'message' => 'Server is not Reachable, Please try again later',
    ], 500);
}

$user = \Auth::user();
$user->image = \URL::to($user->image) . $token;
$user->token = $token;

return response()->json([
    'message' => 'Successfully Logged in',
    'token'   => $token,
], 200);
```

Your environment

| Q | A |
|---|---|
| Bug? | yes |
| New Feature? | no / yes |
| Framework | Laravel / |
| Framework version | 5.6 |
| Package version | 1.x.y |
| PHP version | 7+ |

spacenate commented 5 years ago

I don't think this is a bug, this is how the default UserProvider works (take a look in `Tymon\JWTAuth\JWTGuard::attempt()`, it ends up calling `$this->provider->validateCredentials()`.) You need some way to ensure the user is who they say they are ("authenticating" the user's credentials), and the default way of doing that is through a password.

If you are using "passwordless" authN (eg DarkGhostHunter/Passless), you authenticate the user's credentials by checking the temporary token that was sent to their email or phone is the same one as they are presenting to you in your login route (or that the signed route is valid, in the case of Passless). In that case, use the login() method instead of attempt().
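The flow spacenate describes, as an added example that is not part of the original thread or of the jwt-auth package. It assumes a Laravel 5.x app with an `api` guard using the `jwt` driver, an `App\User` model that has `emailid`, `login_token` (bcrypt hash of a one-time code) and `login_token_expires_at` (cast to a datetime) columns, and that a mailable for delivering the code exists; all of those names are assumptions. The user is looked up and verified by hand, so `validateCredentials()` and its `password` lookup are never called, and `login()` only issues the JWT once the one-time code has checked out:

```php
<?php
// Added example, not code from the jwt-auth project or the original issue.
// Assumed: `api` guard with the jwt driver; App\User has `emailid`,
// `login_token` (bcrypt hash) and `login_token_expires_at` (datetime cast).

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class PasswordlessLoginController extends Controller
{
    // Step 1: generate a one-time code, store only its hash, deliver the code out of band.
    public function requestCode(Request $request)
    {
        $data = $request->validate(['emailid' => 'required|email']);
        $user = User::where('emailid', $data['emailid'])->first();

        if ($user) {
            $code = Str::random(32);
            $user->forceFill([
                'login_token'            => Hash::make($code),
                'login_token_expires_at' => now()->addMinutes(10),
            ])->save();
            // Deliver $code by email; the mailable is assumed and not shown:
            // Mail::to($user)->send(new LoginCodeMail($code));
        }

        // Same response whether or not the address is registered (no account enumeration).
        return response()->json([
            'message' => 'If the address is registered, a login code has been sent.',
        ]);
    }

    // Step 2: verify the presented code ourselves, then call login() instead of attempt().
    public function login(Request $request)
    {
        $data = $request->validate([
            'emailid' => 'required|email',
            'code'    => 'required|string',
        ]);

        // attempt() would pass these credentials to EloquentUserProvider::validateCredentials(),
        // which reads $credentials['password'] and raises "Undefined index: password".
        $user = User::where('emailid', $data['emailid'])->first();

        // Hash::check() is a constant-time comparison against the stored hash; a missing user,
        // an expired code and a wrong code all fail the same way.
        $valid = $user
            && $user->login_token
            && $user->login_token_expires_at
            && $user->login_token_expires_at->isFuture()
            && Hash::check($data['code'], $user->login_token);

        if (! $valid) {
            return response()->json(['message' => 'Invalid emailid/code.'], 401);
        }

        // One-time use: clear the code before issuing the JWT.
        $user->forceFill([
            'login_token'            => null,
            'login_token_expires_at' => null,
        ])->save();

        // JWTGuard::login() issues a token for an already-verified user; no password involved.
        $token = auth('api')->login($user);

        return response()->json([
            'message'    => 'Successfully Logged in',
            'token'      => $token,
            'token_type' => 'bearer',
            'expires_in' => auth('api')->factory()->getTTL() * 60,
        ]);
    }
}
```

Both routes should sit behind the throttle middleware, since the one-time code is the only factor protecting the account; storing the code hashed and clearing it on first use keeps a database read or a replayed request from turning into a session.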

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.