Strange behavior: if I enter any phrase in the link that should lead to a 404 page, a 404 error is raised instead:
Unable to generate a URL for the named route "login" as such route does not exist.
Login
Even if this part of the code is commented out, there will be an error for every other path.
For all other cases, everything works and controller links are generated.
Controller:
/**
 * @Route("/login", name="login")
 * @param AuthenticationUtils $authenticationUtils
 * @return Response
 */
public function userLogin(AuthenticationUtils $authenticationUtils)
{
    if ($this->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
        return $this->redirect($this->generateUrl('home_page'));
    }
    // get the login error if there is one
    $error = $authenticationUtils->getLastAuthenticationError();
    // last username entered by the user
    $lastUsername = $authenticationUtils->getLastUsername();
    return $this->render(
        'user/security/login.html.twig', [
            'last_username' => $lastUsername,
            'error' => $error,
        ]
    );
}
Related
I am trying to upgrade a Symfony application from 4.1 to 4.4 and I have an error in authentication in my SecurityController. I have:
public function loginAction(Request $request)
{
    /** @var AuthenticationUtils $authUtils */
    $authUtils = $this->get('security.authentication_utils');
    // get the login error if there is one
    $error = $authUtils->getLastAuthenticationError();
    // last username entered by the user
    $lastUsername = $authUtils->getLastUsername();
    return $this->render('admin/user/login.html.twig', array(
        'error' => $error,
        'last_username' => $lastUsername,
    ));
}
but after the upgrade I get this error.
How can I solve this error?
As mentioned by @dbrunmann:
public function loginAction(Request $request, AuthenticationUtils $authUtils)
{
    // get the login error if there is one
    $error = $authUtils->getLastAuthenticationError();
    // last username entered by the user
    $lastUsername = $authUtils->getLastUsername();
    return $this->render('admin/user/login.html.twig', array(
        'error' => $error,
        'last_username' => $lastUsername,
    ));
}
Use php bin\console debug:autowiring <some_service_name> to find out which type hint to use to get the right service.
E.g. php bin\console debug:autowiring utils will give you:
I created a custom operation to send SMS using Symfony and Sarbacane.
In my AppUser entity I added these annotations:
 *         "GET",
 *         "PUT",
 *         "PATCH",
 *         "DELETE",
 *         "send_sms"={
 *             "method"="POST",
 *             "path"="/app_users/{id}/sms",
 *             "controller"=SmsController::class,
 *             "normalization_context"={"groups"={"user:read"}},
 *             "put"={"validation_groups"={"Default", "sedValidation"}}
 *         }
 *     }
In my controller I implemented the __invoke method:
public function __invoke(AppUser $user, Request $request, SerializerInterface $serializer) : bool
{
    $data = $request->getContent();
    // json_decode returns an object by default; pass true to get an associative array
    $payload = json_decode($data, true);
    $content = $payload['content'];
    $currentUser = $this->getUser();
    $currentUserPhone = $currentUser->getPhone();
    $res = $this->sarbacaneApiHelper->call('campaigns/sms', [
        'name' => sprintf("eXpanded n°%s", uniqid()),
        'kind' => 'SMS_NOTIFICATION',
        'smsFrom' => "eXpanded", // between 3 and 11 alphanumeric characters
        'content' => $content, // max 450 characters
    ]);
    $phone = $currentUserPhone;
    $sarbacaneCampaignId = $res->id;
    // Add recipients to the Sarbacane campaign
    $res = $this->sarbacaneApiHelper->call(sprintf('campaigns/%s/recipients', $sarbacaneCampaignId), [
        [
            'phone' => $phone,
        ],
    ]);
    $params = [
        "phone" => $currentUserPhone,
    ];
    $this->sarbacaneApiHelper->call(sprintf('campaigns/%s/send', $sarbacaneCampaignId), $params);
    $sent = true;
    return $sent;
}
I tested the API using Postman and got a 500 Internal Server Error:
"hydra:description": "Cannot validate values of type "boolean" automatically. Please provide a constraint."
Why does this error message appear?
An __invoke() method must return either:
a Symfony\Component\HttpFoundation\Response instance, or
an instance of the target entity (which seems to be AppUser in this case).
In your case the method returns true; since validation runs right after the controller, API Platform tries to validate this boolean, which is not possible. It expects an entity.
About the code shown in the question
It remains pretty unclear to me what you're trying to achieve:
Why is the $user argument never used?
Do you want to save any entity once your e-mail is sent?
Why do you fetch the Request content?
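As an added example (not the asker's or API Platform's own code), here is how the custom operation controller looks once it returns the target entity instead of a bool, with the request body validated before anything is sent. SmsGateway is an assumed interface standing in for the asker's sarbacaneApiHelper, and AppUser is assumed to expose getId() and getPhone() as in the question:

```php
<?php
// Added example, not the asker's or API Platform's own code. SmsGateway is an
// assumed interface standing in for the asker's sarbacaneApiHelper; AppUser
// is assumed to expose getId() and getPhone() as in the question.
declare(strict_types=1);

namespace App\Controller;

use App\Entity\AppUser;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

/** Assumed abstraction over the SMS provider (the asker's sarbacaneApiHelper). */
interface SmsGateway
{
    public function send(string $fromLabel, string $phone, string $content): void;
}

final class SmsController extends AbstractController
{
    // Limits the asker's comments quote for the provider: sender label of
    // 3..11 alphanumeric characters, message body of at most 450 characters.
    private const SENDER_LABEL = 'eXpanded';
    private const MAX_CONTENT_LENGTH = 450;

    public function __construct(private SmsGateway $sms)
    {
    }

    /**
     * API Platform validates and serializes whatever a custom controller
     * returns, so the method hands back the AppUser resource rather than a
     * bool. Failures are signalled with HTTP exceptions, which API Platform
     * turns into 4xx Hydra error documents instead of a 500.
     */
    public function __invoke(AppUser $user, Request $request): AppUser
    {
        // The {id} in the URL must be the authenticated user's own account;
        // otherwise any logged-in caller could trigger a message for another user.
        $current = $this->getUser();
        if (!$current instanceof AppUser || $current->getId() !== $user->getId()) {
            throw new AccessDeniedHttpException('You may only send an SMS to yourself.');
        }

        try {
            $payload = json_decode($request->getContent(), true, 512, JSON_THROW_ON_ERROR);
        } catch (\JsonException $e) {
            throw new BadRequestHttpException('Request body is not valid JSON.');
        }

        $content = $payload['content'] ?? null;
        if (!is_string($content) || trim($content) === '') {
            throw new BadRequestHttpException('Field "content" must be a non-empty string.');
        }
        if (mb_strlen($content) > self::MAX_CONTENT_LENGTH) {
            throw new BadRequestHttpException(
                sprintf('Field "content" exceeds %d characters.', self::MAX_CONTENT_LENGTH)
            );
        }

        $phone = $user->getPhone();
        if ($phone === null || $phone === '') {
            throw new BadRequestHttpException('This account has no phone number on record.');
        }

        $this->sms->send(self::SENDER_LABEL, $phone, $content);

        // The entity API Platform expects; it is normalized with the "user:read" group
        // named in the operation's normalization_context.
        return $user;
    }
}
```

In a real project the SmsGateway interface and its Sarbacane-backed implementation would live in their own files and be wired through autowiring; they are inlined here only so the example reads as one unit.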
I want to access a specific product from the homepage:
{{ property.title }}
I specified the route in the controller:
/**
 * @Route("/property/{slug}-{id}", name="property.show", requirements={"slug": "[a-z0-9\-]*"})
 * @param Property $property
 * @return Response
 */
public function show(Property $property, string $slug): Response
{
    if ($property->getSlug() !== $slug) {
        return $this->redirectToRoute('property.show', [
            'id' => $property->getId(),
            'slug' => $property->getSlug()
        ], 301);
    }
    // $property is already loaded by the param converter from {id}; no second lookup is needed
    return $this->render('property/show.html.twig', [
        'property' => $property,
        'current_menu' => 'properties'
    ]);
}
but when I click on the link, I get the error "No route found for "GET /my-first-property/property/-1" (from "http://localhost:8000/")".
The URL I'm trying to generate should be /property/my-first-property-1; I don't understand why it doesn't work.
For security reasons I want every user from a certain domain (for now I've used @company.com) to be forced to log in using the "Login with Google" button, so I wrote this check.
It works fine, but the error message on the login page doesn't change: it says FOUT: Verkeerde logingegevens., which is Dutch for ERROR: Wrong credentials.. I did return a new error with a different message, so how would I display this message?
function check_login($user, $username, $password) {
    if (!empty($username)) {
        if (substr($user->user_email, -12) == "@company.com") {
            $user = new WP_Error( 'authentication_failed', __( '<strong>ERROR</strong>: Please login using Google.' ) );
        }
    }
    return $user;
}
add_filter('authenticate', 'check_login', 100, 3);
WordPress Core
Your issue comes from the fact that the $user variable you are filtering is already a WP_Error and not a WP_User, so your filter cannot work because $user->user_email is null. Luckily, WordPress uses another intermediate hook in its login function.
You should use the wp_authenticate_user filter instead, which fires after the user is retrieved from the database but before the password is checked, converting the user into a WP_Error:
function check_login($user) {
    if ($user instanceof WP_User) {
        if (substr($user->user_email, -12) == "@company.com") {
            $user = new WP_Error( 'authentication_failed', __( '<strong>ERROR</strong>: Please login using Google.' ) );
        }
    }
    return $user;
}
add_filter('wp_authenticate_user', 'check_login', 9, 1);
Third-party plugins
If you are using a security plugin, it usually has an option that disables login error messages; here's how to disable it in some major ones.
iThemes Security
One option this plugin provides is to hide all login error messages; you can disable this in the plugin settings > WordPress Tweaks > uncheck Login Error Messages.
Or access this page by appending this URL to your website: /wp-admin/admin.php?page=itsec&module=wordpress-tweaks&module_type=recommended
Wordfence
This plugin gives the user a generic error message to prevent revealing whether it's the password or the username that is incorrect; you can disable this option there.
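As an added example (not the asker's, the answerer's or WordPress core's code), the same wp_authenticate_user approach generalised to an allow-list of domains, with the domain taken from after the last "@" and compared case-insensitively, so that "user@Company.COM" is caught as well as "user@company.com". The domain list and the hook name sso_force_google_login are constructed for the example:

```php
<?php
// Added example, not the asker's, the answerer's or WordPress core's code.
// Forces users whose e-mail domain is on an allow-list to sign in through the
// Google button, using the wp_authenticate_user hook that WordPress runs after
// the user record is loaded and before the password is checked.

// Domains whose users must use Google sign-in (constructed values).
const SSO_ONLY_DOMAINS = ['company.com', 'subsidiary.example'];

/**
 * Lower-cased domain part of an e-mail address, or null when there is no '@'.
 * Taking the text after the LAST '@' is deliberate: a quoted local part such
 * as "a@b"@company.com still yields the real domain.
 */
function sso_email_domain(string $email): ?string
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return null;
    }
    return strtolower(substr($email, $at + 1));
}

/** True when the address belongs to a domain that must use Google sign-in. */
function sso_domain_requires_google(string $email): bool
{
    $domain = sso_email_domain($email);
    // Strict in_array: an exact, case-normalised match only, never a suffix match.
    return $domain !== null && in_array($domain, SSO_ONLY_DOMAINS, true);
}

/**
 * wp_authenticate_user receives either a WP_User or a WP_Error. Only a WP_User
 * carries user_email, so anything else is passed through untouched, which is
 * exactly what went wrong with the 'authenticate' hook in the question.
 */
function sso_force_google_login($user, $password)
{
    if ($user instanceof WP_User && sso_domain_requires_google($user->user_email)) {
        return new WP_Error(
            'sso_required',
            __('<strong>ERROR</strong>: Please login using Google.')
        );
    }
    return $user;
}
// Priority 9 runs before other plugins at the default 10; 2 accepted args.
add_filter('wp_authenticate_user', 'sso_force_google_login', 9, 2);
```

The two helper functions have no WordPress dependency, so they can be unit-tested on their own (for instance that sso_email_domain('User@Company.COM') returns 'company.com' and that an address without "@" returns null); only the filter callback needs the WordPress runtime.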
You'll need to remove the original authenticate filter and replace it with your own.
This way you can set a custom error message for each case.
Just make sure to add your custom @company.com check at the top, before checking for the other cases.
// core registers this filter at priority 20, and remove_filter() only matches when the priority is the same
remove_filter('authenticate', 'wp_authenticate_username_password', 20);
add_filter('authenticate', 'wpse_115539_authenticate_username_password', 20, 3);

/**
 * Remove the WordPress filter and write our own with changed error text.
 */
function wpse_115539_authenticate_username_password($user, $username, $password) {
    if (!empty($username)) {
        // $user is still null when this filter runs first, so look the account up by login to read its e-mail address
        $candidate = get_user_by('login', $username);
        if ($candidate && substr($candidate->user_email, -12) == "@company.com") {
            return new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Please login using Google.'));
        }
    }
    if (is_a($user, 'WP_User'))
        return $user;
    if (empty($username) || empty($password)) {
        if (is_wp_error($user))
            return $user;
        $error = new WP_Error();
        if (empty($username))
            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
        if (empty($password))
            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
        return $error;
    }
    $user = get_user_by('login', $username);
    if (!$user)
        return new WP_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. Lost your password?'), wp_lostpassword_url()));
    $user = apply_filters('wp_authenticate_user', $user, $password);
    if (is_wp_error($user))
        return $user;
    if (!wp_check_password($password, $user->user_pass, $user->ID))
        return new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: The password you entered for the username <strong>%1$s</strong> is incorrect. Lost your password?'),
            $username, wp_lostpassword_url()));
    return $user;
}
FYI, I found this code here.
function wp_authenticate( $username, $password ) {
    $username = sanitize_user( $username );
    $password = trim( $password );
    $user = apply_filters( 'authenticate', null, $username, $password );
    if ( $user == null ) {
        // TODO what should the error message be? (Or would these even happen?)
        // Only needed if all authentication handlers fail to return anything.
        $user = new WP_Error( 'authentication_failed', __( '<strong>ERROR</strong>: Invalid username, email address or incorrect password.' ) );
    }
    $ignore_codes = array( 'empty_username', 'empty_password' );
    if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes ) ) {
        do_action( 'wp_login_failed', $username );
    }
    return $user;
}
I'm a Laravel developer. I develop an ecommerce plugin with Laravel and I want to combine WordPress with Laravel, so I need to share a common login session between Laravel and WordPress.
How could I implement this? Are there special plugins available for this? Or could I use Laravel Auth?
The right way of doing it is to have Laravel (or WordPress) as an auth server
and create something like an SSO plugin.
I was doing the same with NodeBB forum login from Laravel.
Steps that I suggest:
Look at this package: Laravel OAuth Server
Create or find any SSO plugin for WordPress
So you have all users in Laravel (registration etc.),
and if they want to log in to WordPress they log in to the Laravel app and give permission to log in to WordPress.
Think of it like adding Facebook Login to your site.
Read more on WordPress SSO
But playing with sessions and cookies can cause security issues.
Hope that helped.
Enabling Single-Sign-On in WordPress took me 18+ hours of struggle but might take you only a few minutes:
I experimented with all sorts of things: Laravel Passport (OAuth2), OpenID Connect, etc.
But the only solution I could get to work was to have the WordPress login page redirect to an auth-protected Laravel route that generates a JWT (JSON Web Token) and redirects back to a special callback URL on WordPress that either creates a new user or logs in an existing user.
It works well.
class JwtController extends Controller {
    /**
     * Inspired by https://github.com/WebDevStudios/aad-first-party-sso-wordpress/tree/master/lib/php-jwt
     *
     * @param Request $request
     * @return ResponseInterface
     */
    public function redirectWithToken(Request $request) {
        $key = config('jwt.key');
        $wpJwtUrl = $request->input('callback');
        $redirectUrlAfterLogin = $request->input('redirect_to'); // Get the original intended destination and append as URL param to /jwt.
        $tokenArray = $this->getToken(auth()->user(), $redirectUrlAfterLogin);
        $jwt = \Firebase\JWT\JWT::encode($tokenArray, $key);
        $wpJwtUrlWithTokenAsParam = $wpJwtUrl . '?token=' . $jwt;
        return redirect()->away($wpJwtUrlWithTokenAsParam);
    }

    /**
     *
     * @param \App\User $user
     * @param string $redirectUrlAfterLogin
     * @return array
     */
    public function getToken($user, $redirectUrlAfterLogin) {
        $now = \Carbon\Carbon::now();
        $aud = config('jwt.audience'); // root URL of the WordPress site
        $firstName = StrT::getFirstNameFromFullName($user->name);
        $expirationMins = config('jwt.expirationMins');
        $token = [
            "iss" => url("/"),
            "aud" => $aud, // "audience" https://tools.ietf.org/html/rfc7519#section-4.1.3
            "iat" => $now->timestamp, // "issued at" https://tools.ietf.org/html/rfc7519#section-4.1.6
            "exp" => $now->addMinutes($expirationMins)->timestamp, // "expiration" https://tools.ietf.org/html/rfc7519#section-4.1.4
            "attributes" => [
                'emailAddress' => $user->email,
                'firstName' => $firstName,
                'lastName' => StrT::getLastNameFromFullName($user->name),
                'nickname' => $firstName,
                'displayName' => $user->name,
                'redirectUrlAfterLogin' => $redirectUrlAfterLogin // In plugin: use redirectUrlAfterLogin from attributes after login.
            ]
        ];
        return $token;
    }
}
Install this WordPress plugin, but don't activate it until you're finished with everything else: https://wordpress.org/plugins/wp-force-login/
Install this WordPress plugin: https://as.wordpress.org/plugins/jwt-authenticator/
And then edit its auth.php to be this:
// register the callback
add_action('rest_api_init', function () {
    register_rest_route('jwt-auth/v1', 'callback', [
        'methods' => 'GET',
        'callback' => 'ja_login'
    ], true);
});

require_once('JWT.php');

function ja_login() {
    // get all attributes
    $options = get_option('ja_settings');
    $token_name = $options['token_name'];
    $secret_key = $options['secret_key'];
    $iss = $options['iss'];
    $aud = $options['aud'];
    // decode the token
    $token = $_GET[$token_name];
    $key = $secret_key;
    $JWT = new JWT;
    $json = $JWT->decode($token, $key);
    $jwt = json_decode($json, true);
    // use unix time for comparison
    $exp = is_int($jwt['exp']) ? $jwt['exp'] : strtotime($jwt['exp']);
    $nbf = $jwt['nbf'] ?? null;
    $now = strtotime("now");
    // if authentication successful
    if (($jwt['iss'] == $iss) && ($jwt['aud'] == $aud) && ($exp > $now) && ($now > $nbf)) {
        return getUserFromValidToken($options, $jwt);
    } else {
        return 'Login failed. Please let us know exactly what happened, and we will help you out right away.';
    }
}

/**
 *
 * @param array $options
 * @param array $jwt
 * @return string
 */
function getUserFromValidToken($options, $jwt) {
    $attributesKey = $options['attributes'];
    $mail = $options['mail'];
    $givenname = $options['first_name'];
    $surname = $options['last_name'];
    $nickname = $options['nickname'];
    $displayname = $options['displayname'];
    $default_role = $options['default_role'];
    $attributes = $jwt[$attributesKey];
    $redirectUrlAfterLogin = $attributes['redirectUrlAfterLogin'] ?? get_site_url();
    $_SESSION['attributes'] = $attributes;
    $_SESSION['jwt'] = $jwt;
    // find or create user
    $user = ja_find_or_create_user($attributes[$mail], $attributes[$mail], $attributes[$givenname], $attributes[$surname], $attributes[$nickname], $attributes[$displayname], $default_role);
    // login user
    if ($user) {
        wp_clear_auth_cookie();
        wp_set_current_user($user->ID, $user->user_login);
        wp_set_auth_cookie($user->ID);
        do_action('wp_login', $user->user_login);
        wp_safe_redirect($redirectUrlAfterLogin);
        exit();
    } else {
        return 'getUserFromValidToken failed!';
    }
}

/**
 *
 * @param string $username
 * @param string $emailAddress
 * @param string $firstName
 * @param string $lastName
 * @param string $nickname
 * @param string $displayName
 * @param string $defaultRole
 * @return mixed
 */
function ja_find_or_create_user($username, $emailAddress, $firstName, $lastName, $nickname, $displayName, $defaultRole) {
    // if user exists, return user
    if (username_exists($username)) {
        return get_user_by('login', $username);
    } elseif (email_exists($emailAddress)) {
        return get_user_by('email', $emailAddress);
    } else { // create user
        $length = 16;
        $include_standard_special_chars = false;
        $random_password = wp_generate_password($length, $include_standard_special_chars);
        // create user
        $user_id = wp_create_user($username, $random_password, $emailAddress);
        // update user metadata and return user id
        $userData = [
            'ID' => $user_id,
            'first_name' => $firstName,
            'last_name' => $lastName,
            'nickname' => $nickname,
            'display_name' => $displayName,
            'role' => $defaultRole
        ];
        return wp_update_user($userData); // (If successful, returns the user_id, otherwise returns a WP_Error object.)
    }
}

/**
 * Get login message link HTML for adding to the login form
 * @return string
 */
function getLoginMessage() {
    $options = get_option('ja_settings');
    $redirect_to = $_GET['redirect_to'] ?? null;
    $login_url = $options['login_url'] . '?callback=' . urlencode(site_url('/wp-json/jwt-auth/v1/callback'));
    if ($redirect_to) {
        $login_url .= '&redirect_to=' . urlencode($redirect_to);
    }
    $login_message = $options['login_message'];
    return "<a id='jwt_link' href='{$login_url}'>{$login_message}</a>";
}
add_filter('login_message', 'getLoginMessage');

add_action( 'load-profile.php', function() { // https://wordpress.stackexchange.com/a/195370/51462 Redirect from profile.php to the dashboard since there is no reason for WordPress users to see or manage their profile since their main account is on the other site.
    if( ! current_user_can( 'manage_options' ) ){
        $redirectUrl = get_site_url(); // admin_url()
        exit( wp_safe_redirect( $redirectUrl ) );
    }
} );

function show_admin_bar_conditionally(){ // remove the WordPress admin toolbar https://premium.wpmudev.org/blog/remove-the-wordpress-admin-toolbar/
    return current_user_can( 'manage_options' );
}
add_filter('show_admin_bar', 'show_admin_bar_conditionally'); // can use 'show_admin_bar_conditionally' or '__return_false' for never.

//------------------------------------------------------------------
// for https://wordpress.org/support/topic/rest-api-26/#post-9915078
// and https://github.com/kevinvess/wp-force-login/issues/35
// and https://wordpress.org/support/topic/rest-api-26/page/2/#post-10000740
// and https://wordpress.org/support/topic/jwt-authentication/#post-10698307
add_filter( 'rest_authentication_errors', '__return_true' );
This belongs in functions.php of your theme in WordPress:
// https://codex.wordpress.org/Customizing_the_Login_Form
function my_custom_login_page() { ?>
    <style type="text/css">
        #loginform, #login #nav{display: none;}
        #jwt_link{font-weight: bold; font-size: 20px;}
    </style>
    <script>
        document.addEventListener("DOMContentLoaded", function(event) {
            document.getElementById('jwt_link').click(); // immediately upon load of the login page, click the JWT link automatically
        });
    </script>
<?php }
add_action( 'login_enqueue_scripts', 'my_custom_login_page' );
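As an added example (not the answerer's, the jwt-authenticator plugin's or firebase/php-jwt's own code), the two checks that the hand-off above depends on, written as plain functions so they can be exercised outside Laravel and WordPress: on the Laravel side, that the ?callback= the token is sent to really is the configured audience, and on the WordPress side, that the token's signature, algorithm, lifetime, issuer and audience are verified before any attribute is read. It assumes firebase/php-jwt 6.x (JWT::decode takes a Key object) and the callback path /wp-json/jwt-auth/v1/callback used in the answer; the function names are constructed for the example:

```php
<?php
// Added example, not the answerer's, the jwt-authenticator plugin's or
// firebase/php-jwt's own code. Assumes firebase/php-jwt 6.x and that the
// WordPress callback lives at /wp-json/jwt-auth/v1/callback as in the answer.
declare(strict_types=1);

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

/**
 * Laravel side. The answer redirects the freshly minted token to whatever
 * ?callback= says. Requiring the callback to sit on the configured audience
 * (the WordPress site) means a crafted callback parameter cannot carry the
 * token to another host.
 */
function sso_callback_is_allowed(string $callback, string $audience): bool
{
    $cb = parse_url($callback);
    $aud = parse_url($audience);
    if (!is_array($cb) || !is_array($aud)
        || !isset($cb['scheme'], $cb['host'], $aud['scheme'], $aud['host'])) {
        return false;
    }
    return strcasecmp($cb['scheme'], $aud['scheme']) === 0
        && strcasecmp($cb['host'], $aud['host']) === 0
        && ($cb['port'] ?? null) === ($aud['port'] ?? null)
        && ($cb['path'] ?? '') === '/wp-json/jwt-auth/v1/callback';
}

/**
 * WordPress side. Verifies signature and algorithm, lifetime, issuer and
 * audience, then returns the attributes array. Every failure is an exception,
 * so a caller cannot forget to check a flag.
 */
function sso_verify_token(string $token, string $secret, string $expectedIss, string $expectedAud): array
{
    JWT::$leeway = 30; // seconds of clock skew tolerated on exp/nbf/iat

    // Pinning HS256 through Key rejects tokens whose header names a different
    // algorithm; decode() itself enforces exp, nbf and iat when present.
    $claims = (array) JWT::decode($token, new Key($secret, 'HS256'));

    if (!isset($claims['exp'])) {
        throw new UnexpectedValueException('token has no expiry');
    }
    if (!isset($claims['iss'], $claims['aud'])
        || !is_string($claims['iss']) || !is_string($claims['aud'])) {
        throw new UnexpectedValueException('token lacks iss/aud');
    }
    // Constant-time comparison, so a wrong issuer or audience fails uniformly.
    if (!hash_equals($expectedIss, $claims['iss']) || !hash_equals($expectedAud, $claims['aud'])) {
        throw new UnexpectedValueException('token was issued for another site');
    }

    $attributes = (array) ($claims['attributes'] ?? []);
    $email = $attributes['emailAddress'] ?? null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new UnexpectedValueException('token carries no usable e-mail address');
    }
    return $attributes;
}

/**
 * Wrapper for the REST callback: null means "show the generic failure
 * message"; the reason goes to the server log only, never to the visitor.
 */
function sso_attributes_or_null(string $token, string $secret, string $iss, string $aud): ?array
{
    try {
        return sso_verify_token($token, $secret, $iss, $aud);
    } catch (Exception $e) {
        error_log('JWT callback rejected: ' . $e->getMessage());
        return null;
    }
}
```

On the Laravel side, redirectWithToken would call sso_callback_is_allowed($request->input('callback'), config('jwt.audience')) and abort with a 400 when it returns false; on the WordPress side, ja_login would pass the result of sso_attributes_or_null to ja_find_or_create_user and keep wp_safe_redirect for redirectUrlAfterLogin, since that function only follows redirects to the site's own allowed hosts.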