I am prototyping an API with Laravel and noticed that, when using the standard Auth guard for the API, the API token is case-insensitive. So api_tokens like 'CVC' and 'cvc' are treated the same.
Is this the expected behaviour? Is it desirable security-wise? I don't think so, even with a 60-byte string, or what do you think? Is there a way to change it?
Thanks for your thoughts! Carsten
Answer 0 (score: 0)
That is not the case. Laravel first tries to resolve the token in several ways:

/**
 * Get the token for the current request.
 *
 * @return string
 */
public function getTokenForRequest()
{
    // Checked in order: query string, request body, "Authorization: Bearer" header,
    // then the password half of HTTP Basic credentials.
    $token = $this->request->query($this->inputKey);

    if (empty($token)) {
        $token = $this->request->input($this->inputKey);
    }

    if (empty($token)) {
        $token = $this->request->bearerToken();
    }

    if (empty($token)) {
        $token = $this->request->getPassword();
    }

    return $token;
}
That method is called when attempting to resolve an instance of the user:

/**
 * Get the currently authenticated user.
 *
 * @return \Illuminate\Contracts\Auth\Authenticatable|null
 */
public function user()
{
    // If we've already retrieved the user for the current request we can just
    // return it back immediately. We do not want to fetch the user data on
    // every call to this method because that would be tremendously slow.
    if (! is_null($this->user)) {
        return $this->user;
    }

    $user = null;

    $token = $this->getTokenForRequest();

    if (! empty($token)) {
        // storageKey is the configured column name (by default "api_token");
        // the raw token from the request is used as the lookup value.
        $user = $this->provider->retrieveByCredentials(
            [$this->storageKey => $token]
        );
    }

    return $this->user = $user;
}
The provider in this case is DatabaseUserProvider, and its retrieveByCredentials method performs a strict, case-sensitive check using the database query builder's ->where() method; no LIKE is used, as you can see here:

public function retrieveByCredentials(array $credentials)
{
    // First we will add each credential element to the query as a where clause.
    // Then we can execute the query and, if we found a user, return it in a
    // generic "user" object that will be utilized by the Guard instances.
    $query = $this->conn->table($this->table);

    foreach ($credentials as $key => $value) {
        if (! Str::contains($key, 'password')) {
            $query->where($key, $value);
        }
    }

    // Now we are ready to execute the query to see if we have an user matching
    // the given credentials. If not, we will just return nulls and indicate
    // that there are no matching users for these given credential arrays.
    $user = $query->first();

    return $this->getGenericUser($user);
}
So no, your situation is not typical; there are probably other components at play here that we are not aware of.
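The following is an added example, not code from the question, the answer or Laravel itself. It rebuilds the `WHERE api_token = ?` lookup that `retrieveByCredentials` generates in Python over an in-memory SQLite table, and shows that `where()` is only as case-sensitive as the column's collation: SQLite's BINARY collation compares bytes, while NOCASE folds case, which stands in for the `_ci` collations MySQL uses by default for string columns. It also quantifies what case-folding costs a 60-character token and shows the usual hardening, storing only a SHA-256 hash of the token so the collation of the column no longer decides whether 'cvc' authenticates as 'CvC'. The table layout, the user `carsten`, the token `CvC` and the helper names are constructed for the demo.

```python
import hashlib
import math
import secrets
import sqlite3

# Constructed sample data for the demo (hypothetical user and token).
SAMPLE_USER = "carsten"
SAMPLE_TOKEN = "CvC"


def make_db(collation: str) -> sqlite3.Connection:
    """In-memory users table whose token columns use the requested collation.

    BINARY is SQLite's byte-wise (case-sensitive) collation; NOCASE folds ASCII
    case and plays the role of a MySQL *_ci collation here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,"
        f" api_token TEXT COLLATE {collation}, api_token_hash TEXT COLLATE {collation})"
    )
    return conn


def retrieve_by_credentials(conn, credentials):
    """Mirror of the query DatabaseUserProvider::retrieveByCredentials builds:
    one `WHERE key = value` per credential, password keys skipped, first row only."""
    clauses, params = [], []
    for key, value in credentials.items():
        if "password" in key:
            continue
        # Column names come from guard configuration (storageKey), never from the request.
        clauses.append(f"{key} = ?")
        params.append(value)
    sql = "SELECT id, name FROM users WHERE " + " AND ".join(clauses) + " LIMIT 1"
    row = conn.execute(sql, params).fetchone()
    return None if row is None else {"id": row[0], "name": row[1]}


def plaintext_lookup(collation):
    """Store the token as-is (Laravel's api_token column) and look it up by equality.
    Returns (exact_match_found, case_variant_found)."""
    conn = make_db(collation)
    conn.execute("INSERT INTO users (name, api_token) VALUES (?, ?)", (SAMPLE_USER, SAMPLE_TOKEN))
    exact = retrieve_by_credentials(conn, {"api_token": SAMPLE_TOKEN})
    variant = retrieve_by_credentials(conn, {"api_token": SAMPLE_TOKEN.lower()})
    return exact is not None, variant is not None


def token_hash(token: str) -> str:
    """Lookup key derived from the secret; the stored column never holds the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hashed_lookup(collation):
    """Hardened variant: store sha256(token) and look up by the hash. A case-folded
    token hashes to a different digest, so the collation cannot merge 'CvC' and 'cvc'."""
    conn = make_db(collation)
    conn.execute("INSERT INTO users (name, api_token_hash) VALUES (?, ?)",
                 (SAMPLE_USER, token_hash(SAMPLE_TOKEN)))
    exact = retrieve_by_credentials(conn, {"api_token_hash": token_hash(SAMPLE_TOKEN)})
    variant = retrieve_by_credentials(conn, {"api_token_hash": token_hash(SAMPLE_TOKEN.lower())})
    return exact is not None, variant is not None


def issue_token(conn, name, nbytes=45):
    """Generate a fresh random token, persist only its hash, hand the plaintext out once.
    token_urlsafe(45) encodes 45 bytes as a 60-character string."""
    token = secrets.token_urlsafe(nbytes)
    conn.execute("INSERT INTO users (name, api_token_hash) VALUES (?, ?)", (name, token_hash(token)))
    return token


def token_entropy_bits(alphabet_size, length):
    """Guessing space of a uniformly random token of `length` symbols. Case-insensitive
    matching shrinks the effective alphabet: 62 ([A-Za-z0-9]) collapses to 36 ([a-z0-9])."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for coll in ("BINARY", "NOCASE"):
        print(coll, "plaintext:", plaintext_lookup(coll), "hashed:", hashed_lookup(coll))
    print("60 chars over 62 symbols:", round(token_entropy_bits(62, 60), 1), "bits")
    print("60 chars case-folded to 36 symbols:", round(token_entropy_bits(36, 60), 1), "bits")
```

Running it prints `(True, True)` for the plaintext lookup under NOCASE and `(True, False)` under BINARY, which is the behaviour the question describes and the answer rules out: the PHP shown above is case-sensitive only because it defers the comparison to the database. A 60-character alphanumeric token keeps roughly 310 of its 357 bits when case is ignored, so the practical exposure is small; the stronger reason to switch to the hashed lookup is that the database then never stores a usable credential at all.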