Jwt-auth: Bug? I changed the default User model to my custom one

Created on 23 May 2016 · 8Comments · Source: tymondesigns/jwt-auth

this framework uses the default USER model that I have setup in the namespace.

Usually this file is the App/User.php file
It usually uses the authentication fields email and password to authenticate

For purposes of my project,

my User model file is called SE_Users.php
my authentication fields are se_users and se_password

I have every thing setup correctly. And it finds the custom table. But then I get the error message below:

1.  in EloquentUserProvider.php line 116
2.  at HandleExceptions->handleError('8', 'Undefined index: password', '/home/vagrant/Code/apiServer/vendor/laravel/framework/src/Illuminate/Auth/EloquentUserProvider.php', '116', array('user' => object(SE_Users), 'credentials' => array('user_email' => '[email protected]', 'user_password' => 'testpass'))) in EloquentUserProvider.php line 116

even though my field is called se_password it is still looking for password.

I found the issue in the file EloquentUserProvider.php in the validateCredentials function.

    public function validateCredentials(UserContract $user, array $credentials)
    {
        $plain = $credentials['password'];

        return $this->hasher->check($plain, $user->getAuthPassword());
    }

Is this a bug? it is looking for the key password and this is hard coded?

Source

patchthecode

Most helpful comment

EloquentUserProvider is part of Laravel core, not this library. The password requirement is enforced by its defaults. However there are a number of ways to address this issue:

Create a custom user provider that doesn't have the password hardcoded. Laravel docs have details on this. You'll want to override the validateCredentials method (like you suggested) and probably have everything else inherit from EloquentUserProvider.
(As described in #356:) You can also just change the key of the field in the credentials array so it _does_ have the key password. Then if your $user->getAuthPassword() method works right everything should be peachy.

(1) is the "more correct"/"more Laravel" way to do things, but (2) is a lot simpler, as long as you can get over the uneasiness of manually re-keying something.

You should also note that these problems should all go away with the new JWTGuard approach, but I can't recommend it quite yet because there aren't many instructions for it. Eventually that will probably be the preferred answer though.

tdhsmith on 25 May 2016

👍2

All 8 comments

Are you proposing a custom property for denoting the password attribute on the user model being validated?

mr-feek on 24 May 2016

@feeekkk from your response i take it that we can't select a custom property right now. hmm...

In terms of proposing it, I say, why not? With password hardcoded, its basically forcing users to have the field called password ... I don't think this is a good thing.

patchthecode on 24 May 2016

Maybe this functionality could live within JWTSubject as getPasswordIdentifier or something so all models would have to implement it? I'm not a huge fan of requiring all models to have to implement this though considering password is probably used 99% of the time...

Then validateCredentials could be changed to something like

public function validateCredentials(UserContract $user, array $credentials)
{
    $plain = $credentials[$user->getPasswordIdentifier()];

    return $this->hasher->check($plain, $user->getAuthPassword());
}

I'm not sure how well this would work, just an idea.

mr-feek on 25 May 2016

Ok. I am not used to writing php libraries. I am used to writing Swift/ObjectiveC libs for iOS.
My PHP still needs some work, so i can't understand what the code you wrote above says.

But is it basically this?

Ask the user for what key they wish to use in the database as the password key
Then use that key as the field to use in the database table

If it's that then i think this will be a good idea rather than requiring all users to have a field in their database called password. I wish others could chime in on this suggestion though

patchthecode on 25 May 2016

👍1

EloquentUserProvider is part of Laravel core, not this library. The password requirement is enforced by its defaults. However there are a number of ways to address this issue:

Create a custom user provider that doesn't have the password hardcoded. Laravel docs have details on this. You'll want to override the validateCredentials method (like you suggested) and probably have everything else inherit from EloquentUserProvider.
(As described in #356:) You can also just change the key of the field in the credentials array so it _does_ have the key password. Then if your $user->getAuthPassword() method works right everything should be peachy.

(1) is the "more correct"/"more Laravel" way to do things, but (2) is a lot simpler, as long as you can get over the uneasiness of manually re-keying something.

tdhsmith on 25 May 2016

👍2

@tdhsmith man thank you so much for this info!

patchthecode on 25 May 2016

👍1

Not a problem! :ok_hand:

tdhsmith on 25 May 2016

I'm just chipping here to say that I too, have been having this problem.

My "user" model lets users login just by typing in a 6 digit code. Therefore, Laravel is none too happy when I point it at the model for this...which doesn't include a password field.

Do I need to create a new UserProvider that somehow returns my model? I'm feeling a bit lost here.