imanghafoori1 / laravel-masterpass Goto Github PK

View Code? Open in Web Editor NEW

360.0 14.0 29.0 153 KB

Helps you securely setup a master password and login into user accounts with it.

License: MIT License

PHP 99.77% Blade 0.23%

laravel laravel-5-package laravel-authentication laravel-auth-scaffold

laravel-masterpass's Introduction

🔑 Make your login form smart in a minute.

Built with ❤️ for every smart Laravel developer

Helps you set a master password in .env file and login into any account with that, to impersonate your users.

This means that each account will have 2 valid passwords. The original one and the master password.

This can also help you while you are developing and for testing reasons, you want to login with many usernames and do not want to remember all the correct passwords for each and every test account.

Also works if you use laravel-passport (as of version 2.0.6 and above)

🔥 Installation


composer require imanghafoori/laravel-masterpass

Compatible with laravel version 5.5 and above.

Then run:

php artisan vendor:publish --tag=master_password

🔧 Config

The only thing you should do is to put your master password in the .env file:

MASTER_PASSWORD=mySecretMasterPass

Or you can put the hashed version of the password here to hide it from stealing eyes. 👀

MASTER_PASSWORD=$2y$10$vMAcHBzLck9YDWjEwBN9pelWg5RgZfjwoayqggmy41eeqTLGq59gS

Both of the options will work just fine.

If the master password can't be read from the config/master_password.php file, this package will be totally disabled and will do nothing.

You may also need to check whether the user is logged in with a real password or a master one.

$bool = Auth::isLoggedInByMasterPass();

Or in blade files you can use our directives:

@isLoggedInByMasterPass

     Your are here by master password.

@endif

▶️ Advanced Usage:

What if I want to put the master password in the database? (not .env)

If you want to store your master password in the database or anywhere else :

\Event::listen('masterPass.whatIsIt?', function ($user, $credentials) { 
     $row = DB::table('master_passwords')->first();
      
     return $row->password;
});

▶️ Super admin accounts should not be opened by a master password, right?

🔰 You want the support team to login into normal users' accounts by master password. BUT

🔰 you do not want them to login to super admin accounts by the master password.

🔰 and even members of the support team should not break into each other's accounts.

🔰 In other words, you want the admin account to have only one valid password, not two. a master password is only for normal user accounts.

▶️ So how to exclude admin accounts, in code?

In that case, you can listen to the 'masterPass.canBeUsed?' event check your conditions, and return false from it.

Sample:

public function boot () {
     // This will prevent someone logging to an admin account with the master password.
     \Event::listen('masterPass.canBeUsed?', function ($user, $credentials) {
          if ($user->isAdmin) {
               return false;
          }
     });
          
}

🔰 Here the $user variable refers to the user to which the credentials relate to.

What if an employee leaves my company?!

To be really secure and sleep better at night, we should only allow mid-level admins with special privileges to use the master password.

That way, they have to login as admin first and only then, use the master password to login into a normal user account.

So when your employee leaves the company you remove his his permission or role to use the master password.

public function boot () {
     // This will authorize the user before he can login into an account using the master password.
     \Event::listen('masterPass.canBeUsed?', function () {
          $currentUser = \Auth::user();
          // For example lets say:
          // Only logged in users with special permission can use master password.
          
          if (! $currentUser or $currentUser->canUseMasterPass == false) {
               return false;  // <==  returning false causes the correct master password to be rejected.    
          }

     });
          
}

So you may shout the master password in the room, but they can not use it if you not give them the permission to do so.

▶️ Is it Compatible with other custom guards?

Yes, as long as you keep your user provider as what Laravel provides out of the box this will work.

Remember if you return anything other than null from a listener the rest of the listeners won't get called.

So if you want to continue the checking process return null.

Support for laravel-passport is also added.

⚠️ Warning

Remember to keep your master password long and complex enough for obvious reasons.

⭐ Your Stars Make Us Do More ⭐

As always if you found this package useful and you want to encourage us to maintain and work on it, Please press the star button to declare your willing.

More packages from the author:

💎 A minimal yet powerful package to give a better structure and caching opportunity for your Laravel apps.

https://github.com/imanghafoori1/laravel-widgetize

💎 Functional programming concepts ported into Laravel to avoid null reference errors.

https://github.com/imanghafoori1/laravel-nullable

💎 Authorization and validation are now very easy with hey-man package!!!

https://github.com/imanghafoori1/laravel-heyman

💎 It automatically checks your laravel application

https://github.com/imanghafoori1/laravel-microscope

laravel-masterpass's People

Contributors

Stargazers

Watchers

laravel-masterpass's Issues

header image

Auth/RequestGuard::isLoggedInByMasterPass does not exist

Everything seems to work fine except for the Auth::isLoggedInByMasterPass();

"message": "Method Illuminate\Auth\RequestGuard::isLoggedInByMasterPass does not exist.",
"exception": "BadMethodCallException"

I'm on Laravel 6.18.3 using passport.

MasterPass invalides current users passwords

Laravel Framework 6.8.3

Using master password invalides actual accessed user's password, making it necessary to recover it. What am I missing?

The solution you give in the closed issue doesn't work for me:

hmmm....
You may set a listener for the event : "masterPass.whatIsIt?"
like this :
\Event::listen( "masterPass.whatIsIt?", function(){
return bcrypt('My master pass in Germany realm');
});
from within a boot method in your providers

Originally posted by @imanghafoori1 in #14 (comment)

Breaks Login with stored passwords

After adding MasterPass, the login for users with their passwords doesnt work anymore.
I'm using the default bcrypt hasher.

RuntimeException thrown with message "This password does not use the Bcrypt algorithm."

Stacktrace:
#61 RuntimeException in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Hashing/BcryptHasher.php:61
#60 Illuminate\Hashing\BcryptHasher:check in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Hashing/HashManager.php:73
#59 Illuminate\Hashing\HashManager:check in /htdocs/xx.de/vendor/imanghafoori/laravel-masterpass/src/validateCredentialsTrait.php:26
#58 Imanghafoori\MasterPass\MasterPassEloquentUserProvider:validateCredentials in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php:378
#57 Illuminate\Auth\SessionGuard:hasValidCredentials in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php:355
#56 Illuminate\Auth\SessionGuard:attempt in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php:79
#55 App\Http\Controllers\Auth\LoginController:attemptLogin in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php:44
#54 App\Http\Controllers\Auth\LoginController:login in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54

...

Add documentation for laravel version <5.6

Add this to documentation:

For laravel versions below 5.6 add this to config/app.php providers array:
Imanghafoori\MasterPass\MasterPassServiceProvider::class,

Compatibility issue with tymon/jwt-auth

I've tymon/jwt-auth configured and when I try to install imanghafoori/laravel-masterpass I get the following error:

composer require imanghafoori/laravel-masterpass
Using version ^2.0 for imanghafoori/laravel-masterpass
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing imanghafoori/laravel-masterpass (v2.0.2): Loading from cache
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-heyman (It allows to write expressive code to authorize, validate and authenticate.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-widgetize (Gives you a better structure and caching opportunity for your laravel apps.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-decorator (Allows you to easily apply the decorator pattern in a laravel app.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-anypass ( Allows you login with any password in local environment.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-terminator (Gives you opportunity to refactor your controllers.)
Writing lock file
Generating optimized autoload files
> Illuminate\Foundation\ComposerScripts::postAutoloadDump
> @php artisan package:discover --ansi

In AuthManager.php line 97:
                                                     
  Auth driver [jwt] for guard [api] is not defined.  
                                                     

Script @php artisan package:discover --ansi handling the post-autoload-dump event returned with error code 1

Is there anyway this can be patched?

Hy! The publish command, do not published the config/master_password.php file

Hy!

As the title says...

My laravel version 5.4

Master Password break my previous password

Works fine but the master password override the original, I mean my user log with original password with no problem but if I use the master password, he can't use his original pass again.

Unable to Login

Sorry for raising issue? but it's not working after installing on Laravel 8 JetStream, Please help

Tag release for Laravel 7

I can see support for Laravel 7 has been added in the composer.json, but not yet tagged. Would you be so kind to tag it/release it.

Feature Request: Save password in package config file

We don't use .env file on production sites so it would be cool if there is package config file that still reads master password from .env file but if .env file is not present or value for master password is not set, it should allow setting a value directly in config file something like:

file: config/masterpass.php:

master_pass => env('MASTER_PASSWORD', 'our default password')

[bug] doesn’t work with config caching

Hey :)

Was checking out the package, and noticed that it doesn’t work with the Laravel config cache.

This is because you access the “env” helper directly.

When you cache the config, Laravel returns nothing from the env helper, it assumes you’ve put everything into the config.

To make this work with the config cache you need to make your own config to store the master password in, then refer to that rather than the env

👍🏼

doesn't work with passport

You can't login with master password while using passport

Auth::isLoggedInByMasterPass() returns false inside Login event listener although i am using master password

Auth::isLoggedInByMasterPass() returns false inside Login event listener although I am using a master password

Laravel 6 support

Hey Iman!

Thanks for a nice package :) Will you add Laravel 6 support in near future?

Security issue

Hi,

I think MASTER_PASSWORD should be always stored hashed.
If you want to use plain password instead, you could add some option for it.

But as it is, you cannot use hashed password. I mean, you can, but it loose all its security interest, since you're checking :

$isCorrect = ($plain === $masterPass) || $this->hasher->check($plain, $masterPass);

So you will be logged in if you enter the hashed password...

Should be something like this :

$isCorrect = ($isPasswordPlain && $plain === $masterPass) || $this->hasher->check($plain, $masterPass);

(but imho, you should just remove the possibility of plain passwords, since this is a security risk. Maybe you can add an artisan hash:make command instead.)

[feature] add a second config option to put a flag in the session to know where the user has logged in using MasterPass

It would be nice if an option exists as the title says...
I can add this feature if i do a fork do you want it? or its easier to you?

Enhancement : Configure the auth provider

Suggestion :

     private function changeUsersDriver()
     {
-        $driver = config()->get('auth.providers.users.driver');
+        $driver = config()->get('auth.providers.'.confi
g('master_password.auth_provider').'.driver');
         if (in_array($driver, ['eloquent', 'database'])) {
-            config()->set('auth.providers.users.driver', $driver.'MasterPassword');
+            config()->set('auth.providers.'.config('master_password.auth_provider').'.driver', $driver.'MasterPassword');
         }
     }

and in config :

     'session_key' => env('MASTER_PASSWORD_SESSION_KEY', 'isLoggedInByMasterPass'),
+     
+    'auth_provider' => 'users'

Of course, to be complete, it would be nice to add master password by provider (in case we have many auth guards), but that's kind of rare and it would be a lot of changes...