
dbAuth.returnedColumns also affects $_SESSION['user'] #1052

Closed
nkappler opened this issue Feb 1, 2025 · 5 comments
@nkappler
Contributor

nkappler commented Feb 1, 2025

Hi,

I'd like to store some user metadata in the user session to use it in another api endpoint, but not return it to the frontend.
Is there a way to do it?

@mevdschee
Owner

Did the authorization middleware help you? Or was that limiting? Or you want to prevent it from ending up in the session variable? Is that it? I suggest creating a view in that case.

@mevdschee mevdschee self-assigned this Feb 1, 2025
@nkappler
Contributor Author

nkappler commented Feb 3, 2025

The authorization middleware is limiting.

Basically, I have columns in my user table for the user/password of another API script (also PHP).
I'd like the user and password to become part of the $_SESSION['user'] variable when the user logs in, so I don't have to query the database in the other API script.
But for obvious reasons, I don't want to return these columns to the frontend when a logged-in user queries the /me endpoint.

I'm not sure how a view would be helpful in this specific case.

Please let me know if it is still unclear.

@mevdschee
Owner

mevdschee commented Feb 3, 2025

> I'd like the [...] password to become part of the $_SESSION['user'] variable when the user logs in,

Are you sure that that is what you want? Isn't that insecure?

    unset($user[$passwordColumnName]);
    $_SESSION['user'] = $user;

It seems the code does this, so it is intended not to have the password in there.

> so I don't have to query the database in the other API script.

Why? Because of performance?

@nkappler
Contributor Author

nkappler commented Feb 3, 2025

> Are you sure that that is what you want? Isn't that insecure?

I'm in full control of the backend, so not really I think.

> It seems the code does this, so it is intended not to have the password in there.

It is not the user's password used for authentication. It is a password for another API, which my backend is used as a proxy to connect to.

> Why? Because of performance?

Performance is a consideration, but mostly convenience.

@mevdschee
Owner

> when a logged-in user queries the /me endpoint.

Then it returns the session variable's contents:

    if ($method == 'GET' && $path == 'me') {
        if (isset($_SESSION['user'])) {
            return $this->responder->success($_SESSION['user']);
        }
        return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
    }

So I guess the answer is: No, there is (currently) no way to do it.

see: https://github.com/mevdschee/php-crud-api/blob/main/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php#L179
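Since /me hands back $_SESSION['user'] unchanged, the only way to keep proxy credentials out of that response is to never put them under that key. The following is an added example, not code from php-crud-api or from either participant: it splits the user row into a public part (stored as $_SESSION['user']) and a secret part stored under a separate, hypothetical key 'proxy_credentials' that only the proxy script reads. Column names are constructed, and it assumes you call storeSession() from your own code after login (for instance a customization.afterHandler hook on the login route), which is not shown.

```php
<?php
// Added example (not php-crud-api code). The column names, the session key
// 'proxy_credentials' and the point where storeSession() is wired in are
// assumptions.
declare(strict_types=1);

/**
 * Split a user row into the part that may be exposed via /me and the part
 * the proxy script needs privately. Returns [public, secret]; the secret
 * columns are removed from the public part so they cannot leak through /me.
 */
function splitUserRow(array $row, array $secretColumns): array
{
    $secret = [];
    foreach ($secretColumns as $column) {
        if (array_key_exists($column, $row)) {
            $secret[$column] = $row[$column];
            unset($row[$column]);
        }
    }
    return [$row, $secret];
}

/** Store the two halves under different session keys after a successful login. */
function storeSession(array $row, array $secretColumns): void
{
    [$public, $secret] = splitUserRow($row, $secretColumns);
    $_SESSION['user'] = $public;              // this is what /me returns
    $_SESSION['proxy_credentials'] = $secret; // read only by the proxy script
}

/** What the other API script reads instead of querying the database again. */
function proxyCredentials(): ?array
{
    return $_SESSION['proxy_credentials'] ?? null;
}

// Demonstration with a constructed row. No session_start(): on the CLI
// $_SESSION is just a plain array, which is enough to show the split.
$_SESSION = [];
$row = ['id' => 7, 'username' => 'alice', 'api_user' => 'svc', 'api_pass' => 'constructed'];
storeSession($row, ['api_user', 'api_pass']);
if ($_SESSION['user'] !== ['id' => 7, 'username' => 'alice']) {
    throw new RuntimeException('secret columns leaked into $_SESSION[\'user\']');
}
if (proxyCredentials() !== ['api_user' => 'svc', 'api_pass' => 'constructed']) {
    throw new RuntimeException('proxy credentials not stored');
}
echo json_encode($_SESSION['user']), PHP_EOL;
```

A quick check that the split holds is to call /me after login and confirm the response contains no key from your secret column list.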
