I like the fact that you show how you debug in real life. It gives me confidence that I am not a dull lad. When I watch error-free screencasts, I feel like there is a stage in programming when you are not supposed to ever have an error in your code! Meanwhile, I got Laracast's lifetime account so that I can just copy and use straight out of the box. If you have done it, why should I repeat 🤭🤭
At least you are also victim of random problem occuring when making a video and debugging on point. Not like other people who just doing copy paste from their 2nd screen 😅. ❤
This approch can be used for admins, sometimes admin wants to see user screen so if it has implemented for only admin users than admin can check the user screen. And Admin does need to know user's password. It is very usefull for me. It is exacly what I want. Many thaks.
@@iWhacko you are right! Maybe we can add another session guard and admin can login with this guarded new session. If I am wrong, sorry coz, I'm new into laravel :) still I am trying to learn detailed concept for laravel. There are many tutorails about it but anyone can not tell detailed approch , lifecycles, logic etc.... Such as service containers, providers, configs very important. When use them, you can figure it out very easyly to diffucult process. And kernel logic very important. No one does not dive to into kernel.
While simple security like this may seem a positive step and make life easier for your users. It's not. What if the user no longer has access to the email address? How do they log in to change it? This system can also be used in a password reset attack if the implementation Isn't protected against it. Some email systems can take quite a while before the email is delivered. For example my ISP delays emails by up to 10 min. Which means I have to wait 10 minutes before I can log in.
Or not at all if the URL is valid for 5 minutes but the mail takes longer to arrive. Or your mail server is down and thus can't login. Password has always been the standard and will always be. Even Yubikey will probably never see widespread adoption, cause you'd have to carry it with you everywhere you go and if you lose it you can't just reset your password.
Great teaching as always. One quick note: I would also give positive feedback to the user in case the provided e-mail address is not in the database. This prevents guessing website users.
When you changed the user id to 2 it showed as 404 not found, shouldn't any change in the sign url give a 403 status code ? Because it looks like the validation is passing and because there is no user it gives a 404 which will be concerning, if the middleware was working then it should not give a 404. I don't know if i am correct. I'll check
@@timothybelekollie6461 ok i made a new laravel project and sure enough it gives me a 403 forbidden when i change the parameter not sure what happened here strange
403 gives unauthorised which gives you a hint of that user being in the system(exposing user ID). That's why 404. That's my theory(as far as I can think about security)
@@vinit095 yupp correct laravel tries to find the user first and then it tries to apply the middleware that is why if there is no user it just gives a 404, which is again bad for security but hey you could use any other implementation such as using uuid.
A question: When you hit the url with user id 2, laravel is throwing "404 | Not Found", probably because user does not exists in the database. I may be wrong, but it should throw "403 | Invalid Url" or "403 | Invalid Signature" whatever it is. I guess, Laravel is allowing the URL to be hit the method "loginWithToken" with user ID 2. Please correct me If I am wrong. Always enjoy Laracasts' Video. Keep Posting.
This is because route model binding is performed before the validation of the signed route. So when there is no record 2, you get a 404, but if there is a record with ID of 2 then the route model binding works and the invalid signature occurs.
If a page or application forces me to go to my inbox and therefore doing an extra step that would otherwise be unnecessary it's a no from me. I'd rather have my browser autofill the input than having open my inbox, click on the link and close the old browser tab. Just like I hate it when pages or applications have the login inputs on different pages or the password input is revealed after submitting the email/username, thus having an extra click.
My god this is such bad practice. let me explain in a couple steps: 1. email is NOT a secure channel. 2. your link might be secure, but you're sending it over an INSECURE channel. 3. You basically allow anyone who know the email to log in without knowing the password, >>> 4. if the email is compromised . 5. you removed the "something you know part" from security principles. 6. why is everyone going to 2fa? 7. to ADD another step: "Something you have". 8. convenience over security is ALWAYS bad. 9. giving a hint, that the email is not found?? BAD gives attackers info to retry with another email.
@@esyx6476 if you click forgot password, and the service immediately sends you a new password, yes thats bad. That's why we have security questions, to verify identity. Or nowadays, people have devices linked to their account, which can verify identity before setting a new password. NOT mailing it.
I like the fact that you show how you debug in real life. It gives me confidence that I am not a dull lad.
When I watch error-free screencasts, I feel like there is a stage in programming when you are not supposed to ever have an error in your code!
Meanwhile, I got Laracast's lifetime account so that I can just copy and use straight out of the box. If you have done it, why should I repeat 🤭🤭
Great tutorial. Passwordless authentication is becoming more mainstream. For example, Shopify uses passwordless auth for all new customer accounts 👍
At least you are also victim of random problem occuring when making a video and debugging on point. Not like other people who just doing copy paste from their 2nd screen 😅. ❤
This approch can be used for admins, sometimes admin wants to see user screen so if it has implemented for only admin users than admin can check the user screen. And Admin does need to know user's password. It is very usefull for me. It is exacly what I want. Many thaks.
you have the "impersonate feature" in a couple of laravel plugins. don't use this method. it's insecure
@@iWhacko you are right! Maybe we can add another session guard and admin can login with this guarded new session. If I am wrong, sorry coz, I'm new into laravel :) still I am trying to learn detailed concept for laravel. There are many tutorails about it but anyone can not tell detailed approch , lifecycles, logic etc.... Such as service containers, providers, configs very important. When use them, you can figure it out very easyly to diffucult process. And kernel logic very important. No one does not dive to into kernel.
So easy. I'm in love with Laravel
While simple security like this may seem a positive step and make life easier for your users. It's not. What if the user no longer has access to the email address? How do they log in to change it? This system can also be used in a password reset attack if the implementation Isn't protected against it. Some email systems can take quite a while before the email is delivered. For example my ISP delays emails by up to 10 min. Which means I have to wait 10 minutes before I can log in.
Or not at all if the URL is valid for 5 minutes but the mail takes longer to arrive. Or your mail server is down and thus can't login. Password has always been the standard and will always be. Even Yubikey will probably never see widespread adoption, cause you'd have to carry it with you everywhere you go and if you lose it you can't just reset your password.
Great teaching as always. One quick note: I would also give positive feedback to the user in case the provided e-mail address is not in the database. This prevents guessing website users.
Bad option. Bad actors continue to submit email addresses until they find as many as they need. Feedback makes it easy for them.
How can I make these changes in laravel jetstream?
thabk you laraway, you are the best.
When you changed the user id to 2 it showed as 404 not found, shouldn't any change in the sign url give a 403 status code ? Because it looks like the validation is passing and because there is no user it gives a 404 which will be concerning, if the middleware was working then it should not give a 404. I don't know if i am correct. I'll check
I have not implemented this but I was also thinking the same.
@@timothybelekollie6461 ok i made a new laravel project and sure enough it gives me a 403 forbidden when i change the parameter not sure what happened here strange
403 gives unauthorised which gives you a hint of that user being in the system(exposing user ID). That's why 404. That's my theory(as far as I can think about security)
@jontyrodrigues , then it all make sense now with the 403 forbidden code.
@@vinit095 yupp correct laravel tries to find the user first and then it tries to apply the middleware that is why if there is no user it just gives a 404, which is again bad for security but hey you could use any other implementation such as using uuid.
Your videos are awesome; however, I really like the way you set up your editor. Can you please share how I can set up mine like yours?
Yes please!
I'll get to know this stuff soon
I also do ray() most in my development and ray does encodes html entities in the URL most of the times..
A question:
When you hit the url with user id 2, laravel is throwing "404 | Not Found", probably because user does not exists in the database.
I may be wrong, but it should throw "403 | Invalid Url" or "403 | Invalid Signature" whatever it is.
I guess, Laravel is allowing the URL to be hit the method "loginWithToken" with user ID 2. Please correct me If I am wrong.
Always enjoy Laracasts' Video. Keep Posting.
Just tested manually and Jeffrey is right. I have a user with ID 2 and when I manually edit the URL I get the 403 INVALID SIGNATURE response.
@@richard_keep noted
This is because route model binding is performed before the validation of the signed route. So when there is no record 2, you get a 404, but if there is a record with ID of 2 then the route model binding works and the invalid signature occurs.
Thank you for this great explanation. Passwordless would be better with passkey or Fido2. Is it possible to extend your example app with passkeys?
What PhpStorm theme do you use?
it's Carbon bro :)
I will use this for board of directors approval email. They won’t need to login or access the system to give a quick approval.
Thanks for this 🙏
If a page or application forces me to go to my inbox and therefore doing an extra step that would otherwise be unnecessary it's a no from me. I'd rather have my browser autofill the input than having open my inbox, click on the link and close the old browser tab. Just like I hate it when pages or applications have the login inputs on different pages or the password input is revealed after submitting the email/username, thus having an extra click.
perfect.
I use this for "Shit I forgot my password"
My god this is such bad practice. let me explain in a couple steps:
1. email is NOT a secure channel.
2. your link might be secure, but you're sending it over an INSECURE channel.
3. You basically allow anyone who know the email to log in without knowing the password, >>>
4. if the email is compromised .
5. you removed the "something you know part" from security principles.
6. why is everyone going to 2fa?
7. to ADD another step: "Something you have".
8. convenience over security is ALWAYS bad.
9. giving a hint, that the email is not found?? BAD gives attackers info to retry with another email.
how is that different from clicking "forgot password" if the email is already compromised?
@@esyx6476 if you click forgot password, and the service immediately sends you a new password, yes thats bad. That's why we have security questions, to verify identity. Or nowadays, people have devices linked to their account, which can verify identity before setting a new password. NOT mailing it.