Printing the Auth class user password in Laravel 10

MehmetNedimBilgi231
November 11, 2023
224 views
0 votes
2 Answers

When I checked the user logged in to Laravel 10, I noticed this. When I run the print_r(Auth::user()) code, it also prints the user’s password.

Html output when I print the "Auth::user()" code with "print_r".

Ana Sayfa
stdClass Object
(
[user] => AppModelsUser Object
(
[connection:protected] => mysql
[table:protected] => users
[primaryKey:protected] => id
[keyType:protected] => int
[incrementing] => 1
[with:protected] => Array
(
)

)

My user model;

    namespace AppModels;

// use IlluminateContractsAuthMustVerifyEmail;
use IlluminateDatabaseEloquentFactoriesHasFactory;
use IlluminateFoundationAuthUser as Authenticatable;
use IlluminateNotificationsNotifiable;
use LaravelSanctumHasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable;

    /**
     * The attributes that are mass assignable.
     *
     * @var array<int, string>
     */
    protected $fillable = [
        'username',
        'email',
        'email_verified_at',
        'remember_token',
        'email_valid',
    ];

    /**
     * The attributes that should be hidden for serialization.
     *
     * @var array<int, string>
     */
    protected $hidden = [
        'password',
        'remember_token',
    ];

    /**
     * The attributes that should be cast.
     *
     * @var array<string, string>
     */
    protected $casts = [
        'email_verified_at' => 'datetime',
        'password' => 'hashed',
    ];
}

My login function;

     $username = $request->post('username');
        $password = ($request->post('password'));
       
        $login = Auth::attempt([
            'username' => $username,
            'password' => $password
        ]);

        if($login){
            $user = Auth::user();
            return redirect('home');
        }else{ 
            return redirect(route('login'))->with('login_fail_1',"Kullanıcı adı yada parola       hatalı.");
        }

As far as I know, the Auth class uses sessions. When the user logs in, I do not want critical information such as password to be saved in the session in any way.

Answers

- DenisSinyukov
- November 11, 2023 at 9:22 pm
- 0 votes
0
The point is that when you get a record about a user you get its full information, and further you regulate the output of fields through I hidden – this is normal behavior. You can fix it through your custom authorization driver, where you will use a truncated set of fields after verifying email + password

Here’s what happens internally when you log in via session – retrieveByCredentials() on file vendor/laravel/framework/src/Illuminate/Auth/DatabaseUserProvider.php.

you don’t have to worry if someone finds out the password hash, because it can’t be decoded back. At login it is compared to the password, which is hashed again and compared to the hash in the database.

using this function you create a password in the database, password-hash
```
public function make($value, array $options = [])
{
    $hash = password_hash($value, PASSWORD_BCRYPT, [
        'cost' => $this->cost($options),
    ]);

    if ($hash === false) {
        throw new RuntimeException('Bcrypt hashing not supported.');
    }

    return $hash;
}
```
Login or Signup to reply.

- FardinAhsan
- November 11, 2023 at 9:37 pm
- 0 votes
0
This is normal behavior. when you are in debug mode there is nothing wrong with that. In the bellow you can see, that if you return the value all hidden attributes are removed.

[

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.