Hi,
I set up Auth0 with Laravel 9 and I’m facing a few problems.
The problem I want to discuss in this topic is the management of the session.
It appears not to be working properly.
I set the session driver to “file” as recommended, but if I enable the debugger to stop on any exception, I see that Laravel always raises an exception for being unable to decrypt the session cookie.
Consequently, SOMETIMES but not every time, it cannot find the auth()->user() and store it in request()->user(), and that causes everything else to fail, pretty much, but the critical failure that Laravel raises is “session not stored on request”.
Other times it just finds the auth()->user(), even if the session cookie decryption fails EVERY TIME.
What is going on here?
A bit more context:
- this website has a few subdomains run within the same Laravel app, and the authentication in 1 subdomain should be valid for all the rest
- I had to use a custom user repository to get a proper user model from the auth()->user() helper function. I need a proper user model mostly because I’m using the Spatie Permission package to manage roles and permissions, and I need to be able to call methods such as auth()->user()->role('Administrator')
Env file
AUTH0_DOMAIN=mytenant.eu.auth0.com
AUTH0_CLIENT_ID=secret
AUTH0_CLIENT_SECRET=secret
AUTH0_COOKIE_SECRET=secret
AUTH0_COOKIE_DOMAIN=.mybasedomain.com
AUTH0_ROUTE_HOME=/
SESSION_DRIVER=file
SESSION_LIFETIME=120
SESSION_DOMAIN=.mybasedomain.com
App\Models\User
<?php
namespace App\Models;
use Auth0\Laravel\Contract\Model\Stateful\User as Auth0StatefulUser;
use Illuminate\Auth\Passwords\CanResetPassword;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Spatie\Permission\Traits\HasRoles;
use Plank\Metable\Metable; // assumed source of the Metable trait (plank/laravel-metable)
// use .. other stuff
class User extends Authenticatable implements Auth0StatefulUser, MustVerifyEmail
{
    use Notifiable, SoftDeletes, HasRoles, CanResetPassword, Metable;
    // ...
}
config\auth
<?php
return [
    'defaults' => [
        'guard' => 'auth0',
        //'guard' => 'web',
        'passwords' => 'users',
    ],
    'guards' => [
        'auth0' => [ // spatie permissions will use the first guard as default
            'driver' => 'auth0',
            'provider' => 'auth0',
        ],
        /*'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],*/
    ],
    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],
        'auth0' => [
            'driver' => 'auth0',
            'repository' => App\Auth\CustomUserRepository::class,
            'model' => App\Models\User::class, // needed by spatie permission. No, we're not using auth0 permissions.
            //'repository' => \Auth0\Laravel\Auth\User\Repository::class
        ],
    ],
    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
            'throttle' => 60,
        ],
    ],
    'password_timeout' => 10800,
];
App\Auth\CustomUserRepository
<?php
declare(strict_types=1);
namespace App\Auth;
use App\Models\User;
use Auth0\Laravel\Contract\Auth\User\Repository;
use Illuminate\Contracts\Auth\Authenticatable;
class CustomUserRepository implements Repository
{
    // Resolve the local Eloquent user from the Auth0 session profile (stateful flow).
    public function fromSession(array $user): ?Authenticatable
    {
        // Guard against a profile without an email claim instead of querying with null.
        $email = $user['email'] ?? null;
        if ($email === null) {
            return null;
        }
        return User::firstWhere('email', $email);
    }
    public function fromAccessToken(array $user): ?Authenticatable
    {
        // Similar to above. Used for stateless application types.
        return null;
    }
}
Is it really necessary to use the session file driver anyways? I’d like to use the database driver in order to throttle the origin IP requests.