Laravel
SM_ST, 2021-03-02 16:35:07

User authorization by phone number and SMS code?

Good afternoon.
Task: implement authorization by phone number without a password, that is, the user enters a password, a code is sent to his phone; if the code is correct, we authorize him in the system, if not, an error.

It is currently implemented like this, but is it right?

public function login(Request $request)
{
    // Look up an unused code equal to the one the client sent
    $sms = SmsCode::where('code', '=', $request->code)->where('is_check', '=', 0)->first();

    if (!$sms) return response()->json(['error' => false, 'message' => 'Неверный код']);

    // Find the user the code was sent to
    $user = User::where('phone', '=', $sms->phone)->first();

    if (empty($user)) return response()->json(['error' => false, 'message' => 'Пользователь отсутствует']);

    if (! $token = Auth::login($user)) {
        return response()->json(['error' => 'Unauthorized'], 401);
    }

    // Mark the code as used
    $sms->is_check = 1;
    $sms->updated_at = Carbon::now();
    $sms->save();

    return $this->createNewToken($token);
}


4 answer(s)
Sanes, 2021-03-02
@Sanes

Such things are usually done through Middleware. There is also an example verified.

Vladimir Kokhan, 2021-03-02
@SkazochNick

1. In the first registration form a person enters only his name and phone number.
2. The controller checks whether such a phone number is in the database; if not, move on.
3. Generate a 6-digit code to confirm the phone, send it by SMS via a third-party API, and also save this code in the user's session.
4. On the front, show him the next screen, i.e. the confirmation-code entry form.
5. The person enters the code and is registered (all further actions are clear from there).
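The five steps above carried into working code, as an added example that is not code from this thread or from Laravel. An in-memory array stands in for the SmsCode table, a closure stands in for the SMS gateway, `$users` stands in for the users table, and the names OtpStore, issue, verify, requestCode and login are all assumptions. Unlike the lookup by code alone in the question, the code here is bound to the phone it was sent to, stored only as a hash, expires, allows a limited number of guesses and works once.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread: passwordless login with an SMS code.
// Assumptions: in-memory array instead of the SmsCode table, a closure instead
// of the SMS gateway, $users instead of the users table.

final class OtpStore
{
    /** @var array<string, array{hash: string, expires: int, attempts: int}> */
    private array $codes = [];

    public function __construct(
        private int $ttlSeconds = 300,   // code lifetime
        private int $maxAttempts = 5,    // guesses allowed per issued code
    ) {
    }

    /** Step 3: generate a 6-digit code for $phone and keep only a hash keyed by phone. */
    public function issue(string $phone, int $now): string
    {
        $code = sprintf('%06d', random_int(0, 999999));
        $this->codes[$phone] = [
            'hash'     => self::digest($phone, $code),
            'expires'  => $now + $this->ttlSeconds,
            'attempts' => 0,
        ];
        return $code; // handed to the SMS sender only, never returned to the client
    }

    /** Step 5: check $code against the code issued for this $phone. */
    public function verify(string $phone, string $code, int $now): string
    {
        $entry = $this->codes[$phone] ?? null;
        if ($entry === null) {
            return 'no_code';
        }
        if ($now > $entry['expires']) {
            unset($this->codes[$phone]);
            return 'expired';
        }
        if ($entry['attempts'] >= $this->maxAttempts) {
            unset($this->codes[$phone]);   // too many guesses: a fresh code is required
            return 'locked';
        }
        $this->codes[$phone]['attempts']++;
        if (!hash_equals($entry['hash'], self::digest($phone, $code))) {
            return 'wrong_code';
        }
        unset($this->codes[$phone]);       // single use: the same code cannot log in twice
        return 'ok';
    }

    private static function digest(string $phone, string $code): string
    {
        // The phone is part of the hash, so a code issued for one number is
        // useless for another number, unlike a lookup by code alone.
        return hash('sha256', $phone . ':' . $code);
    }
}

/** Steps 1-3: look the phone up and send a code; the reply is the same either way. */
function requestCode(OtpStore $store, array $users, string $phone, callable $sendSms, int $now): array
{
    if (isset($users[$phone])) {
        $sendSms($phone, 'Your login code: ' . $store->issue($phone, $now));
    }
    // Not revealing whether the number is registered avoids enumerating users.
    return ['message' => 'If this number is registered, a code has been sent'];
}

/** Step 5: verify the code and return the user to log in, or an error. */
function login(OtpStore $store, array $users, string $phone, string $code, int $now): array
{
    $result = $store->verify($phone, $code, $now);
    if ($result !== 'ok') {
        return ['error' => true, 'message' => 'Invalid code', 'reason' => $result];
    }
    return ['error' => false, 'user' => $users[$phone]];
}

// Constructed demo data: one registered user and a stub SMS gateway.
$users  = ['+79990000001' => ['id' => 1, 'name' => 'Ivan']];
$outbox = [];
$sendSms = function (string $to, string $text) use (&$outbox): void {
    $outbox[] = [$to, $text];
};
$store = new OtpStore(ttlSeconds: 300, maxAttempts: 3);
$now   = time();

requestCode($store, $users, '+79990000001', $sendSms, $now);
$code  = substr($outbox[0][1], -6);                     // what the user reads in the SMS
$wrong = $code === '000000' ? '000001' : '000000';

var_dump(login($store, $users, '+79990000002', $code, $now)['reason']);      // no_code: not this phone's code
var_dump(login($store, $users, '+79990000001', $wrong, $now)['reason']);     // wrong_code, attempt 1
var_dump(login($store, $users, '+79990000001', $code, $now + 301)['reason']); // expired: past the TTL
requestCode($store, $users, '+79990000001', $sendSms, $now);
$code = substr($outbox[1][1], -6);
var_dump(login($store, $users, '+79990000001', $code, $now)['error']);       // false: logged in
var_dump(login($store, $users, '+79990000001', $code, $now)['reason']);      // no_code: single use
```

In a Laravel app the `OtpStore` state would live in the SmsCode table (or the session, as step 3 suggests) with the phone as the key, and `login()` would end with `Auth::login($user)`; the point is that verification takes both the phone and the code, so a code found in the table by value alone never decides who gets logged in.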

jazzus, 2021-03-03
@jazzus

Create a LoginRequest and put the SMS and user checks there (a custom rule, or exists, depending on the logic) along with the messages.
Why is this needed:

if(! $token = Auth::login($user)){
    return response()->json(['error' => 'Unauthorized'], 401);
}

It is not clear.
The = sign in where can be left out.
empty in the if can be left out.
updated_at is updated anyway when the model is updated.

Konstantin B., 2021-03-04
@Kostik_1993

There is a great option, but it needs a little skill: I did Firebase phone login on several sites. They have a PHP SDK, as well as a ready-made implementation on the front. All you need to do is authenticate on the front by phone, then a token arrives from Firebase; you send the token to the back, and from the back, using the PHP SDK, you send a request to get the user by token; the user and his phone come back, you look up the user in the database by number and log him in. As a bonus, you get 10 thousand free entries per month for all numbers and another 10 thousand for numbers from the USA.
That is, you save 20-30 thousand per month on SMS.
