I'm trying to implement Sanctum SPA authentication with roles (user/admin). The thing is that I want to use a separate admin table.
I read all of the Laravel documentation related to that subject, but with no result.
I tried to make a new guard and provider inside config/auth.php but didn't succeed in combining it with Sanctum.
Any additional resources and ideas on how to do it will be appreciated! :)
Sanctum (SPA auth) only deals with authentication (who you are); what you are asking/looking for is how to authorize users (what you can do) to perform/access specific resources.
If what you need is only to separate users between regular users and admins, you can get away with a boolean column on the users table, is_admin, and then use that to check whether a user is an admin or not.
If you need more granular control, you could probably make use of Spatie's laravel-permission package.
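As an added example (not code from the answer above), here is the is_admin approach wired into a Sanctum-authenticated SPA API. Laravel 10 with Sanctum installed is assumed; the migration, the gate name `admin`, the `/admin/...` routes and the model excerpt are my own choices, and several files are shown in one block separated by file headers.

```php
<?php
// Added example, not the answer's code: the is_admin approach on a single
// users table behind Sanctum SPA authentication. Assumes Laravel 10 with
// Sanctum installed and EnsureFrontendRequestsAreStateful enabled in the `api`
// middleware group; the gate name `admin`, the routes and the migration are
// my own choices.

// ---- database/migrations/xxxx_add_is_admin_to_users_table.php ----
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

return new class extends Migration {
    public function up(): void
    {
        Schema::table('users', function (Blueprint $table) {
            // Defaults to false: nobody becomes an admin by registering.
            $table->boolean('is_admin')->default(false)->after('password');
        });
    }

    public function down(): void
    {
        Schema::table('users', fn (Blueprint $table) => $table->dropColumn('is_admin'));
    }
};

// ---- app/Models/User.php (excerpt) ----
// Keep is_admin out of $fillable so a registration request carrying
// "is_admin": true cannot promote itself; set it only through an explicit
// admin action or an artisan command.
// protected $fillable = ['name', 'email', 'password'];
// protected $casts    = ['is_admin' => 'boolean'];

// ---- app/Providers/AuthServiceProvider.php (boot) ----
use App\Models\User;
use Illuminate\Support\Facades\Gate;

Gate::define('admin', fn (User $user): bool => $user->is_admin);

// ---- routes/api.php ----
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Sanctum answers "who is this?" from the SPA's session cookie; the gate
// answers "may they do this?". Both user types share one guard and provider.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    // 403 for authenticated non-admins; 401 from auth:sanctum for anonymous callers.
    Route::middleware('can:admin')->prefix('admin')->group(function () {
        Route::get('/users', fn () => User::select('id', 'name', 'email', 'is_admin')->get());

        Route::patch('/users/{user}/promote', function (User $user) {
            // forceFill because is_admin is deliberately not mass assignable.
            $user->forceFill(['is_admin' => true])->save();
            return $user;
        });
    });
});
```

The SPA can read `/user` and show an admin menu when `is_admin` is true, but that is only presentation; the `can:admin` middleware on the server is what actually enforces the boundary.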
I am building a Laravel webapp where I need to implement a custom registration process. Now I am not sure whether I can/should use the built-in Authentication features from Laravel or not.
I have three types of users:
Admin users: My colleagues in my company who talk to clients, onboard them, etc.
Clients: Users who create certain tasks, that need to be done. They could more or less use a "standard registration" process
Service Providers: Users who fulfill tasks for clients. They need to be onboarded by our company. So our admin users would create their user profile and send them an invitation link.
Especially the Service Providers are giving me a headache. Is this kind of custom registration flow possible in Laravel, or do I have to build my own custom authentication to accomplish this?
Thank you for posting your question. I have implemented Laravel Authentication with custom features before; I would recommend you take the following steps:
Install Laravel Authentication.
Update the users table with a column named type that will distinguish between users.
Create middleware for each user type. Middleware helps you control which user can access or perform which tasks.
If you have different elements for each user, you can also implement policies or gates to show specific elements in your Blade templates according to user type.
I would not recommend creating custom authentication for this scenario, as you would have to implement proper session handling, throttling, forgot password and the verification process along with emails and notifications, which are all built in by default in Laravel.
If you want to edit the register and login functions, you can do that. ;)
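As an added example (not the answer's code), this is how the invitation flow for Service Providers can sit on top of Laravel's built-in auth and the `type` column suggested above. The route names, the 7-day link lifetime, the `type:admin` middleware alias and the AcceptInvitationController are my own choices; several files are shown in one block separated by file headers.

```php
<?php
// Added example, not the answer's code: invitation-based onboarding for the
// service providers. Builds on Laravel's built-in auth and the `type` column
// the answer suggests. Route names, the 7-day lifetime, the `type:admin`
// middleware and the AcceptInvitationController are my own choices.

// ---- app/Http/Controllers/Admin/InvitationController.php ----
namespace App\Http\Controllers\Admin;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\Str;

class InvitationController
{
    // An admin creates the profile; providers never self-register.
    public function store(Request $request)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255', 'unique:users,email'],
        ]);

        $user = User::forceCreate([
            'name'              => $data['name'],
            'email'             => $data['email'],
            'type'              => 'service_provider',
            // Unguessable placeholder so the account is unusable until accepted.
            'password'          => Hash::make(Str::random(64)),
            'email_verified_at' => null, // doubles as the "invite accepted" marker
        ]);

        // Signed, expiring link: changing `user` or `expires` breaks the
        // signature, so a recipient cannot claim someone else's account.
        $link = URL::temporarySignedRoute(
            'invite.accept', now()->addDays(7), ['user' => $user->id]
        );

        // Mail::to($user)->send(new ProviderInvitation($link)); (mailable omitted)
        return response()->json(['invited' => $user->email, 'expires_in_days' => 7], 201);
    }
}

// ---- app/Http/Controllers/Auth/AcceptInvitationController.php ----
namespace App\Http\Controllers\Auth;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class AcceptInvitationController
{
    public function show(Request $request, User $user)
    {
        abort_if($user->email_verified_at !== null, 410, 'This invitation was already used.');
        // The form must post back to $request->fullUrl() so the signature
        // survives the round trip; the view itself is omitted here.
        return view('auth.accept-invitation', ['user' => $user, 'action' => $request->fullUrl()]);
    }

    public function store(Request $request, User $user)
    {
        abort_if($user->email_verified_at !== null, 410, 'This invitation was already used.');
        $request->validate(['password' => ['required', 'confirmed', 'min:12']]);

        $user->forceFill([
            'password'          => Hash::make($request->input('password')),
            'email_verified_at' => now(), // makes the link single-use
        ])->save();

        Auth::login($user);
        $request->session()->regenerate(); // session fixation protection after login
        return redirect('/dashboard');
    }
}

// ---- routes/web.php ----
use App\Http\Controllers\Admin\InvitationController;
use App\Http\Controllers\Auth\AcceptInvitationController;
use Illuminate\Support\Facades\Route;

// `type:admin` is a hypothetical alias for a middleware that compares
// $request->user()->type with its argument and aborts with 403 otherwise.
Route::post('/admin/invitations', [InvitationController::class, 'store'])
    ->middleware(['auth', 'type:admin']);

// `signed` (ValidateSignature) rejects expired or tampered URLs with 403
// before either controller method runs.
Route::middleware('signed')->group(function () {
    Route::get('/invite/{user}', [AcceptInvitationController::class, 'show'])->name('invite.accept');
    Route::post('/invite/{user}', [AcceptInvitationController::class, 'store']);
});
```

Clients keep the standard registration route; admins are created however you create staff accounts. The signed URL carries no secret of its own, so its security rests on APP_KEY staying private and on the link being sent over a channel only the invitee reads.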
Hi, I'm building an app with Laravel and Vue.js. This app is not a fully single page application but is a combination of Vue and Blade.
For example, the dashboard or login page and some other pages are SPA-based and are fully implemented with Vue. But the landing page and some other pages have been created with Blade, and some of them may use Vue components.
My question is about authentication in such cases. Is Laravel Passport appropriate for such cases? Or should I use JWT or something else? Because I need authentication on both types of pages (Vue-based, Blade-based). And it's done on almost every page.
On the other hand, I used Spatie's laravel-permission to control permissions and roles. Is it possible for Passport to define roles and permissions and control based on them? I mean displaying or hiding elements and links, accessing certain sections, or doing some work with permission checking.
What resources do you offer to start learning how to develop authentication and authorization in such apps?
Edit:
Maybe there was some ambiguity in my question, so I'll explain a little more. Suppose our website has three parts:
The first part includes the landing page, display of a post, display of all posts and more. This section is implemented with Blade and may also use Vue components.
The second part is the user profile page of the site where users can edit their own information, view their posts and edit them, view registered comments and more. This section is SPA and is fully implemented with Vue and only logged in users can see it.
The third part is the admin dashboard page, which is needed to manage different sections, apply settings and more. This section is also SPA and fully implemented with Vue. In this section, only users with the Administrator role are allowed, and each one can perform certain tasks based on the permissions given to them. This means it must be checked whether the user is allowed to see a section or perform a specific task, or not.
Routing is also performed by Vue on the user profile and admin dashboard pages, and actions are performed by axios sending requests to APIs written in Laravel. And all three parts are in the same application.
So the question is, how should Authentication and Authorization be done in this scenario? Is laravel-passport appropriate for this task? Is it possible to do both in laravel-passport? For example, Authorization is going to be done in the front-end section by vue, how should this be done? Is it possible to combine laravel-passport and laravel-permission - Spatie? Or do we need it at all? Perhaps the more general question: Is this scenario reasonable?
You can use the intermediate approach: Blade login/register and the Laravel Passport middleware https://laravel.com/docs/6.x/passport#consuming-your-api-with-javascript.
This Passport middleware will attach a laravel_token cookie to your outgoing responses. This cookie contains an encrypted JWT that Passport will use to authenticate API requests from your JavaScript application. Now, you may make requests to your application's API without explicitly passing an access token.
Spatie permission is great for managing permissions and roles. You can protect your api routes with middleware or checks in your controller.
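As an added example (not the answer's code), here is the combination described above in one application: Passport's CreateFreshApiToken on the web group so the Vue parts can call the API with the session, and Spatie's laravel-permission enforcing roles and permissions on those API routes. It assumes Passport 11+, spatie/laravel-permission v6 (middleware namespace `Spatie\Permission\Middleware`), an `api` guard with driver `passport`, and a User model with a `posts()` relation; the route paths and permission names are my own.

```php
<?php
// Added example, not the answer's code: one Laravel app serving Blade pages
// and Vue SPAs, using Passport's CreateFreshApiToken middleware for API calls
// from the same origin and Spatie's laravel-permission for authorization.
// Assumes Passport 11+, spatie/laravel-permission v6, an `api` guard with
// driver `passport`, and a User model with a posts() relation.

// ---- app/Http/Kernel.php (excerpt) ----
// protected $middlewareGroups = [
//     'web' => [
//         // ...default web middleware...
//         // Attaches the laravel_token cookie to Blade responses; axios then
//         // authenticates with that cookie plus the X-XSRF-TOKEN header it reads
//         // from the XSRF-TOKEN cookie, so no bearer token is stored in JS.
//         \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
//     ],
// ];
// protected $middlewareAliases = [   // $routeMiddleware on Laravel 9 and earlier
//     'role'       => \Spatie\Permission\Middleware\RoleMiddleware::class,
//     'permission' => \Spatie\Permission\Middleware\PermissionMiddleware::class,
// ];

// ---- routes/api.php ----
use App\Models\Post;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->group(function () {
    // Called once by each SPA after load to decide which links and buttons
    // to render. Hiding UI is a courtesy; the routes below do the enforcing.
    Route::get('/me', function (Request $request) {
        $user = $request->user();
        return [
            'id'          => $user->id,
            'name'        => $user->name,
            'roles'       => $user->getRoleNames(),
            'permissions' => $user->getAllPermissions()->pluck('name'),
        ];
    });

    // Profile SPA (part two): any logged-in user, scoped to their own rows.
    Route::get('/profile/posts', fn (Request $request) => $request->user()->posts()->latest()->get());

    Route::patch('/profile/posts/{post}', function (Request $request, Post $post) {
        // Ownership check: being logged in is not authorization to edit others' posts.
        abort_unless($post->user_id === $request->user()->id, 403);
        $post->update($request->validate(['title' => ['required', 'string', 'max:255']]));
        return $post;
    });

    // Admin SPA (part three): role gate on the group, permission gate per action.
    Route::prefix('admin')->middleware('role:admin')->group(function () {
        Route::get('/posts', fn () => Post::latest()->paginate(20))
            ->middleware('permission:view posts');

        Route::delete('/posts/{post}', function (Request $request, Post $post) {
            // Re-check in the handler too, so the rule survives a route being
            // copied later without its middleware.
            abort_unless($request->user()->can('delete posts'), 403);
            $post->delete();
            return response()->noContent();
        })->middleware('permission:delete posts');
    });
});
```

The Vue code calls `/me` and uses the returned `permissions` array to show or hide elements; every destructive action still goes through a route that checks the same permission server-side, so a user who edits the front-end state gains nothing.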
You are making it too complicated. If you are calling your Vue components in a Blade file you don't need Passport at all, but if your front end is separate from the back end then you need to use Passport because you don't have access to the session...
On the other hand, I used Spatie's laravel-permission to control permissions and roles. Is it possible for Passport to define roles and permissions and control based on them?
Passport doesn't care what kind of permission and role system you want to use; you can use anything that you want.
Actually I am a beginner in Laravel. By the way, I am using auth and there is a wonderful method, I mean "check" of the Auth facade, that enables you to protect all routes or controllers in the way you want. But before this I should say which users can use this route or controller and which users can't.
I searched for it but I didn't find it.
Actually I miss a part of this authentication mechanism in Laravel. Please help me with this.
Laravel has a feature called middleware where you can check the user's role based on your role_id.
Please see the link below for a clearer reference.
https://laravel.com/docs/5.8/middleware
Happy Coding. :)
You need to use middleware for this kind of functionality. Read about middleware in the Laravel documentation here.
Moreover, you can use this package to create roles for users if you don't want to create roles from scratch. Just add the user to a role and use the role name as the middleware.
Have you gone through the ACL stuff in Laravel?
Well, it will work as per the permissions given to a user as per its role.
For example, Admin has all roles so he can access anything. Employee has few rights to access modules, so that will be defined as per need in Laravel, and users that do not have access to some module will get an error designed by the developer.
So this is all handled through middleware, and generally that is defined by an ACL.
Anything else you want to know?
I want to assign a specific role to each registered user to distinguish access in the application. For instance I need roles: admin, operator.
Is it possible to do with Laravel Passport?
What's the difference between a grant and a role?
There are no such things as roles in Passport; you have scopes. As for the grant types, they define a flow which your app should follow in order to get valid credentials. I recommend you read the following article and look at the OAuth2 documentation so you get a little more insight on the matter.
https://laravel-news.com/passport-grant-types
#Karim soubai already mentioned how to achieve roles.
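As an added example (not the answer's code), this shows the scope mechanism the answer refers to, used to approximate the asker's admin and operator roles. It assumes Passport 11+ and a hypothetical `users.role` column that decides which scopes a user may be issued; the scope names, the `User::allowedScopes()` helper and the routes are my own choices.

```php
<?php
// Added example, not the answer's code: modelling "admin" and "operator" with
// Passport scopes rather than roles. Assumes Passport 11+ and a hypothetical
// users.role column that decides which scopes a user may be issued; the scope
// names, the User::allowedScopes() helper and the routes are my own choices.

// ---- app/Providers/AuthServiceProvider.php (boot) ----
use Laravel\Passport\Passport;

Passport::tokensCan([
    'operate' => 'Perform day-to-day operator actions',
    'admin'   => 'Administer users and settings',
]);
// Tokens issued without explicit scopes get only this; nothing is admin by default.
Passport::setDefaultScopes(['operate']);

// ---- app/Http/Kernel.php: $middlewareAliases ($routeMiddleware on Laravel 9) ----
// 'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,      // must hold ALL listed
// 'scope'  => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class, // must hold ANY listed

// ---- app/Models/User.php (excerpt) ----
// public function allowedScopes(): array
// {
//     // Hypothetical `role` column holding 'admin' or 'operator'.
//     return $this->role === 'admin' ? ['operate', 'admin'] : ['operate'];
// }

// ---- routes/api.php ----
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->group(function () {
    // Issue a personal access token. The requested scopes are clamped to what
    // the user's role permits, so an operator cannot mint an admin token.
    Route::post('/tokens', function (Request $request) {
        $data = $request->validate([
            'scopes'   => ['sometimes', 'array'],
            'scopes.*' => ['string'],
        ]);
        $requested = $data['scopes'] ?? ['operate'];
        $allowed   = $request->user()->allowedScopes();

        $excess = array_diff($requested, $allowed);
        abort_if($excess !== [], 403, 'Scope not permitted for this role: ' . implode(', ', $excess));

        $token = $request->user()->createToken('cli', $requested);
        return ['access_token' => $token->accessToken, 'scopes' => $requested];
    });

    // Operator work: a token holding either scope may call this.
    Route::get('/jobs', fn () => ['jobs' => []])->middleware('scope:operate,admin');

    // Admin-only: the route middleware requires the admin scope, and tokenCan()
    // shows the equivalent check inside a handler.
    Route::delete('/users/{id}', function (Request $request, int $id) {
        abort_unless($request->user()->tokenCan('admin'), 403);
        // ...delete user $id (omitted)...
        return response()->noContent();
    })->middleware('scopes:admin');
});
```

The caveat with this substitute for roles is that scopes are fixed on the token when it is issued, not looked up on the user at request time: demoting an admin does not shrink tokens already in the wild, so revoke them (`$user->tokens()->delete()`) as part of the demotion.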
since Laravel's built-in authentication uses the user model? For example I want to separate the admin from the user, so I will build two different layers in my application, the admin and the user. How can I achieve this in Laravel since its default auth uses the users table and user model?
In my opinion, there's no real need to separate the two. Administrators and typical users can exist on the same database table, because they are both users but can have different permissions.
It seems like you're just looking for a typical permissions system (ACL). There are multiple packages available that can help you handle this.
Orchestra Auth
Sentinel
Entrust
Normally, as an admin is still a user, you give them a role column. Let's say you have users, moderators and admins; then you have roles 0, 1, 2 for them. Just make it an enum, and if you need to check in Laravel use Auth::user()->role == 2, for example for admin rights :)
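As an added example (not code from any of the answers above), this implements what the middleware answers earlier on the page and this answer both describe: a numeric role column on the users table, cast to a PHP backed enum, and checked by a parameterised middleware. It assumes Laravel 9+ on PHP 8.1+; the role values, the EnsureRole middleware and the routes are my own choices, and several files are shown in one block separated by file headers.

```php
<?php
// Added example, not code from any of the answers: a numeric role column
// checked by middleware (as the middleware answers recommend) and cast to a
// PHP backed enum (as this answer recommends). Assumes Laravel 9+ on PHP 8.1+;
// the role values, the EnsureRole middleware and the routes are my own choices.

// ---- app/Enums/Role.php ----
namespace App\Enums;

enum Role: int
{
    case User = 0;
    case Moderator = 1;
    case Admin = 2;

    // Ranked comparison so "moderator or higher" is not spelled as `>= 1`.
    public function atLeast(Role $minimum): bool
    {
        return $this->value >= $minimum->value;
    }
}

// ---- database/migrations/xxxx_add_role_to_users_table.php (excerpt) ----
// Schema::table('users', fn (Blueprint $t) =>
//     $t->unsignedTinyInteger('role')->default(\App\Enums\Role::User->value));

// ---- app/Models/User.php (excerpt) ----
// Cast so $user->role is a Role case, and leave it out of $fillable so a
// registration payload containing "role": 2 cannot self-promote.
// protected $fillable = ['name', 'email', 'password'];
// protected $casts    = ['role' => \App\Enums\Role::class];

// ---- app/Http/Middleware/EnsureRole.php ----
namespace App\Http\Middleware;

use App\Enums\Role;
use Closure;
use Illuminate\Http\Request;

class EnsureRole
{
    // Route usage: ->middleware('role:admin') or ->middleware('role:moderator').
    public function handle(Request $request, Closure $next, string $minimum)
    {
        $required = match (strtolower($minimum)) {
            'user'      => Role::User,
            'moderator' => Role::Moderator,
            'admin'     => Role::Admin,
            default     => abort(500, "Unknown role '{$minimum}' in route definition"),
        };

        $user = $request->user();
        // 403 rather than a redirect to login: the user is authenticated,
        // just not allowed here.
        abort_if($user === null || ! $user->role->atLeast($required), 403);

        return $next($request);
    }
}

// ---- app/Http/Kernel.php (excerpt) ----
// protected $middlewareAliases = [   // $routeMiddleware on Laravel 9
//     'role' => \App\Http\Middleware\EnsureRole::class,
// ];

// ---- routes/web.php ----
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth', 'role:moderator'])->group(function () {
    Route::get('/moderation', fn () => view('moderation.index'));
});

Route::middleware(['auth', 'role:admin'])->group(function () {
    Route::get('/admin', fn () => view('admin.index'));
});

// Direct check in a controller or Blade view, the typed equivalent of
// Auth::user()->role == 2:
Route::get('/whoami', fn () => [
    'is_admin' => Auth::user()?->role === \App\Enums\Role::Admin,
]);
```

Because the column is cast to the enum, an unexpected value in the database (say a 7 written by a buggy import) raises an error on load instead of silently passing a `>= 2` check, which is the main reason to prefer the enum over comparing raw integers.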