I am building an app and will need multi auth to work well. First, users that will log in as employees using table users with email and password. I'm using Voyager as backend and using roles and permissions. So far, so good. Now I have another kind of user: they are registered on an ERP and I reach them via WS using CPF (like the social security number) and password stored in ERP. Then I get them and record in a table all the data I need. It is working well too. Well, was working. For those users, I used the API route, just not to make a mess on my web routes file. Yesterday I ran php artisan make:auth and that's when things started to get crazy.
Every axios call now returns me an 'unauthorized' message because, obviously, they're not authenticated.
What would be better?
Refactor the Users login to use CPF instead of email and give a new role for those other API guys and make them pass through the web.php file like everybody?
Use a multiauth package?
Or anything else?
Please, help!
To me, a user is a user. It seems to be a common thing that if an application has more than one “type” of user, that developers instantly start creating multiple Eloquent models, then guards, then controllers, then views, and so on; and then find themselves in a mess when they need a route that can be accessed by more than one type of user.
Instead, elevate “type” to its own model and add it as a relation to your User model. If a user can only be of one type, then make it a one-to-many relation. If a user can have many roles, then make it a belongs-to-many relation. You then use authorization to determine whether a user can access a route based on the role(s) they have.
Related
What I want to create is a Laravel 5.2 Admin and there are around 200 users who will use it with different permissions, so you can say 200 roles with different permissions.
I was planning to eliminate the role part from the picture and create some slug based mechanism, slugs will be related to controller public functions in short routes.
In the Admin panel, the superuser will be able to assign permissions to users on controller functions with slugs.
Is this possible with any existing Laravel package currently? If not, then what is the optimal solution you guys propose?
I always use Spatie Package, it is very flexible. You can manage role & permissions or only permissions. It is full of functions that make it easy. Check the documentation.
spatie-laravel-permission
Actually I am a beginner in Laravel. By the way, I am using auth and there is a wonderful method, I mean "check" of the Auth facade, that enables you to protect all routes or controllers in the way you want. But before this I should say which users can use this route or controller and which users can't.
I searched for it but I didn't find it.
Actually I am missing a part of this authentication mechanism in Laravel. Please help me with this.
Laravel has a feature called Middlewares where you can check for the user role based on your role_id.
Please see the below link for more clear reference.
https://laravel.com/docs/5.8/middleware
Happy Coding. :)
You need to use middleware for this kind of functionality. Read about middleware in the Laravel documentation here
Moreover you can use this package to create role for users if you don't want to create roles from scratch. Just add user to a role and use the role name as the middleware.
Have you gone through the ACL stuff in Laravel?
Well it will work as per permission which is given by user as per its role.
For example, Admin has all roles so he can access anything. Employee has few rights to access modules, so that will be defined as per need in Laravel, and users that do not have access to some module will get some error designed by the developer.
So this is all handled through middleware, and generally that is defined by ACL.
Anything else you want to know?
I plan to develop a system that has three user types (admin, business, personal). I want to have each user type's information stored in a separate table for easy access and to reduce the number of blank fields (if they were all in one table).
Having looked at multiple Multi-auth packages available for Laravel, they all appear to be insisting on an approach with URLs like the following:
/admin/login
/business/login
/personal/login
Ideally, I would like to take an approach where the standard Laravel Auth /login can be used meaning that all users log in from the same page.
My knowledge of Laravel is limited so all and any help is appreciated.
The usual approach is to have one users table which has the ID/email/username (as primary key), login credentials and user types for all the users which will be logging into the system. The information however can be stored in separate tables for each type, referencing the foreign key.
After authenticating the user, then you can decide what to do with the user based on the user type.
If you store login credentials in multiple tables, that's data redundancy. Unless you want the same email/username to have more than one user type, but then during login, the user has to decide which user type they want to log into (maybe by selecting a dropdown option).
Update: about user roles
If you need to simply redirect users after logging in, use $redirectTo. Or if you need to decide what to do with the users depending on the roles after logging, you can make use of authenticated() method (add this method if it's not already there, it will overwrite the AuthenticatesUsers trait) inside your AuthController/LoginController.
Throughout your application, I'd suggest assigning middleware to route groups to restrict routes based on user roles. And yes, in your views and controllers you can use something like if(Auth::user()->hasRole('business')) when needed, but first you'll need to create the hasRole() method in your User model. If you feel it's getting complicated, you may try packages like laravel-permission and Entrust. I haven't tried them though :)
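An added example (not part of any post above, and not code from Laravel or the packages mentioned) of the role-as-relation model from the first answer combined with the hasRole() method and route-group middleware suggested in the answer just above. It assumes a roles table with a name column and a role_user pivot table; Role, hasRole(), CheckRole and the sample route are hypothetical names. Bracketed namespaces are used only so the three pieces fit in one listing; in a project each goes in its own file.

```php
<?php
// Added example, not from the thread. Assumed schema: roles(id, name) and
// pivot role_user(user_id, role_id). Role, hasRole(), CheckRole are assumed names.
namespace App {
    use Illuminate\Database\Eloquent\Model;
    use Illuminate\Foundation\Auth\User as Authenticatable;

    class Role extends Model {}

    class User extends Authenticatable
    {
        // A user can hold several roles (belongs-to-many via role_user).
        public function roles()
        {
            return $this->belongsToMany(Role::class);
        }

        // True when the user holds at least one of the named roles.
        public function hasRole(...$names)
        {
            return $this->roles()->whereIn('name', $names)->exists();
        }
    }
}

namespace App\Http\Middleware {
    use Closure;

    class CheckRole
    {
        // Route usage: middleware('role:admin,business')
        public function handle($request, Closure $next, ...$roles)
        {
            $user = $request->user();
            // Deny by default: no authenticated user or no matching role gives 403.
            if (! $user || ! $user->hasRole(...$roles)) {
                abort(403);
            }
            return $next($request);
        }
    }
}

namespace {
    // routes/web.php, after adding 'role' => \App\Http\Middleware\CheckRole::class
    // to $routeMiddleware in app/Http/Kernel.php.
    Route::middleware(['auth', 'role:admin'])->group(function () {
        Route::get('/admin/reports', 'ReportController@index'); // hypothetical route
    });
}
```

Because the check runs in middleware on the server, every user type can share the single /login page and the same guard, and any hasRole() checks in views only hide links rather than enforce access.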
I have set up an API in Laravel using Passport for authentication and spatie/laravel-permission to add permission functionality. I also have a calling application, again written in Laravel. I can authenticate from the calling app to the API, but how do I ensure that the calling app knows the permissions available? What should the user/roles/permissions tables look like at the API and in the calling app?
Essentially I would like to use code like: $user->can('do something') in both applications.
My understanding of the Spatie package is that it allows you to make such code calls as $user->can('do something'), and reading the GitHub page it looks like it creates tables default named "role" and "permission" when you run the Migration after installing the package. In other words it's a matter of configuring the models and database connections in both of your apps correctly, specifically the User Model and the Permission table for both apps.
To clarify, I think you are asking these questions:
1. how can a second app know what permissions are available,
2. how would you be able to use something like "$user->can('do something')" in BOTH applications, touching the exact same data.
Answers:
1. If the "permission" and "role" tables already exist, then if your API doesn't have some endpoint to ask for the roles or permissions already available, you'd define a new one. For instance, some API call that asks the Permission table "getPermissions" or something and that your second application can call -- it either has to ask the database itself (via the API), or it has to get that from the second application. Which depends on how your two applications interact with each other.
2. You would have to make sure to configure the second application so that the "User" model refers to the same table as the table the first application uses for the User model. Essentially, the model is being used as an interface to the table, so if both applications have a defined User model that references the same table and both are configured to connect to the same database that table is in, Laravel's user model will "just know" the data in question (this is the basis of Laravel's Eloquent for Models).
Additionally, for what it's worth, I haven't used the spatie/laravel-permission package, but in relation to question #1 I did find a function in the docs that might also be used to grab currently made permissions in list form from a "permission table":
Permission Model, getPermissions
And for reference, about Laravel's Eloquent and Models (which may be something you already know, but I'll leave this link anyway):
Laravel Eloquent ORM
since Laravel's built-in authentication uses the user model? For example I want to separate the admin from the user so I will build two different layers in my application, the admin and the user. How can I achieve this in Laravel since its default auth uses the users table and user model?
In my opinion, there's no real need to separate the two. Administrators and typical users can exist on the same database table, because they are both users but can have different permissions.
It seems like you're just looking for a typical permissions system (ACL). There are multiple packages available that can help you handle this.
Orchestra Auth
Sentinel
Entrust
Normally, as an admin is still a user, you give them a role column and let's say you have: users, moderators and admins. Then you've got role 0, 1, 2 for them. Just make it an enum and if you need to check in Laravel use: Auth::user()->role == 2 for example of admin rights :)