I'm trying to build an internal admin system to get to grips with creating a Laravel app from scratch. Currently everything is public so I'm looking at implementing a very simple login system.
There will be no DB connection needed as we want a single user. We'll store the relevant username and password in the .env file most likely.
I feel like I've looked everywhere and haven't been able to find any tutorials covering this requirement! From everything I've read it seems I have to use a 'custom authentication driver' or possibly build my own user provider class but I have no idea how to go about this task.
The idea is that if the app is expanded in future we'd like to be able to just go back to using Laravel's built-in DB auth functionality. For this reason it would be nice to retain all the common methods relating to checking the current user, using auth middleware on my routes, managing login tokens etc.
Thanks in advance for any help offered.
I am new to Laravel and creating a REST API. The client of the API will be a mobile app only. There is no front-end view to be shown in a browser. I have created the routes and the controllers to handle API requests. Furthermore I deleted the Users table (created by Laravel) because I do not need a web interface etc.
I just want simple token-based authentication at this stage (I am aware there is Passport authentication) but I cannot even understand that at this stage.
There is only one table in the project.
Candidates
(id (PK), name, phone, details)
Mobile app users are candidates also. Should I create a token column in this table, and manually create the token at the time of the register API call and return it back as the response?
Please, any simple guide or directions will help. I have searched quite a bit online and there seem to be quite a lot of topics that show up, such as guards, providers and Passport, which I am struggling to get.
Thanks,
Elliot.
First of all, you didn't need to delete the users table. You can use it for API auth too. You just need to create a separate token table.
However, if you want to implement it manually you need to do a lot of things manually.
This is a huge thing to implement manually and it's not possible to describe it in a single answer. I will try my best to explain it as simply as I can.
You have to create an authentication system yourself, that is for login. Define a middleware to check the authorization of the token sent from the client to check the validity of every request (this is the guard part).
Also keep track of the token expiry time. Refreshing the token after each expiry needs to be done too (this is the provider part).
Now there are a lot of things inside, like keeping track of the device the request is coming from, providing different tokens for different devices for a single user etc.
If you are into learning how everything works then you can try to build one yourself. But if you plan on deploying it to a professional website, I would suggest trying to get accustomed with Passport. Reinventing the wheel is really not necessary. I hope it gives you a basic idea. If you have any more questions feel free to comment.
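The "guard part" described in the answer above, as an added example that is not from the answer itself: a Laravel middleware that validates a bearer token and enforces expiry, plus the matching issuing helper. It assumes a hypothetical `api_tokens` table (columns `candidate_id`, `token_hash`, `expires_at`) and stores only a SHA-256 hash of each token.

```php
<?php
// Added example (not code from the original answer). Assumes an `api_tokens`
// table with columns candidate_id, token_hash, expires_at.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Carbon\Carbon;

class AuthenticateCandidateToken
{
    public function handle(Request $request, Closure $next)
    {
        $token = $request->bearerToken();          // from "Authorization: Bearer <token>"
        if ($token === null) {
            return response()->json(['error' => 'missing token'], 401);
        }

        // Only the SHA-256 hash is stored, so a leaked table does not
        // hand out usable credentials; the lookup is by hash.
        $row = DB::table('api_tokens')
            ->where('token_hash', hash('sha256', $token))
            ->first();

        if ($row === null || Carbon::parse($row->expires_at)->isPast()) {
            // Same response for unknown and expired tokens: do not leak which it was.
            return response()->json(['error' => 'invalid or expired token'], 401);
        }

        // Make the authenticated candidate available to the controller.
        $request->attributes->set('candidate_id', $row->candidate_id);
        return $next($request);
    }
}

// Hypothetical helper for the register endpoint: returns the plaintext token
// exactly once; the server keeps only its hash and an expiry.
function issueCandidateToken(int $candidateId): string
{
    $plain = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    DB::table('api_tokens')->insert([
        'candidate_id' => $candidateId,
        'token_hash'   => hash('sha256', $plain),
        'expires_at'   => Carbon::now()->addDays(30),
    ]);
    return $plain;
}
```

Register the middleware in `app/Http/Kernel.php` (for example under a `token` alias) and apply it to the API routes; the client sends the token in the `Authorization: Bearer` header on every request.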
Okay so I know there are a ton of tutorials out there talking about changing the authentication to your liking, but I couldn't find one for my specific case. So here it goes:
In one of my projects I've been using the standard authentication system that comes with Laravel. I have a user model, and each user has an email and a password. They also have roles and permissions and everything works as expected.
I also have a client model. There are projects and each project belongs to a client. Now there is a new requirement for the app, where clients should be able to login and see all of their projects.
Clients should login with a username (not email) and a password.
My question is: What steps are necessary to completely get this going. All I can find online are some pieces of the puzzle, but unfortunately I'm not able to put this together on my own. I know it involves creating a user provider, but that is only part of it. How do I hook up routes/controllers for this, how do I use the custom user provider, how can I use the Auth facade in addition to the standard "user" authentication (I will need to use both side by side)?
If someone knows of a comprehensive tutorial I will be happy to read that and apologize for this question ;-) Otherwise I will be very thankful for a little checklist of all the things I have to consider.
PS: There a many reasons why I can't just use my user model with a special role or something like that. I need to use the client model for authentication.
I found this tutorial which contains the gist of what you're looking for. The basics come down to something along these lines:
Create a new Authenticatable model
Adjust auth.php with new guards and providers
Adjust routing to take both models into account
I'm not sure how the Auth facade plays its role in this, but it might require some additional configuration.
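The three steps above carried through, as an added example that is not code from the linked tutorial or the answer: a second session guard for the Client model, a username-based login action, and routes guarded by `auth:client` alongside the existing `auth` routes. It assumes a `Client` model with `username` and bcrypt `password` columns and a `projects` relation.

```php
<?php
// Added example (not from the linked tutorial). Assumes App\Client extends
// Illuminate\Foundation\Auth\User and has username, password and projects().
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// 1. The relevant entries for config/auth.php: a second session guard backed
//    by its own Eloquent provider, so Auth::guard('client') never reads users.
$authConfig = [
    'defaults'  => ['guard' => 'web', 'passwords' => 'users'],
    'guards'    => [
        'web'    => ['driver' => 'session', 'provider' => 'users'],
        'client' => ['driver' => 'session', 'provider' => 'clients'],
    ],
    'providers' => [
        'users'   => ['driver' => 'eloquent', 'model' => App\User::class],
        'clients' => ['driver' => 'eloquent', 'model' => App\Client::class],
    ],
];

// 2. app/Client.php must be Authenticatable (extend Illuminate\Foundation\Auth\User);
//    the Eloquent provider then reads the stored hash via getAuthPassword().

// 3. Client login: the credential key is the column name, so 'username'
//    replaces 'email'; attempt() performs the bcrypt check itself.
class ClientLoginController
{
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'username' => 'required|string',
            'password' => 'required|string',
        ]);
        if (Auth::guard('client')->attempt($credentials)) {
            $request->session()->regenerate();        // defeat session fixation
            return redirect()->intended('/client/projects');
        }
        // One generic message: do not reveal whether the username exists.
        return back()->withErrors(['username' => 'Invalid credentials']);
    }
}

// 4. Routes: auth:client admits only sessions of the client guard, while the
//    plain auth middleware keeps protecting the existing User routes.
Route::middleware('auth:client')->prefix('client')->group(function () {
    Route::get('/projects', function () {
        return Auth::guard('client')->user()->projects;   // Auth::user() is still the web User
    });
});
```

Inside client routes, `Auth::guard('client')->user()` returns the Client while `Auth::user()` still refers to the default web guard, which is how the two systems coexist.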
I am developing a web system in PHP using the Laravel framework. I have arrived at the part of authentication of users, where user type X is not allowed access to page Y. What is the best way to do this with Laravel? I thought about creating a session and saving the id of the user, so every time he accesses a certain controller I check if he has access to the id or not. So I had some doubts:
Is this a good way to perform this authentication?
Is this really safe?
is there any way for the client to change my session?
What would be a better method for authenticating user access?
Laravel provides a very good authentication system out of the box. Even though hacking is inevitable, it provides very good protection, and since Laravel is a pretty popular framework you don't have to worry about the security part. If there is any security bug, patches will be available almost immediately.
And your second concern, can a client change the session? The answer is NO, if you code it properly. The session resides on the server, unlike cookies, so there is no direct way for a user to change the session. If you follow good coding practices you are good to go.
And how do you limit userA from accessing pageB? This is a pretty common feature needed in almost all applications. As of now Laravel does not provide an out-of-the-box solution for this, but it is pretty simple: you can add a role column to the users table, and check whether the user has the appropriate permission in each page. Laravel keeps the user object in the session, and it is available via the auth() helper or the Auth facade. If you want a slightly more sophisticated solution there is a package out there, entrust. It seems a good choice.
You may want to read about
Authorization
CSRF Protection
Authentication
I hope I have addressed all your concerns
Laravel provides a simple way to authorize actions that's purpose-built for what you need:
https://laravel.com/docs/5.5/authorization
I implemented the CodeIgniter Ion_Auth library for user registration etc. I noticed it does not have a built-in user manager such as editing user accounts. Does a user manager such as editing user accounts exist? I can always code one, but I'd rather not reinvent the wheel.
I use Ion Auth too; it is pretty well coded and I like writing code with it.
I also needed user editing, but I found it quite easy, because I needed only one simple form, and the library has update_user(), to which you need only pass an array with your new data.
Download a CMS, because it looks to me you have little or no experience with CodeIgniter or PHP for that matter. I don't mean that in a rude way by any means, but if you can't perform simple CRUD operations, install a pre-built system as it will save you lots of headaches.
I've just started using CI and am also using Ion Auth for authentication. I'm handling user signup/authentication exclusively with ion auth and extending public profiles using Grocery CRUD. All public info can be viewed globally, but only edited by the user that owns it (as defined by linking the ion auth user table to the extended profile table). I don't know if this is the best way to do it, but it is what I'm doing so far.
I was wondering if anyone can shed some light on setting up basic user authentication. I've installed the admin app into my project and it works great. But I need a basic user role that can have its own registration page etc.
I need to see something like
domain.com/users/user.slug
would take them to their profile page
I'm also going to have nested resources, so a user can have a project associated to them.
domain.com/users/user.slug/projects/project.slug
or
domain.com/users/user.slug/project.slug
The admin piece worked great, but I have no idea how to set up registration etc. for a user model.
I've used Devise in the past with Rails and I'm wondering if anything like it currently exists? I've seen some discussion around Warden. Is there a de facto solution that people are using, or am I able to implement the admin app to handle this? Right now /accounts is protected and can only be accessed by the admin role, so I can't have users go to accounts/new.
Thanks
For now I basically just copied the admin app into my own Users app while using my own User model.
The user model is basically a direct port of the account model, as is the session controller etc. I just switched the model names around.
I'm still not sure if this is the best approach or if I'm able to leverage the admin app to handle this also?
This solution is working, though again, I'm not sure if it's the optimal approach.