User Authentication and Authorization

Get Started. It's Free
or sign up with your email address
Rocket clouds
User Authentication and Authorization by Mind Map: User Authentication and Authorization

1. User Model and Migration

1.1. Laravel shipped with default Authentication Model : App/User

1.2. run `php artisan make:auth` to create authentication class

1.3. Using auth() Global helper and the Auth Facade

1.3.1. auth()->guest(): check if user is guest

1.3.2. auth()->check(): return true if user is loggedin

1.3.3. auth()->user(), or auth()->id() : to get the user instance or id of currently logged in user

2. The Auth Controllers

2.1. Auth-namespaced controllers:

2.1.1. RegisterController

2.1.2. LoginController

2.1.3. ResetPasswordController

2.1.4. ForgotPasswordController

2.2. RegisterController

2.2.1. `$redirectTo` defines where user will be redirected after register

2.2.2. method `validator()` defines how to validate registrations

2.2.3. RegisterUsers trait showRegistrationForm: display a view for user to input information `register`: register user to database `auth`: to use the guard

2.3. LoginController

2.3.1. AuthenticatesUsers trait responsible for: . show users the login forms . validating the login . throttling failed logins . handling logout . redirecting users after successful logins

2.3.2. ThrottleLogins trait interface of Illuminate\Cache\RateLimiter ThrottleLogins limit any given combination of User name and IP address to 5 attempts per secs

2.4. ResetPasswordController

2.4.1. showResetForm: show the `auth.passwords.reset` view

2.4.2. resetPassword: actually reset the password

2.5. ForgotPasswordController

2.5.1. SendsPasswordResetEmails trait

2.5.2. can customize the broker methods

2.6. Auth::routes()

2.6.1. Auth::routes add these routes for authentication, registration, and password resets

2.7. Auth Scaffold

2.7.1. adding migrations for user

2.7.2. adding `Auth::routes()` to routes file

2.7.3. adding a view for each route from `Auth::routes()`

2.7.4. creates a HomeController to serve as landing page for logged in user

2.8. RememberMe

2.8.1. laravel shipped the remember_me to remember user via cookie

2.8.2. when a user accessed, it will check whether the `remember_me` token exists then will automatically log this user in

2.8.3. cookie expired is about 5 years (forever cookie)

3. Guards

3.1. authentication will go through Guards

3.2. including: . drivers: define how it persist (session vs token) . provider: allow getting a user by certain criteria (get User from MongoDB instead of MySQL

3.3. Changing default Guard

3.3.1. defined in : app/auth.php

3.3.2. default: guards for web using sessions/users

3.3.3. $apiUser = auth()->guard('api')->user() we can use another guard for this call

3.4. Adding a new guard

3.4.1. define in auth.guards. we already defined . auth.guards.web . auth.guards.api

3.4.2. We can define new User Provider

3.4.3. auth route middleware can take additional parameters for guard name Route::group(['middleware' => 'auth:trainees'], function(){ //trainee routes goes here });

3.4.4. We must create a new class implements Illuminate\Contracts\Auth\UserProvider interface for NoSQL DB

4. Access Control List (ACL)

4.1. Definition: can, cannot, allows, denies is the verbs to check whether user has enough right to perform specify actions

4.2. Perform via GATE

4.3. Defining Authorization Rules

4.3.1. AuthServiceProvider::boot

4.3.2. Illuminate\Contracts\Auth\Access\Gate is injected automatically

4.3.3. sample: $gate::define('update-contact', function($user, $contact){ return $user->id === $contact->id });

4.3.4. can define by [email protected] instead of closure

4.4. Gate facade

4.4.1. we can pass new parameters (exclude $user) by Gate::allows('update-contact', [$contact]){ })

4.4.2. passing multiple params by passing arrays

4.4.3. Authorize entire routes by Route::get('people/create', function(){ })->middleware('can:create-person)

5. Auth Middleware

5.1. define in App\Http\Kernel

5.2. authentication related middleware are . auth: restrict route access to authenticated users. . auth.basic: HTTP basic authentication to authenticated users . guest: restrict access to unauthenticated users (for example we don't want logged in user to access login page again)

6. Auth Events

6.1. events are broadcast to system

6.2. Illuminate\Auth\Events\Attempting

6.3. Illuminate\Auth\Events\Login

6.4. Illuminate\Auth\Events\Logout

6.5. Illuminate\Auth\Events\Lockout

7. Controller Authorization

7.1. import AuthorizeRequestTraits

7.2. 3 methods for authorization . authorize() . authorizeForUser() . authorizeResource()

7.2.1. authorize({ability-name}, {array-of-parameters') : validate if logged-in user has the right to edit this resources

7.2.2. authorizeForUser({user}, {ability-name}, {array-of-parameter')

7.2.3. authorizeResource: call in controller constructor to maps a predefined set of authorization rules

7.3. We can checking on User instance $user->can('create-contact')

8. Other Checks

8.1. Blade Check

8.1.1. blade have directives to check authorization

8.1.2. @can, @cannot, @endcan can do these authorization check

8.2. Intercepting Check

8.2.1. using before to override the authorization

8.2.2. $gate->before(function($user, $ability){ if ($user->isAdmin()){ return true } );

8.3. Policies

8.3.1. organizing structures to help grouping authorization logic based on resource you're controlling

8.3.2. make it easy to manage defining authorization rules for behavior toward a particular Eloquent model

8.3.3. defined in: $policies parameter in AuthService Provider

8.3.4. protected $policies = [ Contact::class => ContactPolicy::class ];

8.3.5. Gate will determine the first parameter to figure out which methods to check on the policy

8.4. Overriding Policies

8.4.1. before: just like normal ability definitions, define before methods allow us to override any call before it's even processed

8.4.2. public function before($user, $ability){ if $user->isAdmin() { return true; } };

9. Testing

9.1. Using $this->be($user) for testing