2_6_Authentication and authorization
VMS authenticates a user by username and password via a request to the /auth endpoint, which invokes login() in App\Http\Controllers\Api\V1_0\VolunteerAuthController. If the username and password are correct, VMS responds with a token. The token is a JSON Web Token (JWT) used for authentication and identification. When a client sends a request to a protected endpoint, the request MUST carry a valid token in an HTTP header, and the api.auth middleware checks that token.
In app/Services/JwtService.php, the getToken() method of the JwtService class returns a JWT token for a given username and password.
In the same file, if the token is valid, the getVolunteer() and getUser() methods of JwtService return the Volunteer model. Otherwise, they throw AuthenticatedUserNotFoundException or JWTTokenNotFoundException.
Authorization is implemented with Laravel policies and Gate. Policies contain the authorization logic that controls which actions a user may perform on a resource. You can find the details in the Laravel Authorization - Policies section.
Take app/Policies/VolunteerEducationPolicy as an example of authorization logic. It has two methods, update() and delete(), which control whether a user may update or delete an Education model. Each Education model contains a volunteer_id, meaning the Education belongs to a volunteer, so the policy checks that the id of the Volunteer model equals the volunteer_id of the Education model.
```php
<?php
namespace App\Policies;

use App\Volunteer;
use App\Education;

class VolunteerEducationPolicy
{
    public function update(Volunteer $volunteer, Education $education)
    {
        // Make sure the update action can only be executed by the owner
        return $volunteer->id === $education->volunteer_id;
    }

    public function delete(Volunteer $volunteer, Education $education)
    {
        // Make sure the delete action can only be executed by the owner
        return $volunteer->id === $education->volunteer_id;
    }
}
```
Gate has check(), allows() and denies() methods for checking whether the user has the ability to access a certain resource. For example, in app/Http/Controllers/Api/V1_0/VolunteerEducationController.php, the update() method in VolunteerEducationController updates an Education model by the education's id. Since each Education model MUST only be updated by the user who owns it, the method uses Gate::denies() to check whether the user is allowed to update the Education model. The Gate receives the update action with the Education model, calls App\Policies\VolunteerEducationPolicy::update() and passes the authenticated Volunteer model automatically.
```php
<?php
namespace App\Http\Controllers\Api\V1_0;

use App\Education;
use Illuminate\Support\Facades\Gate;
// UpdateEducationRequest and AccessDeniedException are the project's own
// classes; import them from their namespaces in VMS.

class VolunteerEducationController extends BaseAuthController
{
    public function update(UpdateEducationRequest $request)
    {
        $education = Education::findOrFail($request->input('id'));

        // Check App\Policies\VolunteerEducationPolicy::update()
        if (Gate::denies('update', $education)) {
            // Forbidden to update
            throw new AccessDeniedException();
        }

        $education->update($request->except('id'));

        return response()->json(null, 204);
    }
}
```
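The ownership check in the policy above is what stops one volunteer from editing another volunteer's Education record through the id in the request body, so it is worth pinning down with a test. The following PHPUnit test is an added example and not part of VMS; it sets model ids directly so it needs no database, and it assumes App\Volunteer and App\Education are plain Eloquent models whose id and volunteer_id attributes can be set by property assignment.

```php
<?php
// Added example (not VMS code): unit test for VolunteerEducationPolicy.
// Assumption: App\Volunteer and App\Education are Eloquent models and their
// id / volunteer_id attributes can be assigned directly without a database.
namespace Tests\Unit;

use App\Education;
use App\Policies\VolunteerEducationPolicy;
use App\Volunteer;
use PHPUnit\Framework\TestCase;

class VolunteerEducationPolicyTest extends TestCase
{
    private function volunteer(int $id): Volunteer
    {
        $volunteer = new Volunteer();
        $volunteer->id = $id;
        return $volunteer;
    }

    private function education(int $ownerId): Education
    {
        $education = new Education();
        $education->volunteer_id = $ownerId;
        return $education;
    }

    public function testOwnerMayUpdateAndDelete(): void
    {
        $policy = new VolunteerEducationPolicy();
        $education = $this->education(7);

        $this->assertTrue($policy->update($this->volunteer(7), $education));
        $this->assertTrue($policy->delete($this->volunteer(7), $education));
    }

    public function testOtherVolunteerIsDenied(): void
    {
        // The education id comes from the request body, so the policy must
        // deny any volunteer who does not own the Education row.
        $policy = new VolunteerEducationPolicy();
        $education = $this->education(7);

        $this->assertFalse($policy->update($this->volunteer(8), $education));
        $this->assertFalse($policy->delete($this->volunteer(8), $education));
    }
}
```

Because the policy compares with ===, a mismatch in attribute types (for example, a database driver returning volunteer_id as a string) would make the check fail closed for everyone; the owner test above would catch that regression.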