9.1 Authentication
Authentication is key to any transactional web application. This framework provides a quick and easy way to add basic authentication to your application by shipping the necessary models, views and controllers ready to use.
In this video, we will learn how to create a database model, how to link it to Caligrafy and how to perform CRUD operations using Controllers.
In this video, you will learn how you can authenticate users using the authentication module that is prepackaged with Caligrafy.
In order to use authentication, the Database needs to be activated.
In order to activate authentication, the following line should be uncommented in /application/config/routing/web.php:

// AUTHENTICATION - Remove comment if you have an authentication implemented
Auth::authentication('User', 'users');
This framework comes with a prepackaged set of routes that help illustrate how logging in, registration and logging out work. In order to activate these routes, the following lines should be uncommented in /application/config/routing/web.php:

// Auth Routes - Uncomment only if AUTHENTICATION activated above
Route::get('/home', 'AuthController@home');
Route::get('/login', 'AuthController');
Route::get('/logout', 'AuthController@logout');
Route::get('/notAuthorized', 'AuthController@notAuthorized');
Route::get('/register', 'AuthController@registerForm');
Route::post('/login', 'AuthController@login');
Route::post('/register', 'AuthController@register');
This framework also comes with prepackaged user interfaces to manage users. In order to activate the user management routes, the following lines should be uncommented in /application/config/routing/web.php:

// User Administration Routes - Uncomment only if AUTHENTICATION activated above
Route::get('/admin', 'AdminController');
Route::get('/users', 'AdminController');
Route::get('/users/{id}/edit', 'AdminController@editUserForm');
Route::put('/users/{id}/edit', 'AdminController@updateUser');
Route::delete('/users/{id}/edit', 'AdminController@deleteUser');
As part of this framework, a MySql script is provided to create the basic users table that the authentication mechanism relies on. This script can be found in application/models/Auth/create_db.sql.
This script can be run either from the Terminal or from a DB manager application such as phpMyAdmin.
Run from the Terminal

~: cd /application/models/Auth/
~: mysql -u <username> -p <databasename> < create_db.sql
Run from phpMyAdmin

- Click on the database name that you created
- Click Import from the action menu
- Browse to application/Models/Auth
- Select the file create_db.sql
- Click on Go
The framework has a User Model already created for use that can be found in /application/Models/Auth/User.php.
This model is a representation of the database table that was previously created.
Both the table and the model have the basic attributes id, username, passcode, permissions, created_at and modified_at.
Before making any changes to either the table or the model, we recommend that you understand how the authentication mechanism works and how the out-of-the-box controllers and views are implemented.
The authentication controller is the controller that allows interfacing with the User model, the users table and the different authentication views (explained in the next section).
This controller can be found in /application/Controllers/Auth/AuthController.php.
This controller is shipped with 4 methods that can be accessed from the routes:

- index(): This method is called from a GET route and it returns the index view, which has 2 states, authorized and not authorized.
- register(): This method is called from a POST route to create a new record in the users table.
- login(): This method is called from a POST route to validate the credentials entered against a record in the users table.
- logout(): This method is called from a GET route and calls the logout core helper method, which unauthorizes the user and redirects to a specified URL after logging out.
It is also shipped with 3 administration methods that can be accessed from the routes. The following administration methods are controlled by the guard method. Out-of-the-box, the accepted permission level is set to 0, thus allowing any registered user to manage user records. You should change the guard permissions appropriately to control access to the admin methods below.

- index(): This method is called from a GET route and it returns the users view, which lists all the users registered in the system.
- editUserForm(): This method is called from a GET route and it returns the manageusers view as an editing form that allows modifying the user information.
- updateUser(): This method is called from a PUT route to update the user record.
- deleteUser(): This method is called from a DELETE route to delete a user record.
This framework comes with several views out-of-the-box to perform the basic authentication interactions.

- /application/Views/default/index.pug: This view acts as a welcome page that has 2 states, authorized and unauthorized, to help illustrate how authentication works.
- /application/Views/Auth/login.pug: This view has a basic login form with basic field validations.
- /application/Views/Auth/register.pug: This view has a basic registration form with basic field validations.

The following views are user management views:

- /application/Views/Auth/users.pug: This view displays all the registered users in a tabular format.
- /application/Views/Auth/manageusers.pug: This view has an editing form to modify the user record.
Once a user is authenticated, this framework provides a set of core helper methods that can be used in the context of a Controller to restrict or grant access to the different controller actions.

- Check if logged in: In order to check whether a user is authorized (logged in)

function authorized(); // returns a boolean of whether or not a user is logged in
function user(); // returns the information of the logged in user, otherwise it returns null

- Log in or log out: In order to authorize (log in) or unauthorize (log out) a user

function authorize($user); // use this method in your login mechanism to authorize the user
function unauthorize(); // use this method in your logout mechanism to unauthorize all users
function logout($redirectUrl = '/'); // logs out an authenticated user and redirects to the specified url

- Permissions: In order to check for permissions, this framework provides a way to put a guard on a controller action. The guard not only checks if the user is authenticated (logged in) but it also checks their permission level and restricts their access to the action if their permission is lower than the accepted permission level required to run the action.

function guard($permissionAttribute, $acceptedPermission, $loginUrl = '/'); // checks if the user is permitted to use the controller action, otherwise redirects to the specified url

The $permissionAttribute is the name of the attribute in the users database table that holds the permissions. In the out-of-the-box table, this attribute is named permissions. If that attribute is renamed in the table, the guard function's first parameter is how you tell it the new name.
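The following controller is an added example (not code from the Caligrafy page or project) tying together the guard permission note in the administration section above and the core helpers listed here. It assumes, since the page does not show them, a controller class placed in /application/Controllers/, the class name ReportController, a base class named Controller, a view() helper that renders a named view, and the value 1 as an administrator tier; only guard(), authorized(), user() and logout() are the documented core helpers.

```php
<?php
// Added example, not part of the Caligrafy page or project code.
// Assumed (not on the page): the ReportController name, the Controller
// base class, the view() helper and the view names passed to it, and
// the permission value 1 used for the administrator tier.

class ReportController extends Controller
{
    // Minimum value of the `permissions` column needed for admin actions.
    // The out-of-the-box guard accepts 0, which admits every registered
    // user, so a dedicated admin tier is set here. 1 is an assumed value.
    const ADMIN_LEVEL = 1;

    // Public action: anyone may load it, but the logged-in user sees a
    // personalised view while anonymous visitors see the public one.
    public function index()
    {
        if (authorized()) {
            // user() returns the logged-in user's record (null when nobody is logged in)
            return view('reports/index', ['user' => user()]);
        }
        return view('reports/public');
    }

    // Admin-only action. guard() checks that a user is logged in and that
    // the attribute named in the first argument (`permissions`, the
    // out-of-the-box column) is not lower than ADMIN_LEVEL; anyone who
    // fails either check is redirected to /login instead.
    public function manage()
    {
        guard('permissions', self::ADMIN_LEVEL, '/login');
        return view('reports/manage', ['user' => user()]);
    }

    // Ends the session with the core helper and sends the user to the
    // public front page.
    public function logout()
    {
        logout('/');
    }
}
```

Register the two actions in /application/config/routing/web.php the same way the prepackaged routes are registered (for example Route::get('/reports', 'ReportController') and Route::get('/reports/manage', 'ReportController@manage')), and keep guard() as the first statement of every action it protects so that no query or view runs before the permission check.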