how to implement custom authentication in laravel
Hi guys,
We’ll look into how to implement custom authentication in laravel. This is the topic of this article. Laravel has an authentication function built-in. If you wish to alter the authentication procedure in your application, this article will show you how.
Laravel has a built-in authentication feature, and it makes it simple to use. You can change the authentication configuration from the config/auth.php file. Laravel authentication uses guards and providers.
Database Considerations:
Laravel uses Eloquent driver inside App\User model in the app directory. You may use a database driver which uses laravel query builder. Before implementing the custom authentication process in laravel. we look at a built-in feature.
Authentication:-
Routing:
For authentication purposes, you can use the laravel/ui package. It will scaffold all views and routes with simple commands.
composer require laravel/ui:^2.4 php artisan ui vue --authIt will generate several pre-built authentication controllers located inside the App\Http\Controller\auth directory. You want to disable registration from your application. You can disable it by removing RegisterController and modify authentication routes.
Auth::routes(['register' => false]);Views:
After executing, the command php artisan ui vue -auth command will create all necessary views inside the resources/views/auth directory. It makes a master layout for your application inside the layouts directory.
Authenticating:-
After executing the above command, you are ready to register and authenticate a new user for your application. When a user is successfully login into your application, we should redirect it to /home URI. You can also change the redirect path using the HOME constant inside RouteServiceProvider.
If you want to customize the response returned when a user authenticates. Laravel provides an authenticated() method from the AuthenicatesUsers trait.
By default, laravel uses the email field for an authentication process. you may define a username method inside your LoginController Controller.
public function username()
{
return 'username';
}You can also customize the guard when it authenticates and register users and also defines the guard method on auth generated controller.
use Illuminate\Support\Facades\Auth; protected function guard()
{
return Auth::guard('guard-name');
}
Retrieving the authenticated user:
You may use Auth facade for accessing user’s data.
use Illuminate\Support\Facades\Auth;
// Get the currently authenticated user...
$user = Auth::user();
// Get the currently authenticated user's ID...
$id = Auth::id();After a user authenticates, you can access the authenticated user via Request instance.
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class ProfileController extends Controller
{
/**
* Update the user's profile.
*
* @param Request $request
* @return Response
*/
public function update(Request $request)
{
// $request->user() returns an instance of the authenticated user...
}
}You can also check whether a user is a login using the check() function.
use Illuminate\Support\Facades\Auth;
if (Auth::check())
{
// The user is logged in...
}Protecting Routes:
We can authenticate users to access a route using auth middleware. We already registered middleware in your HTTP kernel.
Route::get('profile', function () {
// Only authenticated users may enter...
})->middleware('auth');You can also define the middleware method inside your constructor instead of specifying in route.
public function __construct()
{
$this->middleware('auth');
}When attaching the auth middleware to a route, you may specify which guard should authenticate the user.
public function __construct()
{
$this->middleware('auth:api');
}Password Confirmation:
You want to confirm their password before accessing further options of the application. Attaching the password.confirm middleware to a route will redirect users to a screen where they need to confirm their password before they can continue:
Route::get('/settings/security', function () {
// Users must confirm their password before continuing...
})->middleware(['auth', 'password.confirm']);Login Throttling:
Laravel provides a Login throttling feature. After several times with incorrect user credentials, the user cannot log in for one minute.
Manually Authenticating Users:-
You should import Auth facade service at the top of the class. For authentication, you can use the attempt() method.
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class LoginController extends Controller
{
/**
* Handle an authentication attempt.
*
* @param \Illuminate\Http\Request $request
*
* @return Response
*/
public function authenticate(Request $request)
{
$credentials = $request->only('email', 'password');
if (Auth::attempt($credentials)) {
// Authentication passed...
return redirect()->intended('dashboard');
}
}
}We are passing an array of key and value pairs to the attempt method. It will check in your database table. If the two hashed passwords matched with the database entry. laravel starts the user’s sessions. The attempt method returns true if a user authenticates. Otherwise, it returns false.
The intended method will redirect users to the URL. They were attempting to access before being intercepted by the authentication middleware. You can add an extra condition to the authentication query in the attempt method.
if (Auth::attempt(['email' => $email, 'password' => $password, 'active' => 1])) {
// The user is active, not suspended, and exists.
}You can also manage authentication for your application using the guard() method.
if (Auth::guard('admin')->attempt($credentials)) {
//
}The logout method clears the authentication information in the user’s session.
Auth::logout();Remembering Users:
You can pass the second argument to the attempt method, which keeps the user authenticated until it logout from the system. Remember me token stored in user’s table for easy to access.
if (Auth::attempt(['email' => $email, 'password' => $password], $remember)) {
// The user is being remembered...
}You can check with the viaRemember() method. If it authenticates, the user using the “remember me” cookie.
if (Auth::viaRemember()) {
//
}Other Authentication Methods:-
Authenticate a user instance
You can pass the user instance to the login method. Laravel will authenticate the user and process it.
Auth::login($user); // Login and "remember" the user... Auth::login($user, true);You can also add a guard instance while authenticating the user.
Auth::guard('admin')->login($user);With the help of their id, we can log in a user into the application. You can use the loginUsingId method. You can pass the primary key to this method.
Auth::loginUsingId(1); // Login and "remember" the given user... Auth::loginUsingId(1, true);The once method use to log into the user inside your application. It will not maintain sessions or cookies.
if (Auth::once($credentials)) {
//
}HTTP Basic Authentication:-
By default, Laravel gives HTTP Basic authentication without creating a login page. You can attach ‘auth.basic’ middleware to your route.
Route::get('profile', function () {
// Only authenticated users may enter...
})->middleware('auth.basic');You will see the prompt for authentication when accessing the route in a browser. By default, ‘auth.basic’ middleware will use the email column on the user record.
If you are using FastCGI, HTTP basic authentication does not work correctly. You must add the following code in the .htaccess file.
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]Stateless HTTP Basic Authentication:
you can use HTTP basic authentication with setting user cookies in session using the onceBasic method.
<?php
namespace App\Http\Middleware;
use Illuminate\Support\Facades\Auth;
class AuthenticateOnceWithBasicAuth
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/ public function handle($request, $next)
{
return Auth::onceBasic() ?: $next($request);
}
}
After defining middleware, we can attach it to the route.
Route::get('api/user', function () {
// Only authenticated users may enter...
})->middleware('auth.basic.once');Logging Out:-
It is a simple way to clear authentication information in the user’s session.
Auth::logout();Invalidating session on other devices:
It is best practice to maintain an account on many devices without invalidating the current device session. You should make sure that Illuminate\Session\Middleware\AuthenicateSession middleware is present inside the kernel.php file. It should be un-commented in the web middleware group.
'web' => [ // ... \Illuminate\Session\Middleware\AuthenticateSession::class,
// ... ],The logoutOtherDevices method requires the current password as the first argument.
use Illuminate\Support\Facades\Auth; Auth::logoutOtherDevices($password);
The logoutOtherDevices method applies, as all other user’s sessions invalidate from all guards.
Adding Custom Guards:-
You can create your guards with extend() method in the service provider. We can place code inside the AuthServiceProvider provider.
<?php
namespace App\Providers;
use App\Services\Auth\JwtGuard;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Auth;
class AuthServiceProvider extends ServiceProvider
{
/**
* Register any application authentication/authorization services.
*
* @return void
*/
public function boot()
{
$this->registerPolicies();
Auth::extend('jwt', function ($app, $name, array $config) {
// Return an instance of Illuminate\Contracts\Auth\Guard...
return new JwtGuard(Auth::createUserProvider($config['provider']));
});
}
}After defining a custom guard, you may use this guard from the guard’s configuration of the auth.php configuration file.
'guards' =>
[ 'api' =>
[ 'driver' => 'jwt', 'provider' => 'users', ],
],Closure Request Guards:
It is the best way to implement an HTTP request-based authentication system using the Auth::viaRequest method. The viaRequest method accepts an authentication driver name as the first argument and closure that receives the incoming HTTP request. It will return a user instance otherwise null.
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
/** Register any application authentication/authorization services.
* @return void */
public function boot()
{
$this->registerPolicies();
Auth::viaRequest('custom-token', function ($request) {
return User::where('token', $request->token)->first();
});
}After defining the custom driver for authentication, you can use it inside the guard’s configuration of your auth.php file.
'guards' => [
'api' => [ 'driver' => 'custom-token', ],
],Adding Custom User Providers:-
The provider method from Auth facade is to define a custom user provider.
<?php
namespace App\Providers;
use App\Extensions\RiakUserProvider;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Auth;
class AuthServiceProvider extends ServiceProvider
{
/**
* Register any application authentication/authorization services.
*
* @return void
*/
public function boot()
{
$this->registerPolicies();
Auth::provider('riak', function ($app, array $config) {
// Return an instance of Illuminate\Contracts\Auth\UserProvider...
return new RiakUserProvider($app->make('riak.connection'));
});
}
}Afterward, you define a new user provider in the auth.php file. You may use this provider in your guard’s configuration.
'providers' => [
'users' => [
'driver' => 'riak',
],
],
'guards' => [
'web' => [
'driver' => 'session', 'provider' => 'users',
],
],Events:-
Laravel emits a variety of events during the authentication process. You may be listeners to these events in your EventServiceProvider.
/** The event listener mappings for the application.
* @var array */
protected $listen = [ 'Illuminate\Auth\Events\Registered' => [
'App\Listeners\LogRegisteredUser',
], 'Illuminate\Auth\Events\Attempting' => [
'App\Listeners\LogAuthenticationAttempt',
], 'Illuminate\Auth\Events\Authenticated' => [
'App\Listeners\LogAuthenticated',
], 'Illuminate\Auth\Events\Login' => [
'App\Listeners\LogSuccessfulLogin',
], 'Illuminate\Auth\Events\Failed' => [
'App\Listeners\LogFailedLogin',
], 'Illuminate\Auth\Events\Validated' => [
'App\Listeners\LogValidated',
], 'Illuminate\Auth\Events\Verified' => [
'App\Listeners\LogVerified',
], 'Illuminate\Auth\Events\Logout' => [
'App\Listeners\LogSuccessfulLogout',
], 'Illuminate\Auth\Events\CurrentDeviceLogout' => [
'App\Listeners\LogCurrentDeviceLogout',
], 'Illuminate\Auth\Events\OtherDeviceLogout' => [
'App\Listeners\LogOtherDeviceLogout',
], 'Illuminate\Auth\Events\Lockout' => [
'App\Listeners\LogLockout',
], 'Illuminate\Auth\Events\PasswordReset' => [
'App\Listeners\LogPasswordReset',
],
];I hope this article (how to implement custom authentication in laravel) helps you better understand the authentication of laravel, so it speeds up your production release. For this article, I followed this link. If you have questions, please leave a comment on and I will respond as soon as possible.
Thank you for reading this article. Please share this article within your friend circle. That’s it for the day. Stay Connected!
Cheers,
Originally published at https://www.devrohit.com on September 23, 2021.