There are many ways to secure an admin area. You can use the one default User model and check permissions based on roles and policies, but over time that often turns out to be too inflexible. Laravel deliberately does not prescribe a single approach here, and that's a good thing: the Laravel team leaves the choice to you because it depends on your project.
Securing applications is a mandatory step in software development. It is no secret that software becomes more sophisticated every day, and a poorly secured web application can be broken into with little effort. The consequences for users can be severe when software isn't secure enough.
The admin area is an especially sensitive part of an application because it typically has unrestricted access to almost every other part of it; whoever controls the admin area controls the software, which is exactly what makes it an attractive target. Since most software packages ship an admin interface, this risk applies to almost any application. In this article you will learn how to easily create two types of users. I assume you already use the standard User model for regular users, so we will focus only on the new one. To-do list:
- create migration
- create model
- add guard
- add provider
Create Admin migrations
# migration file (database/migrations/xxxx_xx_xx_create_admins_table.php)
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

Schema::create('admins', function (Blueprint $table) {
    $table->id();
    # unique, so a login attempt can never match more than one admin row
    $table->string('username', 100)->unique();
    # stores the password hash, never the plain-text password
    $table->string('password', 100);
    # you can add more fields if you want
    $table->timestamps();
});
Create Admin model
<?php
# ./app/Models/Admin.php
namespace App\Models;

use Carbon\CarbonInterface;
use Illuminate\Foundation\Auth\User as Authenticatable;

/**
 * @property int $id
 * @property string $username
 * @property string $password
 * @property CarbonInterface|null $created_at
 * @property CarbonInterface|null $updated_at
 */
class Admin extends Authenticatable
{
    protected $table = 'admins';

    # password must be saved as a hash (Hash::make), because the session guard
    # verifies it with Hash::check() during attempt()
    protected $fillable = [
        'username',
        'password',
    ];

    # never expose the hash when the model is serialized (e.g. in JSON responses)
    protected $hidden = [
        'password',
    ];
}
Create AdminGuard and AdminProvider
# ./config/auth.php
'guards' => [
    // ...
    'admin' => [
        'driver' => 'session',
        'provider' => 'admins',
    ],
],

'providers' => [
    // ...
    'admins' => [
        'driver' => 'eloquent',
        'model' => App\Models\Admin::class,
    ],
],
Summary
And that's it. Now you can use it everywhere you need, via the Auth facade or the Request object.
# routes.php
use App\Http\Controllers\AdminDashboard;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:admin')->group(function () {
    # named, so redirect()->route('admin.dashboard') below resolves
    Route::get('/admin/dashboard', [AdminDashboard::class, 'view'])->name('admin.dashboard');
});

# controller
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function action(Request $request)
{
    # the authenticated admin, via $request
    $admin = $request->user('admin');
    # the same admin via the Auth facade; guard() alone returns the guard object, not the user
    $admin = Auth::guard('admin')->user();
}

public function login(Request $request)
{
    $credentials = $request->only('username', 'password');
    if (Auth::guard('admin')->attempt($credentials)) {
        # rotate the session id after a successful login to prevent session fixation
        $request->session()->regenerate();
        return redirect()->route('admin.dashboard');
    }
    return view('admin.login');
}
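Before relying on the new guard, it is worth proving that it is actually separate from the default `web` guard: a regular user's session must not open the admin dashboard, and an admin session must not leak into the user guard. The following feature test is an added example, not part of the original article; it assumes the default Laravel `User` factory and `users` migration, the `admins` migration and `auth.php` entries above, and that `AdminDashboard::view` responds with 200.

```php
<?php
// tests/Feature/AdminGuardIsolationTest.php (hypothetical path)
namespace Tests\Feature;

use App\Models\Admin;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class AdminGuardIsolationTest extends TestCase
{
    use RefreshDatabase; // runs the users and admins migrations against the test database

    private function makeAdmin(): Admin
    {
        // attempt() verifies with Hash::check(), so the stored value must be a hash
        return Admin::create(['username' => 'root', 'password' => Hash::make('correct-horse')]);
    }

    public function test_anonymous_request_is_rejected(): void
    {
        // getJson() makes the auth middleware answer 401 instead of redirecting to a login route
        $this->getJson('/admin/dashboard')->assertUnauthorized();
    }

    public function test_default_web_session_does_not_satisfy_admin_guard(): void
    {
        $user = User::factory()->create(); // default Laravel user factory, assumed present
        $this->actingAs($user)->getJson('/admin/dashboard')->assertUnauthorized();
    }

    public function test_admin_session_is_accepted_and_does_not_leak_into_web_guard(): void
    {
        $this->actingAs($this->makeAdmin(), 'admin');
        $this->assertTrue(Auth::guard('admin')->check());
        $this->assertFalse(Auth::guard('web')->check()); // no spill-over into the user guard
        $this->getJson('/admin/dashboard')->assertOk();
    }

    public function test_attempt_rejects_wrong_password_and_accepts_right_one(): void
    {
        $this->makeAdmin();
        $this->assertFalse(Auth::guard('admin')->attempt(['username' => 'root', 'password' => 'wrong']));
        $this->assertTrue(Auth::guard('admin')->attempt(['username' => 'root', 'password' => 'correct-horse']));
    }
}
```

Run it with `php artisan test --filter AdminGuardIsolationTest`; a failing first or second test means the middleware or guard name on the route is wrong, not the login code.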