9.1 Authentication - caligrafy/caligrafy-quill GitHub Wiki

Authentication is key to any transactional web application. This framework provides a quick and easy way to have a basic authentication into your application by providing the necessary models, views and controllers readily available.

CRUD operations on a database

In this video, we will learn how to create a database model, how to link it to Caligrafy and how to perform CRUD operations using Controllers.

Authentication

In this video, you will learn how you can authenticate users using the authentication module that is prepackaged with Caligrafy.

In order to use authentication, the Database needs to be activated.

Learn more about Database Activation

In order to activate authentication, the following line should be uncommented from /application/config/routing/web.php:

// AUTHENTICATION - Remove comment if you have an authentication implemented
  Auth::authentication('User', 'users');

This framework comes with a prepackaged set of routes that help illustrate how logging in, registration and logging out work. In order to activate these routes, the following lines should be uncommented from /application/config/routing/web.php:

// Auth Routes - Uncomment only if AUTHENTICATION activated above
  Route::get('/home', 'AuthController@home');
  Route::get('/login', 'AuthController');
  Route::get('/logout', 'AuthController@logout');
  Route::get('/notAuthorized', 'AuthController@notAuthorized');
  Route::get('/register', 'AuthController@registerForm');
  Route::post('/login', 'AuthController@login');
  Route::post('/register', 'AuthController@register');

Also this framework comes with prepackaged user interfaces to manage users. In order to activate user management routes, the following lines should be uncommented from /application/config/routing/web.php:

// User Administration Routes - Uncomment only if AUTHENTICATION activated above
Route::get('/admin', 'AdminController');
Route::get('/users', 'AdminController');
Route::get('/users/{id}/edit', 'AdminController@editUserForm');
Route::put('/users/{id}/edit', 'AdminController@updateUser');
Route::delete('/users/{id}/edit', 'AdminController@deleteUser');

As part of this framework, a MySql script is provided to create the basic users table to put in place an authentication mechanism. This script can be found in application/models/Auth/create_db.sql.

This script can be run from either the Terminal or from a DB manager application such as phpMyAdmin.

Run from the Terminal

~: cd /application/models/Auth/
~: mysql -u <username> -p <databasename> < create_db.sql

Run from phpMyAdmin

• Click on the database name that you created
• Click Import from the action menu
• Browse to application/Models/Auth
• Select the file create_db.sql
• Click on Go

The framework has a User Model already created for use that can be found in /application/Models/Auth/User.php. This model is a representation of the database table that was previously created. Both the table and the model have basic attributes id, username, passcode, permissions, created_at, modified_at.

Before making any changes to both the table and the model, we recommend that you understand how the authentication mechanism works and how the out-of-the-box controllers and views are implemented

The authentication controller is the controller that will allow interfacing with the User model, the users table and the different authentication views (explained in the next section). This controller can be found in /application/Controllers/Auth/AuthController.php.

This controller is shipped with 4 methods that can be accessed from the route

• index(): This method is called from a GET route and it returns the index view that has 2 states, authorized and not authorized.
• register(): This method is called from a POST route to create a new record in the users tables.
• login(): This method is called from a POST route to validate the credentials entered against a record in the users table.
• logout(): This method is called from a GET route and calls a logout core helper method that unauthorizes a user and redirects to a specified URL after logging out.

It is also shipped with 3 administration methods that can be accessed from the route. The following administration methods are controlled by the guard method. Out-of-the-box, permissions is set to 0, thus allowing any register user to manage user records. You can change the guard permissions appropriately to control access to the admin methods below.

• index(): This method is called from a GET route and it returns the users view that lists all the users that are registered in the system
• editUserForm(): This method is called from a GET route and it returns the manageusers in an editing form that allows modifying the user information
• updateUser(): This method is called from a PUT route to update the user record
• deleteUser(): This method is called from a DELETE route to delete a user record

This framework comes with several views out-of-the-box to perform the basic authentication interactions.

• /application/Views/default/index.pug: This view acts as a welcome page that has 2 states, authorized and unauthorized - to help illustrate how authentication works.
• /application/Views/Auth/login.pug: This view has a basic login form with basic field validations.
• /application/Views/Auth/register.pug: This view has a basic registration form with basic field validations.

The following view are user management views:

• /application/Views/Auth/users.pug: This view displays all the users registered in a tabular format.
• /application/Views/Auth/manageusers.pug: This view has an editing form to modify the user record.

Once a user is authenticated, this framework comes with a set of core helper methods that can be used in the context of a Controller to restrict or grant access to the different controller actions.

• Check if logged in: In order to check if a user is authorized (logged in)

function authorized(); // returns a boolean of whether or not a user is logged in
function user(); // returns the information of a logged in user, otherwise it returns null

• Log in or log out: In order to authorize (log in) or unauthorize (logout) a user

function authorize($user); // use this method upon your login mechanism to authorize user
function unauthorize(); // use this method upon your logout mechanism to unauthorize all users
function logout($redirectUrl = '/'); // logs out an authenticated user and redirects to the specified url

• Permissions: In order to check for permissions, this framework provides a way to put a guard on a controller action. The guard not only checks if the user is authenticated (logged in) but it also checks their permission level and restricts their access to the action if their permission is < than the accepted permission level to run the action.

function guard($permissionAttribute, $acceptedPermission, $loginUrl = '/'); // checks if user is permitted to use controller, otherwise redirect to the specified url

The $permissionAttribute is the name of the attribute in the users database table that holds the permissions. In the out-of-the-box table, this attribute name is permissions. If that attribute is changed in the table, the guard function provides a way to change it.

Next Section: Learn about Payments with Stripe