Laravel ‐ Middleware and Authentication in Laravel - johnverz22/appdev-lessons GitHub Wiki

Module 1: Introduction to Middleware

Objective:

Understand Laravel middleware and how it works for request handling.

Topics Covered:

1. What is Middleware?

   • Role of middleware in Laravel.
   • Types of middleware (global, route, and group middleware).

2. Creating Middleware in Laravel

   • Generating middleware:

     php artisan make:middleware CheckRole
     

   • Handling request lifecycle in middleware:

     public function handle(Request $request, Closure $next)
     {
         if (!$request->user() || !$request->user()->isAdmin()) {
             abort(403, 'Unauthorized access');
         }
     
         return $next($request);
     }
     

3. Registering Middleware

   • Global middleware (app/Http/Kernel.php).
   • Route-specific middleware using middleware() in routes.

---

Module 2: API Authentication with Laravel Sanctum

Objective:

Implement authentication for API-only applications using Laravel Sanctum.

Topics Covered:

1. Installing Sanctum

   • Install and publish Sanctum:

     composer require laravel/sanctum
     php artisan vendor:publish --provider="Laravel\\Sanctum\\SanctumServiceProvider"
     php artisan migrate
     

2. Configuring Sanctum

   • Add Sanctum middleware in app/Http/Kernel.php:

     'api' => [
         \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
         'throttle:api',
         \Illuminate\Routing\Middleware\SubstituteBindings::class,
     ],
     

3. Setting Up Authentication Routes

   • Creating login and registration endpoints:

     Route::post('/register', [AuthController::class, 'register']);
     Route::post('/login', [AuthController::class, 'login']);
     Route::middleware('auth:sanctum')->get('/user', [AuthController::class, 'user']);
     

4. Handling User Authentication in Controllers

   • Register method:

     public function register(Request $request)
     {
         $validated = $request->validate([
             'name' => 'required|string|max:255',
             'email' => 'required|string|email|max:255|unique:users',
             'password' => 'required|string|min:8|confirmed',
         ]);
     
         $user = User::create([
             'name' => $validated['name'],
             'email' => $validated['email'],
             'password' => bcrypt($validated['password']),
         ]);
     
         $token = $user->createToken('auth-token')->plainTextToken;
     
         return response()->json(['token' => $token], 201);
     }
     

   • Login method:

     public function login(Request $request)
     {
         if (!Auth::attempt($request->only('email', 'password'))) {
             return response()->json(['message' => 'Invalid credentials'], 401);
         }
     
         $user = Auth::user();
         $token = $user->createToken('auth-token')->plainTextToken;
     
         return response()->json(['token' => $token], 200);
     }
     

5. Protecting API Routes with Sanctum Middleware

   Route::middleware('auth:sanctum')->group(function () {
       Route::get('/profile', function (Request $request) {
           return response()->json($request->user());
       });
   });
   

6. Logging Out Users

   public function logout(Request $request)
   {
       $request->user()->tokens()->delete();
       return response()->json(['message' => 'Logged out']);
   }
   

---

Module 3: Full-Stack Authentication Using Laravel Breeze

Objective:

Implement full authentication using Laravel Breeze with Blade templates.

Topics Covered:

1. Installing Laravel Breeze

   composer require laravel/breeze --dev
   php artisan breeze:install
   npm install && npm run dev
   php artisan migrate
   

2. Understanding Laravel Breeze

   • Pre-built authentication (login, registration, password reset).
   • Uses Laravel Blade templates.

3. Protecting Routes Using Middleware

   • Applying authentication middleware:

     Route::middleware(['auth', 'verified'])->group(function () {
         Route::get('/dashboard', function () {
             return view('dashboard');
         });
     });
     

4. Using Authentication Guards

   • Switching between web and api guards in config/auth.php:

     'defaults' => [
         'guard' => 'web',
         'passwords' => 'users',
     ],
     

5. Restricting Access Based on User Role

   • Middleware to restrict admin access:

     public function handle(Request $request, Closure $next)
     {
         if ($request->user() && $request->user()->role !== 'admin') {
             return redirect('/dashboard');
         }
     
         return $next($request);
     }
     

   • Apply middleware to routes:

     Route::middleware(['auth', 'role:admin'])->group(function () {
         Route::get('/admin', function () {
             return view('admin.dashboard');
         });
     });
     

---

Practice Problems

1. Middleware Practice

• Task: Create a middleware named EnsureUserIsAdmin that restricts access to certain routes for non-admin users.
• Hint: Use $request->user()->role to check for an admin role.

2. API Authentication with Sanctum

• Task: Implement an API route /user-profile that returns the authenticated user's details only if they provide a valid token.
• Hint: Use auth:sanctum middleware.

3. Laravel Breeze Login Flow

• Task: Modify the Laravel Breeze authentication to include an extra field in registration (e.g., phone_number).
• Hint: Update the User model's fillable properties and validation rules.

4. Role-Based Access

• Task: Create an admin panel where only users with an admin role can access /admin-dashboard.
• Hint: Use custom middleware and apply it to routes.

5. Logout for API Users

• Task: Implement a logout feature for API users using Sanctum.
• Hint: Use $request->user()->tokens()->delete(); to delete all tokens.