I am working on an application, Where i have three type of users(real scenario), The application have three areas Freelancers and Lms (Learning Management systems) and admin panel for both :
Currently i am not using any kind of multi auth functionalities, And whenever i login in a user in the freelancer section and i goes to the lms section the authenticated user is available there.
As i am using only one table for the users where i have a column userType(Which is not in use but there for future proofing).
I know a couple of packages Like this one. which i can implement but i haven't and thought that there might be a better way and stackoverflow community can provide one.
My question is how to handle this type of situation, Whats the most efficient and robust way.
It's probably not multiauth you're looking for but permissions on certain pages. Take a look at: https://github.com/spatie/laravel-permission
It's very simple and straightforward. It even lets you single out users, that for example both have admin level, but just one can view it.
The most efficient and robust way is to use simple user_type column to store user type and create some helpers. For example, to check if user is an admin you can create something like this in the User model:
public function isAdmin()
{
return auth()->check() && auth()->user()->user_type === 3;
}
This is the simplest method with a lot of advantages. It's good for apps that use a lot of relationships, it's good for speed etc.
This is how I would do it.
I am going to skip long details about setting up auth controllers and views. They are quite straight forward to scaffold using the artisan console.
The first thing we need is new field on your Users table. An admin field if you only have two levels (admin and non-admin). An ENUM value in your case.
Depending on what the value in that field is you want to grant (or not) access to certain sections/pages/resources etc.
The artisan console generates all the necessary pages, middle-ware, routes for a basic login. But after you have done that you will need a second middle-ware to check for different levels of access. Lets call it CheckAdmin.
Use the following command php artisan make:middleware CheckAdmin. This creates a new middleware with specified name in app\Http\Middleware
Now register the middleware in Kernel.php (Last line of code). This gives the middleware class that we just created a name (admin in this case).
protected $routeMiddleware = [
'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'admin' => \App\Http\Middleware\CheckAdmin::class,
];
All the routes in your that check for certain admin rights should use the admin middleware we just registered right after the auth factory middleware provided with laravel. There are two ways of doing this depending how you are building your app/website.
A. NOT using a resources controllers for the route.
Go to your routes web.php file. And register the auth and admin middleware for a request. An example follows.
Route::get('/example-admin-only-route', function () { //SOME LOGIC
})->middleware('auth', 'admin');
B. USING resources controllers. (Which you probably should whenever you can)
In the constructor of the resource controller. ExampleController.php for our Example resource.
class ExampleController extends Controller
{
public function __construct()
{
$this->middleware('auth');
$this->middleware('admin');
}
...
}
Write the logic for your CheckAdmin middleware.
namespace App\Http\Middleware;
use Closure;
class CheckAdmin
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
if($request->user()->admin == 'Admin') //or FreeLancers or LMS (or maybe Unicorns)
{
return $next($request);
}
else
{
return redirect("/not-worthy");
}
}
}
The code checks the admin privileges and either lets the request pass or does something else with it. In our-case redirects to a different end-point. But you may wish to do more creative things with it.
Cheers.