DEV Community

Cover image for Understanding Laravel Authentication: Best Practices and Tips
Asfia Aiman
Asfia Aiman

Posted on

Understanding Laravel Authentication: Best Practices and Tips

In the realm of Laravel development, user authentication serves as the gatekeeper, ensuring only authorized individuals access your application's valuable resources. But with an array of options at your disposal, choosing the most suitable authentication strategy can feel like navigating a labyrinth. This blog delves into the intricacies of sessions, tokens, JSON Web Tokens (JWTs), Single Sign-On (SSO), and OAuth in Laravel, equipping you with the knowledge to make an informed decision for your project.

1. Sessions: The Traditional Sentinel

Sessions, the time-tested guardians of user state, have long been a cornerstone of web application authentication. Laravel leverages cookies to store a session identifier that acts as a secret handshake between the user's browser and the server. This handshake grants access to user data stored on the server for the duration of the session, typically until the user logs out or their browser window closes.

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;

class LoginController extends Controller
{
    public function showLoginForm()
    {
        return view('auth.login');
    }

    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        if (Auth::attempt($credentials)) {
            // Authentication passed...
            $request->session()->regenerate();

            return redirect()->intended('dashboard');
        }

        return back()->withErrors([
            'email' => 'The provided credentials do not match our records.',
        ]);
    }

    public function logout(Request $request)
    {
        Auth::logout();

        $request->session()->invalidate();

        $request->session()->regenerateToken();

        return redirect('/');
    }
}
Enter fullscreen mode Exit fullscreen mode

Advantages:

  • Simplicity: Sessions are a well-established approach, making them easy to implement and integrate into existing Laravel applications.
  • State Management: Session data allows you to maintain user progress and context throughout their browsing session, vital for features like shopping carts or multi-step forms.

Disadvantages:

  • Scalability: As session data resides on the server, large user bases can strain server resources and hinder scalability.
  • Security Concerns: Session hijacking, where an attacker steals the session identifier, poses a potential security risk if not mitigated with proper security measures.

2. Tokens: The Stateless Samurai

Tokens, the stateless warriors of the authentication realm, offer a more modern approach. These self-contained units of information encapsulate user data and a cryptographic signature, eliminating the need for server-side session storage. This makes them ideal for:

  • API Authentication: Tokens are lightweight and don't require session management, perfectly suited for the fast-paced world of APIs and microservices architectures.
  • Enhanced Security: The cryptographic signature ensures data integrity, preventing unauthorized modifications during transmission.

However, tokens come with their own set of considerations:

  • Limited State Management: Tokens themselves don't store user state, requiring additional mechanisms for complex scenarios that necessitate maintaining user progress across requests.
  • Increased Complexity: Implementing robust token generation, verification, and authorization logic can add complexity to your application.
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use App\Models\User;

class AuthController extends Controller
{
    // Register a new user and generate a token
    public function register(Request $request)
    {
        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|min:8|confirmed',
        ]);

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
        ]);

        $token = $user->createToken('auth_token')->plainTextToken;

        return response()->json([
            'access_token' => $token,
            'token_type' => 'Bearer',
        ]);
    }

    // Login user and generate a token
    public function login(Request $request)
    {
        $request->validate([
            'email' => 'required|string|email',
            'password' => 'required|string',
        ]);

        $credentials = $request->only('email', 'password');

        if (!Auth::attempt($credentials)) {
            return response()->json(['message' => 'Unauthorized'], 401);
        }

        $user = Auth::user();
        $token = $user->createToken('auth_token')->plainTextToken;

        return response()->json([
            'access_token' => $token,
            'token_type' => 'Bearer',
        ]);
    }

    // Logout user and revoke token
    public function logout(Request $request)
    {
        $request->user()->currentAccessToken()->delete();

        return response()->json(['message' => 'Successfully logged out']);
    }

    // Get user details
    public function me(Request $request)
    {
        return response()->json($request->user());
    }
}
Enter fullscreen mode Exit fullscreen mode

3. JWTs: The Compact and Secure Enforcer

JWTs (JSON Web Tokens) are a specific type of token format that elevates security and compactness to new heights. These tokens are JSON-encoded and digitally signed, offering several advantages:

  • Security: The digital signature ensures data integrity and prevents tampering with the token's contents.
  • Compactness: JWTs are lightweight and efficient, making them suitable for resource-constrained environments or mobile applications.
  • Self-Contained: JWTs can optionally embed a limited amount of user data, reducing the need for additional server-side calls to retrieve user information.

While JWTs boast these benefits, they also have limitations:

  • Limited Server-Side Storage: Similar to traditional tokens, JWTs don't store user state on the server, requiring additional mechanisms for complex scenarios.
  • Potential Decodability: Depending on the implementation, the payload within a JWT might be decodable, revealing some user data.

Laravel Packages:

Laravel offers several robust packages like Tymon JWT or Lcobucci JWT to simplify JWT implementation, handling token generation, verification, and middleware integration seamlessly.

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use App\Models\User;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        try {
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 400);
            }
        } catch (JWTException $e) {
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        return response()->json(compact('token'));
    }

    public function register(Request $request)
    {
        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => bcrypt($request->password),
        ]);

        $token = JWTAuth::fromUser($user);

        return response()->json(compact('token'));
    }

    public function getAuthenticatedUser()
    {
        try {
            if (! $user = JWTAuth::parseToken()->authenticate()) {
                return response()->json(['user_not_found'], 404);
            }
        } catch (Tymon\JWTAuth\Exceptions\TokenExpiredException $e) {
            return response()->json(['token_expired'], $e->getStatusCode());
        } catch (Tymon\JWTAuth\Exceptions\TokenInvalidException $e) {
            return response()->json(['token_invalid'], $e->getStatusCode());
        } catch (Tymon\JWTAuth\Exceptions\JWTException $e) {
            return response()->json(['token_absent'], $e->getStatusCode());
        }

        return response()->json(compact('user'));
    }
}
Enter fullscreen mode Exit fullscreen mode

4. SSO: The Unified Kingdom

SSO (Single Sign-On) establishes a kingdom of trust, allowing users to log in once and access a multitude of applications within a trusted network. This eliminates the need for repeated logins across different applications, streamlining the user experience.

While SSO offers convenience, it comes with its own considerations:

  • Third-Party Integration: Implementing SSO often requires integrating with established providers like Okta or Auth0, adding an external dependency to your application.

  • Increased Complexity: Setting up and maintaining an SSO infrastructure adds complexity to your project and introduces new security considerations.

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Socialite;

class SSOController extends Controller
{
    public function redirectToProvider()
    {
        return Socialite::driver('sso-provider')->redirect();
    }

    public function handleProviderCallback()
    {
        try {
            $user = Socialite::driver('sso-provider')->user();
            $authUser = $this->findOrCreateUser($user);
            Auth::login($authUser, true);
            return redirect()->intended('/home');
        } catch (\Exception $e) {
            return redirect('/login')->withErrors(['msg' => 'Unable to login using SSO.']);
        }
    }

    private function findOrCreateUser($user)
    {
        $authUser = User::where('provider_id', $user->id)->first();
        if ($authUser) {
            return $authUser;
        }

        return User::create([
            'name' =>'name' => $user->name,
    'email' => $user->email,
    'provider' => 'sso-provider',
    'provider_id' => $user->id,
]); 
Enter fullscreen mode Exit fullscreen mode

5. OAuth: The Delegation Diplomat

OAuth, the skilled diplomat of the authentication world, facilitates controlled access to user data across different services. It allows users to grant access to their data on one platform (like a social media account) to another application. This is beneficial for:

- Social Logins:
Users can leverage their existing social media credentials to log in to your application, providing a convenient login option.

- Third-Party Data Access:
Granting access to specific user data from other services, such as accessing photos from a user's Facebook account.

However, OAuth also presents some challenges:

- Security Concerns:
Since OAuth relies on third-party providers, it introduces potential security risks.

- Revocation Mechanisms:
Revoking access granted through OAuth requires coordination with the third-party provider, potentially introducing delays or complexities.

- Limited Control:
The level of control you have over user data obtained through OAuth depends on the provider's policies and APIs.

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Laravel\Socialite\Facades\Socialite;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class OAuthController extends Controller
{
    // Redirect the user to the OAuth Provider
    public function redirectToProvider($provider)
    {
        return Socialite::driver($provider)->redirect();
    }

    // Obtain the user information from the provider
    public function handleProviderCallback($provider)
    {
        $user = Socialite::driver($provider)->user();

        // Check if the user already exists in the database
        $existingUser = User::where('email', $user->getEmail())->first();

        if ($existingUser) {
            // Log the user in
            Auth::login($existingUser);
        } else {
            // Create a new user
            $newUser = User::create([
                'name' => $user->getName(),
                'email' => $user->getEmail(),
                'password' => Hash::make(uniqid()), // Generate a random password
                'provider' => $provider,
                'provider_id' => $user->getId(),
            ]);

            Auth::login($newUser);
        }

        // Redirect to the intended page
        return redirect()->intended('/home');
    }
}

// In routes/web.php

use App\Http\Controllers\Auth\OAuthController;

Route::get('login/{provider}', [OAuthController::class, 'redirectToProvider']);
Route::get('login/{provider}/callback', [OAuthController::class, 'handleProviderCallback']);

// In config/services.php

return [

    // Other services...

    'github' => [
        'client_id' => env('GITHUB_CLIENT_ID'),
        'client_secret' => env('GITHUB_CLIENT_SECRET'),
        'redirect' => env('GITHUB_REDIRECT_URI'),
    ],

    'google' => [
        'client_id' => env('GOOGLE_CLIENT_ID'),
        'client_secret' => env('GOOGLE_CLIENT_SECRET'),
        'redirect' => env('GOOGLE_REDIRECT_URI'),
    ],

    // Add other providers as needed...

];

// In .env file

GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
GITHUB_REDIRECT_URI=http://your-callback-url

GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GOOGLE_REDIRECT_URI=http://your-callback-url

// Add other provider credentials as needed...
Enter fullscreen mode Exit fullscreen mode

Choosing Your Champion: A Comparative Analysis

Now that we've explored the strengths and weaknesses of each approach, let's delve into a comparative analysis to guide your decision-making process:

Image description

Remember: The optimal authentication strategy hinges on your project's specific requirements. Consider these factors:

1. Application Type:
Web application, API, Mobile App, etc.

2. Scalability Needs:
Expected number of users and potential for growth.

3. Security Requirements:
Sensitivity of user data and desired level of security.

4. User Experience:
Prioritize a seamless and convenient login process.

Conclusion

Laravel equips you with a diverse arsenal of authentication tools. By wielding the knowledge of sessions, tokens, JWTs, SSO, and OAuth, you can make informed decisions to secure your application and provide a frictionless user experience. Explore the Laravel documentation and community resources for in-depth implementation details and best practices to solidify your authentication strategy. This guide equips you to confidently navigate the labyrinth of authentication options and select the champion best suited to protect your Laravel application's castle.

Top comments (8)

Collapse
 
vdelitz profile image
vdelitz

Interesting article! Ever tried to implement passkeys in Laravel?

Collapse
 
asfiaaiman profile image
Asfia Aiman

Yes while making APIs for projects

Collapse
 
vdelitz profile image
vdelitz

What was your experience? How complex was it to get it working for a real-life project?

Thread Thread
 
asfiaaiman profile image
Asfia Aiman

It really gave me a tough time sometimes, however, I learnt many new things that have helped me in my work after. Whatever is tough first time, gives you a lifetime lesson so it is a win-win situation

Collapse
 
bobbyiliev profile image
Bobby Iliev

Great post! 👏

I could also suggest this free auth package here that allows you to customize your auth pages easily:

GitHub logo thedevdojo / auth

This is the repo for the DevDojo Auth package

Auth Logo


Build Status Total Downloads Latest Stable Version License

About

Auth is a plug'n play authentication package for any Laravel application.

Be sure to visit the official documentation at devdojo.com/auth/docs

Installation

You can install this package into any new Laravel application, or any of the available Laravel Starter Kits.

composer require devdojo/auth

After the package has been installed you'll need to publish the authentication assets, configs, and more:

php artisan vendor:publish --tag=auth:assets
php artisan vendor:publish --tag=auth:config
php artisan vendor:publish --tag=auth:ci
php artisan vendor:publish --tag=auth:migrations

Next, run the migrations:

php artisan migrate
Enter fullscreen mode Exit fullscreen mode

Finally extend the Devdojo User Model:

use Devdojo\Auth\Models\User as AuthUser;

class User extends AuthUser

in your App\Models\User model.

Now, you're ready to rock! Auth has just been isntalled and you'll be able to visit the following authentication routes:

  • Login (project.test/auth/login)
  • Register (project.test/auth/register)
  • Forgot Password (project.test/auth/register)
  • Password Reset (project.test/auth/password/reset)
  • Password Reset Token (project.test/auth/password/ReAlLyLoNgPaSsWoRdReSeTtOkEn)
  • Password Confirmation (project.test/auth/password/confirm)
  • Two-Factor Challenge (project.test/auth/two-factor-challenge)

You'll also have access to the Two Factor…

Collapse
 
asfiaaiman profile image
Asfia Aiman

Thank you for sharing. I would love to try it!

Collapse
 
litlyx profile image
Antonio | CEO at Litlyx.com

Great content!

Collapse
 
asfiaaiman profile image
Asfia Aiman

Thank you :)