The importance of authentication in web applications
The importance of authentication in web applications is self-explanatory: it helps confirm the user is who they say they are before giving them access to the application.
This is useful because someone may have your username and password without you giving it to them (either through spyware or data leaks online, for instance). Authentication prevents this person from accessing your account.
How Laravel makes use of guards
The framework makes use of guards (which are essentially the “gatekeepers”) that determine whether a user is denied or granted access. The user provides their email address and password regardless of the type of guard used.
Laravel makes use of token guards. These use API tokens for authenticating users. Unlike session guards, API tokens offer a secure way of authentication without relying on sessions.
Token guards store unique API tokens in a database. The token is issued to the client, which then sends it back in an HTTP header. On each request, the token guard reads this token from the header and uses it for authentication.
Typically the token is encoded as a JSON Web Token (JWT) and includes the issuing entity, the user being authenticated, the time of the token’s issue, the time of the token’s expiry, and any other custom claims such as roles and permissions.
The returned token can be stored locally by the client, for example in a cookie.
Laravel also makes use of session guards. Sessions are created when a user logs in. At this point, a session ID is made and stored in the cookies. With each request, the session guard gets the ID from the cookies and uses the related session data for authentication.
How Laravel authenticates users using session-based authentication
After creating a database in Laravel and storing user data in it, you’ll be able to see the user, their email, and their password. Laravel protects the user’s password by hashing it before storing it, so the plaintext can never be read back from the database; only the framework’s hash check can verify a submitted password against the stored value.
You’ll also need routes:
- One for showing where the user can input their credentials,
- Another to handle the form submission,
- And one, finally, for the dashboard that the successfully authenticated users go to.
The form should have two fields, one for an email address and another to input the password. You should also have an error variable to display validation errors after form submission.
Each form submission should also have a controller. This is known as the Auth Controller. It includes the validator that validates the user input and the attempt method that matches the credentials with database records. There also needs to be a redirect that returns the user to the form with an error such as “invalid credentials.”
In a nutshell: Laravel matches the credentials given by the user with a record within the database. It considers this user currently logged in. The user ID is stored in the session data. For logging out, Laravel removes the user ID from the session data.
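The three routes, the validator, the attempt method and the logout step described above, written out as an added example controller (this is not the article’s own code; the route names `login` and `dashboard` and the Blade view `auth.login` are assumptions):

```php
<?php
// Added example, not the article's code; route names and view are assumptions.
namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\View\View;

class AuthController extends Controller
{
    // Route 1: show the form with the email and password fields.
    public function showLoginForm(): View
    {
        return view('auth.login'); // assumed Blade view name
    }

    // Route 2: handle the submission. Validate first, then let Auth::attempt
    // compare the credentials against the users table (it checks the hash).
    public function login(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (Auth::attempt($credentials, $request->boolean('remember'))) {
            // Rotate the session ID so an ID issued before login cannot be
            // reused by someone who planted it (session fixation).
            $request->session()->regenerate();
            return redirect()->intended(route('dashboard')); // assumed route name
        }

        // One generic message: do not reveal whether the email exists.
        return back()->withErrors(['email' => 'Invalid credentials.'])
                     ->onlyInput('email');
    }

    // Logging out removes the user ID from the session, then invalidates
    // the session and rotates the CSRF token.
    public function logout(Request $request): RedirectResponse
    {
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();
        return redirect()->route('login'); // assumed route name
    }
}
```

The `remember` checkbox is optional; when it is absent `$request->boolean('remember')` is simply `false` and no remember-me cookie is issued.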
Laravel also provides many different configuration options which can be used for session management. This includes session lifetime, secure session handling, and session storage drivers.
As you can see, Laravel is secure and well-thought-out.
But this isn’t the only reason the PHP platform is so popular. Documentation for Laravel can be found on their official website. So please refer to it for in-depth information and the best practices relevant today.
Laravel’s authentication packages
Now that we’ve gone into some depth about Laravel’s authentication processes let’s take a moment to explore the packages available.
Built-in browser authentication
These can be accessed either through the Auth or Session facades. This is a cookie-based authentication initiated from your web browser. This lets you verify and authenticate users and automatically store the appropriate data on the session cookie.
API authentication services
There are two packages you can use to manage API tokens and requests. These are Passport and Sanctum.
Passport allows you to issue a variety of tokens and is the most comprehensive option for authentication in this way. This OAuth2 provider may not always be needed and may be unnecessarily complicated.
The second package available is Sanctum, which is much simpler than Passport and solves the complexity issue. It can handle API requests and first-party web requests.
Space to build dynamic web solutions
Laravel offers an ideal space to build great web solutions. And I can’t even begin to cover the depth of in-built authentication in this article as the framework is so well-developed and established. I hope at least I’ve been able to create a mental “framework” for how it all works and give you a better understanding of Laravel.