Why AnyList Won’t Be Supporting Sign In with Apple
AnyList explains in great detail why they made this decision.
Read more [blog.anylist.com]
Posts tagged with authentication
Mohamed Said explains an interesting pattern for you to consider that can potentially make authenticating from the frontend easier.
Mohamed Said tweeted out a couple of very interesting videos on some of Laravel's security-related features.
Last week our team launched Mailcoach, a self-hosted solution to send out email campaigns and newsletters. Rather than being the end, launching something is the beginning of a journey. Users start encountering bugs and ask for features that weren't considered before.
One of the feature requests we got is the ability to set the guard to be used when checking if somebody is allowed to access the Mailcoach UI.
In this blog post, I'd like to show you how we implemented and tested this.
Mohamed Said wrote a good explanation of what Laravel Airlock brings to the table.
Read more [divinglaravel.com]
My team and I are currently building Mailcoach, a solution to self-host newsletters and email campaigns. In Mailcoach you can create new users to use the app.
How should these new users be onboarded? The easy way out would be to send these new users a default password reset notification, but that isn't a good first experience. The default auth scaffold by Laravel doesn't help us here: it only contains functionality to log in and to let users register themselves.
To onboard new users created by other users, I've created a package called laravel-welcome-notification which can send a welcome notification to new users that allows them to set an initial password.
In this blog post I'd like to explain how you can use the package.
Implementing the change-password-url spec in Laravel (aka: it's really dead simple) https://t.co/ow1PNMqecy pic.twitter.com/kTJK6Jq5rn
— /dev/eloper (@mattiasgeniar) December 7, 2018
Read more [twitter.com]
Did you know you can prevent registration of register routes or enable the verification route in your @laravelphp routes file when using the auth scaffolding?
Pass register or verify keys with boolean values to control this. pic.twitter.com/u8ysLHsppo
— Michael Dyrynda (@michaeldyrynda) November 29, 2018
Read more [twitter.com]
One of our more popular packages is laravel-permission. It enables you to easily save roles and permissions in the database. It hooks into Laravel's native authorization capabilities. Although it's quite powerful, the package doesn't come with any UI out of the box.
If you do need a UI for this in your projects you're in luck. On Scotch.io Caleb Oki wrote down an extensive tutorial on how you can build screens to manage users, permissions and roles that use our package.
When building an application, we often need to set up an access control list (ACL). An ACL specifies the level of permission granted to a user of an application. For example a user John may have the permission to read and write to a resource while another user Smith may have the permission only to read the resource.
In this tutorial, I will teach you how to add access control to a Laravel app using laravel-permission package. For this tutorial we will build a simple blog application where users can be assigned different levels of permission.
https://scotch.io/tutorials/user-authorization-in-laravel-54-with-spatie-laravel-permission
In an amazing article on SitePoint, Christopher Pitt demonstrates how to create an async PHP server that can request a fingerprint scan on the client side. He uses React Native, WebSocket, an async PHP server, PHP preprocessing, ... Really amazing stuff.
I’m going to describe the process of building custom multi-factor authentication for all transactions. I don’t want to do the usual (and boring on its own) SMS or push notification one-time-password stuff. I want to build a fingerprint scanner right into my phone.
In this tutorial, we’re going to look at how to set up a simple iOS app using React Native. We will also set up an asynchronous HTTP server, with a web socket connection to the app.
We will follow this up by adding fingerprint scanning capabilities to the app, and asking for these fingerprint scans from the HTTP server. Then we will build an endpoint through which GET requests can request a fingerprint scan and wait for one to occur.
https://www.sitepoint.com/scan-fingerprints-async-php-react-native/
A few weeks ago we released a new major version of laravel-permission. This package makes it easy to store permissions and roles in the database. Our package plays nice with Laravel's Gate and has support for multiple guards.
In a new post on his blog Saqueib Ansari shows how you can create an interface to assign permissions and roles to a user using our package.
Laravel comes with Authentication and Authorization out of the box. I have implemented many role and permissions based systems in the past; using Laravel, it’s a piece of cake. In this post, we are going to implement a fully working and extensible roles and permissions system on Laravel 5.4. When we finish we will have a starter kit which we can use for any future project which needs roles and permissions based access control.
http://www.qcode.in/easy-roles-and-permissions-in-laravel-5-4
A great feature of Laravel Spark is its ability to impersonate other users. As an admin you can view all screens as if you are logged in as another user. This allows you to easily spot a problem that your user might be reporting. Laravel-impersonate is a package, made by MarceauKa and Thibault Chazottes, that can add this behaviour to any Laravel app.
Here are some code examples taken from the readme.
Auth::user()->impersonate($otherUser); // You're now logged as the $otherUser.
Auth::user()->leaveImpersonation(); // You're now logged as your original user.
$manager = app('impersonate');
// Find a user by its ID
$manager->findUserById($id);
// TRUE if you are impersonating a user.
$manager->isImpersonating();
// Impersonate a user. Pass the original user and the user you want to impersonate
$manager->take($from, $to);
// Leave current impersonation
$manager->leave();
// Get the impersonator ID
$manager->getImpersonatorId();
It even includes some handy blade directives:
@canImpersonate
<a href="{{ route('impersonate', $user->id) }}">Impersonate this user</a>
@endCanImpersonate
@impersonating
<a href="{{ route('impersonate.leave') }}">Leave impersonation</a>
@endImpersonating
Want to know more? Take a look at the package on GitHub.
Recently I was working on a project where, in order to use the webapp, users should first apply for an account. Potential users can fill in a request form. After the request is approved by an admin they may use the app. Our client expected that the barrier to request an account should be very low.…
Laravel Passport is an easy to use OAuth2 server that was released alongside Laravel 5.3. Mohamed Said wrote an excellent guest post at Laravel News about the grant types used in Passport.
OAuth2 is a security framework that controls access to protected areas of an application, and it’s mainly used to control how different clients consume an API ensuring they have the proper permissions to access the requested resources.
Laravel Passport is a full OAuth2 server implementation; it was built to make it easy to apply authentication over an API for laravel-based web applications.
In my book Joseph Silber is one of the unsung heroes of the Laravel ecosystem. Whenever I open up internals on Larachat or GitHub he's giving friendly and thoughtful advice. I was happy to learn that Joseph started a blog.
In the first post he goes over all the improvements made to authentication in Laravel 5.3.
Authentication has gotten some nice improvements in 5.3, so let's examine it piece by piece.
- Introducing the authenticate method
- The exception handler's unauthenticated method
- The Authenticate middleware
- Authenticating against multiple guards
- Route model binding and global scopes
- Bonus: the request's expectsJson method
https://josephsilber.com/posts/2016/07/10/authentication-improvements-in-laravel-5-3
If you're looking for a package that can handle roles and abilities in Laravel, be sure to check out his Bouncer package.
Laravel hero Matt Stauffer has a new article on his blog where he talks about using a social network site login as the primary login for your application.
https://mattstauffer.co/blog/using-github-authentication-for-login-with-laravel-socialite
Laravel's Socialite package makes it simple to authenticate your users to Facebook, Twitter, Google, LinkedIn, GitHub and Bitbucket. You can authenticate them for the purpose of connecting their pre-existing user account to a third-party service, but you can also use it as your primary login mechanism, which we'll be talking about here.
I'm working on a new little micro-SaaS that is purely dependent on GitHub in order to operate, so there's no reason to set up any user flow other than just GitHub. Let's do it.
Typically my applications have a UI and authentication is done through a simple login page. Obviously for a RESTful API, having a login page isn't ideal. Instead, my hope was to have users append an api_token to the end of their query string and use that to authenticate their request. I was happy to find that 5.2 also ships with a TokenGuard class that allows you to do exactly that, but the documentation on getting it to work was a bit thin, so here you go.
https://gistlog.co/JacobBennett/090369fbab0b31130b51
If you have a form on your website where one of the fields is of the `type="password"`, the page will now be marked as insecure in your browser if it is served over a plain HTTP connection.
https://ma.ttias.be/firefox-nightly-starts-marking-login-forms-in-http-as-insecure/
Matt Stauffer wrote another excellent article on Laravel. This time he gives a tour of Laravel Spark.
In case you're still having a bit of trouble understanding what Spark is really about, Spark is a tool designed to make it quicker for you to spin up SaaS applications, and it handles user authentications, plans and payments and coupons, and team logic.
https://mattstauffer.co/blog/introducing-laravel-spark-a-deep-dive
Most SaaSes have these same components: user accounts, Stripe-based payments, and different payment plans. And many have payment coupons and team payment options.
Rather than re-creating this functionality with every new Laravel app you create, just use Spark, and you'll get all that and a free SaaS landing page to boot.
Socialite is a first party package that was introduced together with Laravel 5. It aims to provide a very convenient way to authenticate with OAuth providers. Natively it supports Facebook, Twitter, Google, GitHub and Bitbucket.
DraperStudio and Andy Wendt made a whole bunch of other Socialite providers.