I built an app where my customer can handle his customer's data. Thus, this is a very secure dataset.
To secure my app, I added a custom auth guard filter, which checks if a user has a session isLoggedIn. I add this filter to each secure route:
//AuthGuard.php (app/Filters/AuthGuard.php)
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class AuthGuard implements FilterInterface
{
    // Runs before the controller: anyone without a logged-in session is sent to /login
    public function before(RequestInterface $request, $arguments = null)
    {
        if (!session()->get('isLoggedIn')) {
            return redirect()->to('/login');
        }
    }

    // Nothing to do once the controller has produced its response
    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
    }
}
//Routes.php (app/Config/Routes.php)
// 'authGuard' is the alias registered for App\Filters\AuthGuard in app/Config/Filters.php
$routes->add('/list_customer', 'Customer::list_customer', ['filter' => 'authGuard']);
My LoginController is setting this session:
$session_data = [
'id' => $employee->id,
'name' => $employee->name,
'email' => $employee->email,
'isLoggedIn' => true,
'level' => $employee->level,
];
$this->session->set($session_data);
return redirect()->to('/dashboard');
When the user is logged in, the different controllers that are accessible once the auth guard has been passed present almost all data that is available in the database. I assume that I don't need to protect my models (like with JWT), as all of the app content is accessible only when the user is logged in.
E.g.:
//Customer.php (app/Controllers/Customer.php)
namespace App\Controllers;

use App\Models\CustomerModel;

class Customer extends BaseController
{
    public function list_customer()
    {
        $customer_model = new CustomerModel();
        $data['all_customer'] = $customer_model->findAll(); // <-- this will show ALL customer data. Very very sensitive data!
        return view('list_customer', $data);
    }
}
CodePudding user response:
This is ok. Only thing I'd recommend (it's not that you did it wrong, it's just a preference) is to use $filters under Config\Filters instead of defining filters for each route.
https://codeigniter4.github.io/userguide/incoming/filters.html#filters
This is more convenient for me, your choice.
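The configuration the answer refers to, written out as an added example (it is not code from the question or the answer). It assumes a standard CodeIgniter 4 layout with the AuthGuard class from the question living in app/Filters, and the URI patterns under $filters are assumed names that you would replace with the real protected routes. The $filters block is the form the answer recommends; the commented line under $globals shows the deny-by-default alternative, where every URI is guarded except the ones listed.

```php
<?php
// app/Config/Filters.php (added example; assumed CodeIgniter 4 project layout)
namespace Config;

use App\Filters\AuthGuard;
use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;

class Filters extends BaseConfig
{
    // Every alias used in Routes.php or in $filters below must be declared here.
    // 'authGuard' maps to the AuthGuard filter from the question.
    public $aliases = [
        'csrf'      => CSRF::class,
        'toolbar'   => DebugToolbar::class,
        'authGuard' => AuthGuard::class,
    ];

    // Filters applied to every request.
    public $globals = [
        'before' => [
            'csrf', // rejects cross-site form posts, including to the login form
            // Deny-by-default alternative to $filters: guard everything except
            // the login flow (assumed URIs). Use either this or $filters, not both.
            // 'authGuard' => ['except' => ['login', 'login/*']],
        ],
        'after' => [
            'toolbar',
        ],
    ];

    public $methods = [];

    // Filters applied by URI pattern. With these in place the route entries
    // no longer need a 'filter' option; e.g.
    //   $routes->add('/list_customer', 'Customer::list_customer');
    // is guarded because 'list_customer' matches below. The patterns are assumed
    // URIs; any data-bearing route that does not match one of them is NOT guarded,
    // so keep protected controllers under the listed prefixes.
    public $filters = [
        'authGuard' => [
            'before' => [
                'dashboard',
                'dashboard/*',
                'list_customer',
                'customer/*',
            ],
        ],
    ];
}
```

When you move the guard into $filters, check the pattern list every time a new controller is added: a route that falls outside the listed prefixes is served without the filter, which is why the global `except` form is the safer default for an app where nearly every page carries sensitive data.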