Laravel - Password protect a Route

Time:06-15

I have an application which doesn't have user roles, as all functions apart from 1 are open to all users.

As we have added an SMS notification function which comes with a cost, I want to limit who can use this function behind a password.

So currently in my Form I have the following:

<div >
            <div >
                <div >
                    <h2 >Send SMS Notification</h2>
                    <p >Please note a password is required for this function</p>
                    <div >
                        <div >
                            <h4 >Enter Message</h4>
                        </div>
                    </div>
                    {!! Form::open(array('action' => ['NotificationController@sms'],'method'=>'POST', 'class'=>'form-horizontal')) !!}
                    <div class = "card-body">
                        @if (count($errors)>0)
                            <div class = "alert alert-danger">
                                <strong>Whoops!</strong> There were some problems with your input.<br><br>
                                <ul>
                                    @foreach ($errors->all() as $error)
                                        <li>{{ $error }}</li>
                                    @endforeach
                                </ul>
                            </div>
                        @endif

                        <div class = "row">
                            <label class = "col-sm-2 col-form-label">Message: </label>
                            <div class = "col-sm-6">
                                <div class = "form-group">
                                    <input type = "text" class = "form-control" maxlength="160" name="message">
                                </div>
                            </div>
                        </div>
                    </div>
                    <div class = "card-footer">
                        <div class = "row">
                            <div class = "col-md-4">
                                <div >
                                        <a href="{{action('HomeController@index')}}" class = "btn btn-danger">Cancel</a>
                                </div>
                            </div>
                            <div class ="col-md-4">
                                <button type="submit" >Send SMS Notification</button>
                            </div>
                        </div>
                    </div>
                    {!!Form::close()!!}


                </div>
            </div>
        </div>

So the idea is that when Send SMS Notification is pressed, the system will ask for a password which the user needs to enter.

I have no idea how to add this function, and Google hasn't helped. Currently, the code for sending a message is fine and I am not facing any issues there.

Other suggestions are welcome.

Thanks

CodePudding user response:

I think you are looking for Laravel Basic Auth. Basic Auth comes with Laravel out of the box.

You need a users table with their emails and passwords. You can protect routes with that middleware, which only accepts authenticated users to get to the next request.

In your case, if you want to limit users' access to the SMS sending feature, you will have to add some kind of differentiation in your user model, something like a policy where you control which users can or cannot send SMS.

HTTP Basic Auth expects to find an email as the username in the Basic Auth form.

The only thing you need to do is:

Route::get('/sendsms', [SmsController::class,'index'])->middleware('auth.basic');

More about this in Laravel Doc

CodePudding user response:

Besides middleware, you can do a simple check in the controller (assuming you are storing the password hashed, as it should be stored); just add a password field to the send SMS form:

  // needs: use Illuminate\Support\Facades\Hash;
  $validated = request()->validate([
    'password' => 'required',
    // other rules here
  ]);
  // take it from users table or where you're going to store passwords
  $hashedOriginal = Hash::make('smspassword');

  // compare the submitted plaintext against the stored hash
  $isPasswordValid = Hash::check($validated['password'], $hashedOriginal);
  if (!$isPasswordValid) {
    abort(401); // status code as an integer
  }
  // your send sms code next

In general, middleware allows you to extend password-protected functions very easily, so if there is any chance that sending SMS is not the last password-protected function, you'd better stick with middleware.
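
The middleware variant of the controller check above, as an added example that is not part of either answer or of Laravel itself. The class name `RequireSmsPassword` and the config key `services.sms.password_hash` are assumptions; `NotificationController@sms` and `/sendsms` are taken from the question and the first answer, and the form is assumed to carry an extra `<input type="password" name="password">` field.

```php
<?php
// app/Http/Middleware/RequireSmsPassword.php (hypothetical file and class name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class RequireSmsPassword
{
    public function handle(Request $request, Closure $next)
    {
        // Assumed config key holding a hash produced once with Hash::make();
        // the plaintext password is never stored in code or configuration.
        $storedHash = config('services.sms.password_hash');

        // Fail closed: an unconfigured hash must not leave the route open.
        if (!is_string($storedHash) || $storedHash === '') {
            abort(503, 'SMS password is not configured.');
        }

        $supplied = $request->input('password');

        // Hash::check() verifies the submitted plaintext against the stored hash.
        // Non-string input (e.g. password[]=x) is rejected before the check.
        if (!is_string($supplied) || !Hash::check($supplied, $storedHash)) {
            abort(401);
        }

        return $next($request);
    }
}

// routes/web.php: attach it to the POST route the form submits to. Laravel's
// built-in throttle middleware is listed first so that failed attempts are
// counted too (5 requests per minute here), which limits password guessing.
//
// Route::post('/sendsms', [NotificationController::class, 'sms'])
//     ->middleware(['throttle:5,1', \App\Http\Middleware\RequireSmsPassword::class]);
```

Because the check lives in middleware, the same class can be attached to any later route that needs the shared password without touching the controllers.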
