Authentication Middleware

Introduction

The AuthenticationMiddleware class is used to ensure that a user is authenticated before accessing protected routes in a web application. It checks whether a user is logged in by verifying that the $_SESSION['USER'] variable exists; that variable should contain the user object of the authenticated user. If the user is not logged in, the middleware redirects the user to the login page.
Usage

To use the AuthenticationMiddleware in your web application, add it as middleware to the route you want to protect. This can be done either in the route definition or in the controller method that handles the request.
    // Route definition
    use App\Middlewares\AuthenticationMiddleware;

    Route::get('/profile', function () {
        // Protect this route using AuthenticationMiddleware
    })->middleware(AuthenticationMiddleware::class);

    // Controller method
    use App\Middlewares\AuthenticationMiddleware;

    class ProfileController extends Controller
    {
        public function index()
        {
            // Protect this method using AuthenticationMiddleware
            AuthenticationMiddleware::handle();
        }
    }
Code Explanation

The AuthenticationMiddleware class has a single public static method called handle(). This method is called every time a route or controller method that uses this middleware is accessed. Here is a detailed explanation of what the code does:

- The middleware first checks whether the $_SESSION['USER'] variable is set. If it is not set, the middleware redirects the user to the login page and exits the script using exit(). This ensures that the rest of the code in the route or controller method is not executed if the user is not authenticated.

      if (!isset($_SESSION['USER'])) { redirect('login'); exit(); }

- If the $_SESSION['USER'] variable is set, the middleware retrieves the user object from the database using the User::find() method. This ensures that the user object is up to date and reflects any changes made to the user account since the user logged in.

      $user = User::find($_SESSION['USER']->id);

- If the user object cannot be retrieved from the database, the middleware redirects the user to the logout page and exits the script using exit(). This ensures that the user is logged out if there is an issue with their account.

      if (!$user) { redirect('logout'); exit(); }

- The middleware checks whether the user account has been deleted by querying the DeletedAccount table in the database. If the account has been deleted and the deletion has been approved, the middleware redirects the user to the logout page and exits the script using exit(). This ensures that deleted accounts are not accessible by users.

      $deleted = DeletedAccount::where("user_id", '=', $_SESSION['USER']->id)->first();
      if ($deleted && $deleted->approved == true) { redirect('logout'); exit(); }

- The middleware checks whether the user has a role. If the user does not have a role and the current URL is not the welcome page, the middleware redirects the user to the welcome page and exits the script using exit(). This ensures that users with no role are not able to access protected pages. Otherwise the freshly loaded user object is stored back into $_SESSION['USER'].

      if (!$user->role && "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]" != APP_URL . '/welcome') {
          redirect('welcome');
          exit();
      } else {
          $_SESSION['USER'] = $user;
      }
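The five steps above assembled into one class, as an added example rather than the project's own code: the decision is separated from redirect()/exit() so it can be unit-tested with a plain array standing in for $_SESSION. It assumes User and DeletedAccount live under App\Models, and takes the redirect() helper and the APP_URL constant from the page.

```php
<?php
// Added example, not the project's own code: the steps above assembled into
// one class, with the decision separated from redirect()/exit() so it can be
// unit-tested with a plain array in place of $_SESSION.
namespace App\Middlewares;

use App\Models\User;           // namespace of User::find() is assumed
use App\Models\DeletedAccount; // namespace of DeletedAccount::where() is assumed

class AuthenticationMiddleware
{
    // Returns 'login', 'logout' or 'welcome' when the request must be
    // redirected, or null when it may proceed. $session is passed by
    // reference so the refreshed user object can be stored back (step 5).
    public static function decide(array &$session, string $path, string $welcomePath): ?string
    {
        if (!isset($session['USER'])) {            // step 1: not logged in
            return 'login';
        }
        $user = User::find($session['USER']->id);  // step 2: reload from DB
        if (!$user) {                               // step 3: account gone
            return 'logout';
        }
        $deleted = DeletedAccount::where('user_id', '=', $user->id)->first();
        if ($deleted && $deleted->approved == true) { // step 4: approved deletion
            return 'logout';
        }
        if (!$user->role && $path !== $welcomePath) { // step 5: no role yet
            return 'welcome';
        }
        $session['USER'] = $user;                   // refresh the session copy
        return null;
    }

    public static function handle(): void
    {
        // Compare request paths instead of a URL rebuilt from the
        // client-supplied Host header; APP_URL is the project's constant.
        $path    = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
        $welcome = parse_url(APP_URL . '/welcome', PHP_URL_PATH) ?: '/welcome';
        $target  = self::decide($_SESSION, $path, $welcome);
        if ($target !== null) {
            redirect($target);
            exit();
        }
    }
}
```

The path comparison in handle() replaces the page's full-URL check, which hard-codes http:// and relies on the Host header the client sends, so it only matches when APP_URL uses the same scheme and host.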