Authentication Middleware

Introduction

The AuthenticationMiddleware class is used to ensure that a user is authenticated before accessing protected routes in a web application. It checks if a user is logged in by verifying the existence of the $_SESSION['USER'] variable, which should contain the user object of the authenticated user. If the user is not logged in, the middleware redirects the user to the login page.

Usage

To use the AuthenticationMiddleware in your web application, you need to add it as a middleware to the route that you want to protect. This can be done in the route definition or in the controller method that handles the request.

// Route definition
use App\Middlewares\AuthenticationMiddleware;

Route::get('/profile', function () {
    // Protect this route using AuthenticationMiddleware
})->middleware(AuthenticationMiddleware::class);

// Controller method
use App\Middlewares\AuthenticationMiddleware;

class ProfileController extends Controller
{
    public function index()
    {
        // Protect this method using AuthenticationMiddleware
        AuthenticationMiddleware::handle();
    }
}

Code Explanation

The AuthenticationMiddleware class has a single public static method called handle(). This method is called every time a route or controller method that uses this middleware is accessed. Here is a detailed explanation of what the code does:

  1. The middleware first checks if the $_SESSION['USER'] variable is set. If it is not set, the middleware redirects the user to the login page and exits the script using exit(). This ensures that the rest of the code in the route or controller method is not executed if the user is not authenticated.

    if (!isset($_SESSION['USER'])) {
        redirect('login');
        exit();
    }
    
  2. If the $_SESSION['USER'] variable is set, the middleware retrieves the user object from the database using the User::find() method. This ensures that the user object is up-to-date and reflects any changes made to the user account since the user logged in.

    $user = User::find($_SESSION['USER']->id);
    
  3. If the user object cannot be retrieved from the database, the middleware redirects the user to the logout page and exits the script using exit(). This ensures that the user is logged out if there is an issue with their account.

    if (!$user) {
        redirect('logout');
        exit();
    }
    
  4. The middleware checks if the user account has been deleted by querying the DeletedAccount table in the database. If the account has been deleted and the deletion has been approved, the middleware redirects the user to the logout page and exits the script using exit(). This ensures that deleted accounts are not accessible by users.

    $deleted = DeletedAccount::where("user_id", '=', $_SESSION['USER']->id)->first();
    if ($deleted && $deleted->approved == true) {
        redirect('logout');
        exit();
    }
    
  5. The middleware checks if the user has a role. If the user does not have a role and the current URL is not the welcome page, the middleware redirects the user to the welcome page and exits the script using exit(). This ensures that users with no role are not able to access protected pages.

    if (!$user->role && "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]" != APP_URL . '/welcome') {
        redirect('welcome');
        exit();
    } else {
        $_SESSION['USER'] = $user;
    }
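
The five steps above assembled into one handle() method, as an added example rather than the project's own source. It assumes the redirect() helper, the User::find() and DeletedAccount::where()->first() calls and the APP_URL constant exist as the page uses them, and the App\Models namespace for the two models is a guess. Step 5 is narrowed to compare only the request path: the page's string comparison prepends a hard-coded "http://" to the Host header and includes any query string, so it never matches when APP_URL is an https URL or the welcome page is opened with a query string, and the user is redirected to the welcome page again.

```php
<?php
// Added example, not the project's source. Assumes redirect(), User::find(),
// DeletedAccount::where()->first() and APP_URL exist as the page uses them.
namespace App\Middlewares;
use App\Models\User;           // assumed namespace of the page's User model
use App\Models\DeletedAccount; // assumed namespace of the DeletedAccount model

class AuthenticationMiddleware
{
    private const WELCOME_PATH = '/welcome';

    // True when the request targets the welcome page. Only the path is
    // compared, so scheme, Host header and query string cannot affect the
    // result (the page's full-URL comparison depends on all three).
    public static function isWelcomePage(string $requestUri, string $appUrl): bool
    {
        $path = parse_url($requestUri, PHP_URL_PATH) ?: '/';
        $base = rtrim(parse_url($appUrl, PHP_URL_PATH) ?: '', '/');
        return rtrim($path, '/') === $base . self::WELCOME_PATH;
    }

    public static function handle(): void
    {
        // 1. Not logged in: send to the login page and stop here.
        if (!isset($_SESSION['USER'])) {
            redirect('login');
            exit();
        }
        // 2. Re-read the account so stale session data is never trusted.
        $user = User::find($_SESSION['USER']->id);
        // 3. Account gone: force a logout.
        if (!$user) {
            redirect('logout');
            exit();
        }
        // 4. Approved deletion request: force a logout.
        $deleted = DeletedAccount::where('user_id', '=', $user->id)->first();
        if ($deleted && $deleted->approved == true) {
            redirect('logout');
            exit();
        }
        // 5. No role yet: only the welcome page is reachable.
        if (!$user->role && !self::isWelcomePage($_SERVER['REQUEST_URI'], APP_URL)) {
            redirect('welcome');
            exit();
        }
        // Refresh the session copy with the row just loaded (the page's else branch).
        $_SESSION['USER'] = $user;
    }
}
```

With APP_URL set to https://example.com/app, isWelcomePage('/app/welcome?from=signup', APP_URL) returns true while isWelcomePage('/app/profile', APP_URL) returns false, which is the decision the original full-URL comparison was trying to make.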