Project maintained by dawidolko Hosted on GitHub Pages — Theme by dawidolko

Web Applications 1 (AI1) – Lab No. 8

Laravel – Authentication and Authorization

Start of the lab:

• In XAMPP, start Apache and MySQL, then go to phpMyAdmin,

• Download the Lab008_AI1_start.zip archive to your desktop, which contains the starting project for performing tasks, and unpack this archive,

• Go to the unpacked folder and, if you have settings other than the default ones (e.g. database connection), change them in .env.example and start.…,

• Run the start.bat script (Windows, double-click) or start.sh (other systems, via the bash start.sh command).

Tasks (Laravel):

Task 8.1: *

Explain the following issues:

• identification,

• authentication,

• authorization,

• what are the incorrect translations of the word “authentication” into Polish?,

• is HTTP a stateless protocol?,

• stateful application,

• sessions, session id,

• cookies.

Task 8.2:

Open the cmd terminal (Command Prompt) in VSCode. Start the PHP development server using artisan’s serve command:

php artisan serve

In your web browser, go to: http://localhost:8000/trips

Task 8.3:

Get familiar with the following (already prepared) application elements:

• migration adding a new column country_id (a foreign key with constraints) to the users table to determine the origin of a given person,

• migration adding a new table roles to store user roles (columns: id, name) and adding a new column role_id (a foreign key with constraints) to the users table to determine the role of a given person (application user),

• database\seeders\RoleSeeder.php concerning user roles (two roles: admin, user),

• database\seeders\UserSeeder.php (only the first user, Jan, is the administrator; the rest are regular users),

• database\seeders\DatabaseSeeder.php (calling the three remaining seeders),

• routes\web.php (routing for the AuthController functions),

• app\Http\Controllers\AuthController.php,

• resources\views\shared\navbar.blade.php (links to the login/logout subpage, visible depending on whether the user is currently logged in),

• resources\views\auth\login.blade.php,

• app\Providers\AppServiceProvider.php (disabling cookie encryption – for laboratory purposes).


Task 8.4:

Check the functionality of user login by:

• attempting to log in by entering any data,

• logging in as any user by entering correct data,

• logging out by clicking the link in the navbar,

• going to the login subpage when the user is currently logged in.

In a web browser, go to the address: http://localhost:8000/auth/login

Task 8.5:

Log out (if any user is currently logged in). Then:

• go to phpMyAdmin to check the contents of the sessions table,

• in another browser tab go to the login subpage,

• open the Developer Panel (F12) and go to the Data/Application tab,

• go to cookies, expand the details of the laravel_session cookie.

Each time, checking the contents of the table and the cookies:

• log in as any user,

• log out.




Task 8.6:

Supplement the routing for the CountryController controller with the possibility of accessing its functionality only for logged-in users.

Check the operation by:

• going to the countries subpage when the user is logged in,

• going to the countries subpage when the user is not logged in.

Indicate the code fragment in the project that performs the observed automatic redirects.

After checking the operation, restore access for users who are not logged in.


->middleware('auth');

In a web browser, go to: http://localhost:8000/countries

Task 8.7:

Supplement the boot function in app\Providers\AppServiceProvider.php with a new gate named is-admin that checks whether the user is an administrator.


use Illuminate\Support\Facades\Gate;
use App\Models\User;

Gate::define('is-admin', function (User $user) {
return $user->role_id == 1;
});

Task 8.8:

Use the above gate in resources\views\trips\index.blade.php so that the links to edit trips (in the last column of the table) are visible only to a logged-in administrator. Check the operation by:

• going to the countries subpage when the user is not logged in,

• going to the countries subpage when the administrator is logged in,

• going to the countries subpage when the user is logged in.

Explain whether the above approach effectively prevents the edit operation for users other than administrators. If it does not, propose an effective solution.


@can('is-admin')

<!-- ... -->

@endcan

In your web browser, go to: http://localhost:8000/trips


if (! Gate::allows('is-admin')) {
abort(403);
}
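The @can directive only decides whether a link is rendered; a user who types the edit URL by hand, or replays the form submission, still reaches the controller. The check therefore has to be repeated server-side on every request that can modify a trip. The following is an added example (not code from the lab's starter project) of that enforcement, both in the controller and, alternatively, on the routes; the Trip model, the TripController class and the trips.name column are assumptions.

```php
<?php
// Added example, not part of the Lab008 starter project.
// Assumed names: App\Models\Trip, TripController, a 'name' column on trips.

namespace App\Http\Controllers;

use App\Models\Trip;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

class TripController extends Controller
{
    // Hiding the link with @can('is-admin') is not access control: anyone can still
    // request /trips/{id}/edit directly, so the gate is evaluated again here.
    public function edit(Trip $trip)
    {
        // Throws AuthorizationException, which Laravel turns into an HTTP 403.
        Gate::authorize('is-admin');

        return view('trips.edit', ['trip' => $trip]);
    }

    public function update(Request $request, Trip $trip)
    {
        // Checked independently: the PUT request can be sent without visiting edit().
        Gate::authorize('is-admin');

        $validated = $request->validate([
            'name' => ['required', 'string', 'max:255'], // assumed column
        ]);

        $trip->update($validated);

        return redirect()->route('trips.index');
    }
}

// Alternative placed in routes\web.php: the same rule enforced before the controller
// runs. 'auth' redirects guests to the login page; 'can:is-admin' evaluates the gate
// and answers 403 when it denies.
Route::middleware(['auth', 'can:is-admin'])->group(function () {
    Route::get('/trips/{trip}/edit', [TripController::class, 'edit'])->name('trips.edit');
    Route::put('/trips/{trip}', [TripController::class, 'update'])->name('trips.update');
});
```

Keeping the @can in the view is still worthwhile for usability, but the controller or route check is the part that actually prevents the operation.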

Task 8.9:

Open a second cmd terminal tab (Command Prompt) in VSCode. Generate a policy file for the Country model. Manually register the policy in app\Http\Providers\AppServiceProvider.php.


php artisan make:policy CountryPolicy --model=Country


Gate::policy(Country::class, CountryPolicy::class);

Task 8.10:

Go to app\Policies\CountryPolicy.php.

Set the return value to true in all functions.

Set the update function so that only the user from that country is allowed to update the country.


public function update(User $user, Country $country): bool
{
    return $user->country_id === $country->id;
}

Task 8.11:

Apply the policy from the previous task to the update function in CountryController in two ways:

– with an if statement using cannot,

– using the Gate facade.

Check the editing of different countries from different users.

if ($request->user()->cannot('update', $country)) {
abort(403);
}


Gate::authorize('update', $country);
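For Tasks 8.10 and 8.11 together, here is an added example (not the lab's own files) of the complete CountryPolicy and of CountryController::update applying it in both ways. The generated policy methods follow the layout of php artisan make:policy --model; the countries.name column and the validation rules are assumptions.

```php
<?php
// Added example, not part of the Lab008 starter project. Two files shown in one listing.

// --- app\Policies\CountryPolicy.php ---
namespace App\Policies;

use App\Models\Country;
use App\Models\User;

class CountryPolicy
{
    public function viewAny(User $user): bool { return true; }
    public function view(User $user, Country $country): bool { return true; }
    public function create(User $user): bool { return true; }

    // Only a user whose country_id equals this country's id may update it.
    // Strict comparison: if the columns arrive as strings, add $casts on the models.
    public function update(User $user, Country $country): bool
    {
        return $user->country_id === $country->id;
    }

    public function delete(User $user, Country $country): bool { return true; }
    public function restore(User $user, Country $country): bool { return true; }
    public function forceDelete(User $user, Country $country): bool { return true; }
}

// --- app\Http\Controllers\CountryController.php (update only) ---
namespace App\Http\Controllers;

use App\Models\Country;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class CountryController extends Controller
{
    public function update(Request $request, Country $country)
    {
        // Way 1: explicit check; the caller chooses the response (here a 403).
        if ($request->user()->cannot('update', $country)) {
            abort(403, 'You may only edit the country you belong to.');
        }

        // Way 2: Gate::authorize throws AuthorizationException, which Laravel
        // converts into a 403 response. Either way is sufficient on its own;
        // both are shown here only to illustrate the two styles.
        Gate::authorize('update', $country);

        $validated = $request->validate([
            'name' => ['required', 'string', 'max:255'], // assumed column
        ]);

        $country->update($validated);

        return redirect()->route('countries.index');
    }
}
```

To check the behaviour, log in as two users seeded with different country_id values and try to update each country from both accounts: each user should get a 403 for the other user's country.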

Task 8.12:

In resources\views\countries\index.blade.php hide country editing links for those users who do not have the ability to edit them.


@can('update', $country)

<!-- ... -->

@endcan



Task 8.13:

Check whether Laravel’s policy auto-discovery (policies in appropriately named files) works automatically by commenting out the registration of the CountryPolicy policy in app\Http\Providers\AppServiceProvider.


Task 8.14:

Add the isAdmin() function to the User model, so that you can check if the user is an admin.

Use it in the is-admin gate.

use Illuminate\Support\Facades\DB; // at the top of app\Models\User.php

public function isAdmin(): bool
{
    // The user's role_id matches the id of the role named 'admin' in the roles table.
    return $this->role_id == DB::table('roles')->where('name', 'admin')->value('id');
}

Task 8.15:

Add a new gate of the before type that allows the administrator to perform any action protected by other gates or policies.

Comment out this gate afterwards.


Gate::before(function (User $user, string $ability) {
    // A non-null return ends the check: true grants, false denies.
    // Returning null for non-admins lets the other gates and policies decide;
    // returning $user->isAdmin() directly would deny every ability to regular users.
    return $user->isAdmin() ? true : null;
});

Tasks (Laravel cont.):

Task 8.16: *

Create a user registration form and program the ability to register a new user. Implement password confirmation in the second field of the form.

Use AuthController and add new functions to it.

Add a link to the registration subpage to the navbar. It should be visible when the user is not logged in.

php -r "touch('resources\views\auth\register.php');"
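An added example (not the lab's AuthController) of the registration flow: validation with the confirmed rule, hashing before storage, and session regeneration after login. The view name auth.register, the trips.index route, a second role named user in the roles table, and a nullable country_id column are assumptions; the users columns name, email, password and role_id follow the lab description.

```php
<?php
// Added example, not part of the Lab008 starter project.
// Assumptions: view 'auth.register', route 'trips.index', role named 'user',
// nullable users.country_id, and $fillable including role_id on App\Models\User.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\Rules\Password;

class AuthController extends Controller
{
    public function showRegister()
    {
        // A logged-in user has no reason to see the registration form.
        if (Auth::check()) {
            return redirect()->route('trips.index');
        }

        return view('auth.register');
    }

    public function register(Request $request)
    {
        // 'confirmed' requires a second input named password_confirmation with the
        // same value; 'unique' prevents a second account for an existing e-mail.
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255', 'unique:users,email'],
            'password' => ['required', 'confirmed', Password::min(8)],
        ]);

        $user = User::create([
            'name'     => $data['name'],
            'email'    => $data['email'],
            // Never store the plain password; Hash::make produces a bcrypt hash.
            'password' => Hash::make($data['password']),
            // New accounts get the regular role, looked up by name (assumed to exist).
            'role_id'  => DB::table('roles')->where('name', 'user')->value('id'),
        ]);

        Auth::login($user);
        // Issue a fresh session id once the authentication state changes,
        // so a session id fixed before login is no longer valid.
        $request->session()->regenerate();

        return redirect()->route('trips.index');
    }
}

// Additions to routes\web.php:
Route::get('/auth/register', [AuthController::class, 'showRegister'])->name('auth.register');
Route::post('/auth/register', [AuthController::class, 'register']);
```

The form in resources\views\auth\register.blade.php needs @csrf and inputs named name, email, password and password_confirmation; the navbar link can be wrapped in @guest ... @endguest so it only appears when nobody is logged in.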


Task 8.17: *

Subject: “Safely storing passwords in the database”. Consider the following issues:

• What is the reason for this need?

• Storing passwords in plain text,

• Hashing operation, hashing vs. encryption,

• Forms of attacks: password cracking, brute force method, dictionary method, rainbow tables,

• Adding salt/pepper to the password,

• Hashing algorithms and their modern security: MD5, SHA…, bcrypt,

• Password hashing in PHP and the Laravel framework,

• Creating a password in database\seeders\UserSeeder.php.
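An added example (not from the lab) that shows, in plain PHP, what password_hash() stores and why it defeats the attacks listed above: identical passwords no longer share a hash, every guess costs a configurable amount of work, and old hashes can be upgraded on the next login. The sample password and the pepper value are constructed; in a real application the pepper comes from configuration outside the database.

```php
<?php
// Added example, not part of the lab. Run stand-alone: php hashing_demo.php
declare(strict_types=1);

$password = 'correct horse battery staple'; // constructed sample input

// 1. Plain text or an unsalted fast hash: two users with the same password get the
//    same stored value, so a precomputed (rainbow) table or a single dictionary
//    pass over the table breaks all of them at once. MD5 is not a password hash.
$md5a = md5($password);
$md5b = md5($password);
printf("md5 identical for two users with the same password: %s\n", $md5a === $md5b ? 'yes' : 'no');

// 2. bcrypt via password_hash(): a random 16-byte salt is generated per call and
//    stored inside the result, so equal passwords produce different hashes. The cost
//    factor (2^cost rounds) makes each brute-force or dictionary guess deliberately slow.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
printf("bcrypt hashes differ thanks to the per-hash salt: %s\n", $hashA !== $hashB ? 'yes' : 'no');
printf("stored value: %s\n", $hashA); // layout: $2y$<cost>$<22-char salt><31-char hash>

// 3. Verification reads salt and cost from the stored value, re-derives the hash
//    and compares in constant time; the plain password is never stored.
var_dump(password_verify($password, $hashA));         // bool(true)
var_dump(password_verify('wrong password', $hashA));  // bool(false)

// 4. Upgrading: when the cost is raised later, old hashes are detected at login
//    (the only moment the plain password is available) and re-hashed.
$oldHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
if (password_needs_rehash($oldHash, PASSWORD_BCRYPT, ['cost' => 12])) {
    $upgraded = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    echo "old hash re-hashed with the higher cost\n";
}

// 5. Pepper: a server-side secret kept outside the database, mixed in before hashing.
//    A leaked users table alone is then not enough to start guessing.
$pepper = 'constructed-pepper-value'; // in practice read from .env / config, never from the DB
$pepperedHash = password_hash(hash_hmac('sha256', $password, $pepper), PASSWORD_BCRYPT);
var_dump(password_verify(hash_hmac('sha256', $password, $pepper), $pepperedHash)); // bool(true)
```

Laravel's Hash::make() and Hash::check() wrap these same functions with bcrypt as the default driver, which is why the seeder should store Hash::make('...') rather than the literal password.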

Task 8.18: *

Topic: “Data and password security from the user’s perspective”. Consider the following issues:

• HTTPS,

Task 8.19: *

Create a new project using the Laravel Breeze starter kit. Familiarize yourself with the components provided, including: password reset, email address confirmation, password verification.


To pack the project, use the script archiving.bat. After unpacking the project, use start.bat again.

File version: v1.0