Different ways to add extra conditions in Laravel 5.2 Authentication
Adding extra conditions in default Laravel Authentication
Laravel comes with a very simple yet powerful authentication system out of the box. The authentication system is highly flexible and can meet many different authentication requirements.
In this post we will see how to add extra conditions to the default Laravel authentication, for example a check for is_approved when a user logs in.
The first thing we need to know is that authentication happens inside AuthController, present in the App\Http\Controllers\Auth namespace. This AuthController class uses the AuthenticatesAndRegistersUsers and ThrottlesLogins traits by default. As the names of these traits suggest, AuthenticatesAndRegistersUsers is used for authentication and registration of users, and ThrottlesLogins is used to block a user after multiple failed login attempts (of course you can remove this trait if throttling is not required).
The AuthenticatesAndRegistersUsers trait is present in the /vendor/laravel/framework/src/Illuminate/Foundation/Auth/ directory (see the Laravel GitHub repo) and it uses the AuthenticatesUsers trait present in the same directory. If we look inside this trait, it has a login method which does all the heavy lifting of user authentication.
Now in order to add a new condition for login, we have two different ways to do it (you can use the one you feel is the best):
- Defining an authenticated method in AuthController:
  - If we take a deeper look inside the login method, we will find that after the user's credentials have been validated, the handleUserWasAuthenticated method is called.

    ```php
    if (Auth::guard($this->getGuard())->attempt($credentials, $request->has('remember'))) {
        return $this->handleUserWasAuthenticated($request, $throttles);
    }
    ```

  - The handleUserWasAuthenticated method checks whether the user has defined an authenticated method, which is then called after the credentials have been validated.
  - So, simply define an authenticated method in the AuthController class with all the checks that are required.

    ```php
    // Needs these imports at the top of AuthController:
    //   use Auth;
    //   use Illuminate\Http\Request;
    protected function authenticated(Request $request, $user)
    {
        // Check if user is approved
        if (!$user->is_approved) {
            // attempt() has already logged the user in, so log out again
            Auth::logout();
            return redirect('/')->withErrors(array('global' => "Sorry, account not approved by admin yet."));
        } else {
            // Redirect to the intended page after login.
            return redirect()->intended($this->redirectPath());
        }
    }
    ```

So that’s all. Now the authentication system works the way you want it to. 🙂
- Override the getCredentials method present in the AuthenticatesUsers trait:
  - Create a getCredentials method in AuthController.
  - This getCredentials method returns all the values which need to be checked during validation. So add is_approved = 1 along with the username and password.

    ```php
    protected function getCredentials(Request $request)
    {
        $input = $request->only($this->loginUsername(), 'password');
        $input['is_approved'] = 1; // Add extra key/value which needs to be checked.
        return $input;
    }
    ```

  - That's all for this approach. Now the Auth attempt method will check username/password/is_approved before authenticating any user.
While both ways work perfectly, I preferred solution 1, just because it gives a more accurate error message to the user, i.e. “not yet approved”. With solution 2, it is not possible to get an accurate error message; the only message we can display is “These credentials do not match our records”.
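Both approaches run only when the login form is submitted, so a user whose approval is revoked after logging in keeps an existing session or remember-me cookie and is never re-checked. The middleware below is an added example (not code from the original post) that repeats the is_approved check on every request; the class name EnsureApproved, the 'approved' alias and the route group shown in the comments are assumptions.

```php
<?php
// Added example: app/Http/Middleware/EnsureApproved.php (hypothetical class name).
// Re-checks is_approved on every request, so sessions that did not just come
// through the login form (existing session, remember-me cookie, the automatic
// login after registration) are covered as well.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class EnsureApproved
{
    /**
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|null  $guard  guard name; null means the default guard
     */
    public function handle($request, Closure $next, $guard = null)
    {
        $user = Auth::guard($guard)->user();

        // Guests pass through; the 'auth' middleware decides about them.
        if ($user !== null && ! $user->is_approved) {
            // Log the unapproved user out of this guard.
            Auth::guard($guard)->logout();

            // API-style clients get a status code instead of a redirect.
            if ($request->ajax() || $request->wantsJson()) {
                return response('Account not approved.', 403);
            }

            return redirect('/')->withErrors([
                'global' => 'Sorry, account not approved by admin yet.',
            ]);
        }

        return $next($request);
    }
}

// Registration (assumed alias), in app/Http/Kernel.php:
//   protected $routeMiddleware = [ ..., 'approved' => \App\Http\Middleware\EnsureApproved::class ];
// Usage in app/Http/routes.php:
//   Route::group(['middleware' => ['web', 'auth', 'approved']], function () { ... });
```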
Hope it made you understand the process of adding extra conditions in Laravel authentication.
Feel free to ask any question and share your view/suggestions.
Thank you 🙂
2 Comments
When I tried this method I get an error saying "Argument 1 passed to App\Http\Controllers\Auth\AuthController::authenticated() must be an instance of Request, instance of Illuminate\Http\Request given, called in C:\wamp64\www\utrosenost2016\vendor\laravel\framework\src\Illuminate\Foundation\Auth\AuthenticatesUsers.php on line 115 and defined".
2016-07-14 00:29:07
Hi Bole,
2016-07-14 10:28:37
In AuthController, to import the Request library use
use Illuminate\Http\Request;
Let us know if it helps.