If we want to require that a user be authenticated before performing a certain operation, we can pass an array as the second parameter, with middleware as the key, to force the route to call the auth middleware on the search method of AccommodationsController:
Route::get('search-accommodation', ['middleware' => 'auth', 'uses' => 'AccommodationsController@search']);
In this case, the user will be redirected to the login page if not authenticated.
Routes may be grouped together to share the same middleware. For example, if we want to protect all of the routes in our application, we can create a route group and just pass in the key-value pair middleware and auth. The code is as follows:
Route::group(['middleware' => 'auth'], function() {
    Route::resource('accommodations', 'AccommodationsController');
    Route::resource('accommodations.amenities', 'AccommodationsAmenitiesController');
    Route::resource('accommodations.rooms', 'AccommodationsRoomsController');
    Route::resource('accommodations.locations', 'AccommodationsLocationsController');
    Route::resource('amenities', 'AmenitiesController');
    Route::resource('rooms', 'RoomsController');
    Route::resource('locations', 'LocationsController');
});
This protects every method of every route that lies inside the route group.
If even more protection is desired against nonauthenticated users, we could create a whitelist to only allow users within a certain range of IP addresses to access the application.
The following command will create the middleware that is needed:
$ php artisan make:middleware WhitelistMiddleware
The WhitelistMiddleware class looks like this:
<?php namespace MyCompany\Http\Middleware;

use Closure;

class WhitelistMiddleware {

    // IP addresses that are allowed through
    private $whitelist = ['192.2.3.211'];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Exact string match of the client IP against the whitelist
        if (in_array($request->getClientIp(), $this->whitelist, true)) {
            return $next($request);
        } else {
            return response('Unauthorized.', 401);
        }
    }
}
Here, a private $whitelist array was created with a list of the IP addresses that are set up within a company. Then, the client IP address of the request is compared to the values in the array, and if it matches, the request is allowed to continue by returning the $next closure. Otherwise, an unauthorized response is returned.
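An added example, not code from the original text: a variant of WhitelistMiddleware that accepts IPv4 CIDR ranges as well as single addresses, since the class above only matches exact IPs. The isAllowed helper, the 10.20.0.0/16 range and the sample addresses are assumptions made for illustration.

```php
<?php
namespace MyCompany\Http\Middleware;

use Closure;

class WhitelistMiddleware
{
    // Constructed sample entries: the page's single host plus an assumed CIDR range.
    private $whitelist = ['192.2.3.211', '10.20.0.0/16'];

    public function handle($request, Closure $next)
    {
        if (self::isAllowed($request->getClientIp(), $this->whitelist)) {
            return $next($request);
        }
        return response('Unauthorized.', 401);
    }

    // Hypothetical helper (not a Laravel API): true when $ip equals an entry
    // or lies inside an IPv4 CIDR entry. Assumes 64-bit PHP integers.
    public static function isAllowed($ip, array $whitelist)
    {
        $addr = ip2long((string) $ip);
        if ($addr === false) {
            return false; // malformed or non-IPv4 client address: deny
        }
        foreach ($whitelist as $entry) {
            $parts = explode('/', $entry, 2);
            $net = ip2long($parts[0]);
            $bits = isset($parts[1]) ? $parts[1] : '32';
            if ($net === false || !ctype_digit($bits) || (int) $bits > 32) {
                continue; // ignore malformed entries instead of matching loosely
            }
            $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
            if (($addr & $mask) === ($net & $mask)) {
                return true;
            }
        }
        return false;
    }
}

// Stand-alone check with constructed addresses; skipped when Laravel loads the class.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $list = ['192.2.3.211', '10.20.0.0/16'];
    foreach (['192.2.3.211', '10.20.44.7', '10.21.0.1', 'not-an-ip'] as $ip) {
        echo $ip, ' => ', WhitelistMiddleware::isAllowed($ip, $list) ? 'allowed' : 'denied', "\n";
    }
}
```

When the application runs behind a load balancer or reverse proxy, getClientIp() reflects the forwarded client address only if that proxy is configured as trusted; otherwise every request is checked against the proxy's own address.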
Now, the whitelist middleware needs to be combined with the auth middleware. To use the whitelist middleware within the route group, an alias for the middleware needs to be created and inserted into the app/Http/Kernel.php file in the $routeMiddleware array. The code is as follows:
protected $routeMiddleware = [
    'auth' => 'MyCompany\Http\Middleware\Authenticate',
    'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
    'guest' => 'MyCompany\Http\Middleware\RedirectIfAuthenticated',
    'log' => 'MyCompany\Http\Middleware\LogMiddleware',
    'whitelist' => 'MyCompany\Http\Middleware\WhitelistMiddleware'
];
Next, to add this to the list of middleware for this route group, it is necessary to substitute the string auth with an array, having both auth and whitelist as its contents. The code is as follows:
Route::group(['middleware' => ['auth', 'whitelist']], function() {
    Route::resource('accommodations', 'AccommodationsController');
    Route::resource('accommodations.amenities', 'AccommodationsAmenitiesController');
    Route::resource('accommodations.rooms', 'AccommodationsRoomsController');
    Route::resource('accommodations.locations', 'AccommodationsLocationsController');
    Route::resource('amenities', 'AmenitiesController');
    Route::resource('rooms', 'RoomsController');
    Route::resource('locations', 'LocationsController');
});
Now, even if the user is logged in, it will not be possible to access the protected content unless the IP address is in the whitelist.
Also, if only some of the routes need to be whitelisted, route groups may be nested as follows:
Route::group(['middleware' => 'auth'], function() {
    Route::resource('accommodations', 'AccommodationsController');
    Route::resource('accommodations.amenities', 'AccommodationsAmenitiesController');
    Route::resource('accommodations.rooms', 'AccommodationsRoomsController');
    Route::resource('accommodations.locations', 'AccommodationsLocationsController');
    Route::resource('amenities', 'AmenitiesController');
    // Nested group: these routes require auth and whitelist
    Route::group(['middleware' => 'whitelist'], function() {
        Route::resource('rooms', 'RoomsController');
    });
    Route::resource('locations', 'LocationsController');
});
This will require both authentication (auth) and whitelisting for the RoomsController, while all of the other controllers inside the route group will require only authentication.