perling/docs/authentication.md
# Authentication System Documentation
## Overview
The application uses a dual authentication system:
- **Web Authentication**: Session-based with cookies for browser access
- **API Authentication**: Token-based using Laravel Sanctum for API access
## Web Authentication (Session + Cookies)
### Login
**Endpoint**: `POST /auth/session-login`
**Controller**: `WebAuthController@sessionLogin`
```bash
curl -X POST http://localhost:8000/auth/session-login \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  -d '{
    "identifier": "user@example.com",
    "password": "password123"
  }'
```
**Response**:
```json
{
  "success": true,
  "message": "Login berhasil",
  "user": {
    "id": 1,
    "name": "John Doe",
    "email": "user@example.com",
    "username": "johndoe"
  }
}
```
### Logout
**Endpoint**: `POST /auth/logout`
**Controller**: `WebAuthController@sessionLogout`
```bash
curl -X POST http://localhost:8000/auth/logout \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token"
```
### Protected Routes
All admin routes are protected with `web.auth` middleware:
- `/dashboard/*`
- `/admin/*`
## API Authentication (Token-based)
### Login
**Endpoint**: `POST /api/auth/login`
**Controller**: `AuthController@login`
```bash
curl -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "identifier": "user@example.com",
    "password": "password123",
    "device_name": "mobile-app"
  }'
```
**Response**:
```json
{
  "success": true,
  "message": "Login berhasil",
  "token": "1|abc123def456...",
  "token_type": "Bearer",
  "user": {
    "id": 1,
    "name": "John Doe",
    "email": "user@example.com",
    "username": "johndoe",
    "roles": ["admin"],
    "permissions": ["dashboard.view", "settings.manage"]
  }
}
```
### Using API Token
Include the token in the `Authorization` header as a Bearer token:
```bash
curl -X GET http://localhost:8000/api/auth/me \
  -H "Authorization: Bearer 1|abc123def456..."
```
### Get User Info
**Endpoint**: `GET /api/auth/me`
```bash
curl -X GET http://localhost:8000/api/auth/me \
  -H "Authorization: Bearer your-token"
```
### Logout (Current Device)
**Endpoint**: `POST /api/auth/logout`
```bash
curl -X POST http://localhost:8000/api/auth/logout \
  -H "Authorization: Bearer your-token"
```
### Logout All Devices
**Endpoint**: `POST /api/auth/logout-all`
```bash
curl -X POST http://localhost:8000/api/auth/logout-all \
  -H "Authorization: Bearer your-token"
```
## Configuration
### Guards
- `web`: Session-based authentication for web interface
- `sanctum`: Token-based authentication for API
### Middleware
- `web.auth`: Custom middleware for web session authentication
- `auth:sanctum`: Laravel Sanctum middleware for API authentication
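The `web.auth` alias above is described only as "custom middleware for web session authentication". The following is an added example of how such a middleware could be written; it is not the project's own code. The class name `WebAuth`, its file location, and the `/login` redirect path are assumptions. It checks the `web` guard only, so a Sanctum bearer token does not satisfy it, and it returns the documented `Unauthenticated` JSON body to callers that ask for JSON.

```php
<?php
// Added example (not the project's code): one possible implementation behind the
// "web.auth" middleware alias. Class name, path and redirect target are assumed.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class WebAuth
{
    public function handle(Request $request, Closure $next): Response
    {
        // Only the session guard counts here: a request carrying a valid Sanctum
        // bearer token but no session must not reach /dashboard/* or /admin/*.
        if (! Auth::guard('web')->check()) {
            // JSON callers get the body documented under "Unauthenticated";
            // browsers are sent to the login page with the intended URL remembered.
            if ($request->expectsJson()) {
                return response()->json([
                    'success' => false,
                    'message' => 'Unauthenticated',
                ], 401);
            }

            return redirect()->guest('/login'); // assumed login page path
        }

        return $next($request);
    }
}
```

The alias is registered in `app/Http/Kernel.php` under `$middlewareAliases` (Laravel 10) or through `->withMiddleware(...)` in `bootstrap/app.php` (Laravel 11), and then applied with `Route::middleware('web.auth')->prefix('dashboard')->group(...)`; API routes use the built-in `auth:sanctum` alias instead.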
### Token Management
- Tokens are device-specific (one token per device)
- Old tokens for the same device are automatically revoked on new login
- Tokens don't expire by default (configurable in sanctum config)
## Security Features
### Web Authentication
- CSRF protection enabled
- Session regeneration on login
- Remember token invalidation on logout
- Cookie cleanup on logout
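The four web-side features listed above map onto a handful of Laravel calls. The controller below is an added example, not the project's `WebAuthController`, showing where each one happens: CSRF is enforced by the `web` middleware group (hence the `X-CSRF-TOKEN` header in the curl example), the session id is regenerated after a successful `attempt()`, `logout()` rotates the `remember_token`, and the session and remember-me cookies are explicitly expired. Treating `identifier` as either an e-mail address or a username, and the logout message text, are assumptions.

```php
<?php
// Added example (not the project's code): a session login/logout controller
// exercising the security features listed above. The identifier handling and
// the logout message are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cookie;

class WebAuthController extends Controller
{
    // POST /auth/session-login  (CSRF check is done by the "web" middleware group)
    public function sessionLogin(Request $request): JsonResponse
    {
        $data = $request->validate([
            'identifier' => ['required', 'string'],
            'password'   => ['required', 'string'],
        ]);

        // Assumption: "identifier" is an e-mail address or a username.
        $field = filter_var($data['identifier'], FILTER_VALIDATE_EMAIL) ? 'email' : 'username';

        if (! Auth::guard('web')->attempt([$field => $data['identifier'], 'password' => $data['password']])) {
            // One message for both "no such user" and "wrong password", so the
            // response does not reveal which accounts exist.
            return response()->json([
                'message' => 'The given data was invalid.',
                'errors'  => ['identifier' => ['Email/username atau password yang diberikan salah.']],
            ], 422);
        }

        // Session regeneration on login: a fresh session id defeats session fixation.
        $request->session()->regenerate();

        return response()->json([
            'success' => true,
            'message' => 'Login berhasil',
            'user'    => $request->user()->only(['id', 'name', 'email', 'username']),
        ]);
    }

    // POST /auth/logout
    public function sessionLogout(Request $request): JsonResponse
    {
        // logout() clears the user from the session and cycles remember_token,
        // so any previously issued "remember me" cookie can no longer be used.
        Auth::guard('web')->logout();

        // Discard all session data and rotate the CSRF token.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // Cookie cleanup: expire the session and remember-me cookies on the client too.
        $response = response()->json(['success' => true, 'message' => 'Logout berhasil']); // message assumed
        $response->withCookie(Cookie::forget(config('session.cookie')));
        $response->withCookie(Cookie::forget(Auth::guard('web')->getRecallerName()));

        return $response;
    }
}
```

Note that `session()->invalidate()` already starts a new empty session; the explicit `Cookie::forget` calls only make sure a client that ignores the new `Set-Cookie` still loses the old identifiers.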
### API Authentication
- Device-specific tokens
- Token revocation on logout
- Automatic cleanup of old tokens
- Rate limiting (configurable)
## Error Handling
### Common Error Responses
**Invalid Credentials**:
```json
{
  "message": "The given data was invalid.",
  "errors": {
    "identifier": ["Email/username atau password yang diberikan salah."]
  }
}
```
**Unauthenticated**:
```json
{
  "success": false,
  "message": "Unauthenticated"
}
```
## Testing
### Web Authentication Test
```bash
# Login
curl -c cookies.txt -X POST http://localhost:8000/auth/session-login \
  -H "Content-Type: application/json" \
  -d '{"identifier": "admin@example.com", "password": "password"}'

# Access protected route
curl -b cookies.txt http://localhost:8000/dashboard

# Logout
curl -b cookies.txt -X POST http://localhost:8000/auth/logout
```
### API Authentication Test
```bash
# Login and save token
TOKEN=$(curl -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"identifier": "admin@example.com", "password": "password"}' \
  | jq -r '.token')

# Use token
curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/api/auth/me

# Logout
curl -X POST http://localhost:8000/api/auth/logout \
  -H "Authorization: Bearer $TOKEN"
```