# Authentication System Documentation

## Overview

The application uses a dual authentication system:

- Web Authentication: session-based, using cookies, for browser access
- API Authentication: token-based, using Laravel Sanctum, for API access
## Web Authentication (Session + Cookies)

### Login

- Endpoint: `POST /auth/session-login`
- Controller: `WebAuthController@sessionLogin`

```bash
curl -X POST http://localhost:8000/auth/session-login \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  -d '{
    "identifier": "user@example.com",
    "password": "password123"
  }'
```

Response:

```json
{
  "success": true,
  "message": "Login berhasil",
  "user": {
    "id": 1,
    "name": "John Doe",
    "email": "user@example.com",
    "username": "johndoe"
  }
}
```
### Logout

- Endpoint: `POST /auth/logout`
- Controller: `WebAuthController@sessionLogout`

```bash
curl -X POST http://localhost:8000/auth/logout \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token"
```

### Protected Routes

All admin routes are protected by the `web.auth` middleware:

- `/dashboard/*`
- `/admin/*`
## API Authentication (Token-based)

### Login

- Endpoint: `POST /api/auth/login`
- Controller: `AuthController@login`

```bash
curl -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "identifier": "user@example.com",
    "password": "password123",
    "device_name": "mobile-app"
  }'
```

Response:

```json
{
  "success": true,
  "message": "Login berhasil",
  "token": "1|abc123def456...",
  "token_type": "Bearer",
  "user": {
    "id": 1,
    "name": "John Doe",
    "email": "user@example.com",
    "username": "johndoe",
    "roles": ["admin"],
    "permissions": ["dashboard.view", "settings.manage"]
  }
}
```

### Using the API Token

Include the token in the `Authorization` header:

```bash
curl -X GET http://localhost:8000/api/auth/me \
  -H "Authorization: Bearer 1|abc123def456..."
```

### Get User Info

- Endpoint: `GET /api/auth/me`

```bash
curl -X GET http://localhost:8000/api/auth/me \
  -H "Authorization: Bearer your-token"
```

### Logout (Current Device)

- Endpoint: `POST /api/auth/logout`

```bash
curl -X POST http://localhost:8000/api/auth/logout \
  -H "Authorization: Bearer your-token"
```

### Logout All Devices

- Endpoint: `POST /api/auth/logout-all`

```bash
curl -X POST http://localhost:8000/api/auth/logout-all \
  -H "Authorization: Bearer your-token"
```
## Configuration

### Guards

- `web`: session-based authentication for the web interface
- `sanctum`: token-based authentication for the API

### Middleware

- `web.auth`: custom middleware for web session authentication
- `auth:sanctum`: Laravel Sanctum middleware for API authentication

### Token Management

- Tokens are device-specific (one token per device)
- Old tokens for the same device are automatically revoked on new login
- Tokens don't expire by default (configurable in the sanctum config)
## Security Features

### Web Authentication

- CSRF protection enabled
- Session regeneration on login
- Remember-token invalidation on logout
- Cookie cleanup on logout

### API Authentication

- Device-specific tokens
- Token revocation on logout
- Automatic cleanup of old tokens
- Rate limiting (configurable)
## Error Handling

### Common Error Responses

Invalid credentials:

```json
{
  "message": "The given data was invalid.",
  "errors": {
    "identifier": ["Email/username atau password yang diberikan salah."]
  }
}
```

Unauthenticated:

```json
{
  "success": false,
  "message": "Unauthenticated"
}
```
## Testing

### Web Authentication Test

```bash
# Login (stores the session cookie in cookies.txt)
# If CSRF protection is enforced on this route, the X-CSRF-TOKEN header
# shown in the Login section above is required as well.
curl -c cookies.txt -X POST http://localhost:8000/auth/session-login \
  -H "Content-Type: application/json" \
  -d '{"identifier": "admin@example.com", "password": "password"}'

# Access a protected route with the stored session cookie
curl -b cookies.txt http://localhost:8000/dashboard

# Logout
curl -b cookies.txt -X POST http://localhost:8000/auth/logout
```

### API Authentication Test

```bash
# Login and save the token (requires jq)
TOKEN=$(curl -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"identifier": "admin@example.com", "password": "password"}' \
  | jq -r '.token')

# Use the token
curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/api/auth/me

# Logout (revokes this token)
curl -X POST http://localhost:8000/api/auth/logout \
  -H "Authorization: Bearer $TOKEN"
```