📄️ Section Intro
Alright, so we have a complete CRUD app with a nice base infrastructure/framework. Now we are going to start adding authentication and authorization. This is a vanilla PHP course, so we will be doing everything manually with sessions, but just know that there are many packages and libraries that can help with this.
📄️ Initial Controller & Views Setup
Let's start by creating a route to both the login and register controller methods. Open routes.php and add these routes:
📄️ Register Form Validation & Error Partials
We have our forms displayed, now we need to make them work. We will start with the registration form and storing the user. In this lesson, we will add the validation and also refactor a bit to create a partial for the error messages.
📄️ User Registration
In this lesson, we will add the code to check if a user exists and to submit the user to the database.
📄️ Session Class
We can now create a user, but we also want to create a session so that the user is logged in. We will create a Session class with static methods that will handle all of our session related tasks.
📄️ Navbar Links
Right now, there is no way in our app to show that we are logged in and there is a session/cookie. Let's open the App/views/partials/navbar.php file and replace the current code with the following:
📄️ Logout Functionality
Now we want to be able to log out and destroy the session. Let's start by adding the method and action to the logout form. Open the App/views/partials/nav.php file and make sure that the form with the logout button looks like this:
📄️ Login Functionality
We are able to register a user, log in directly afterwards, and log out. Now we need a way for an existing user to authenticate.
📄️ Authorize Middleware
Now that we have a way to uniquely identify a user, we can create a middleware that checks whether a user is logged in for certain routes. If they are not, they will be redirected to the login page. We will also have some routes that are only accessible to guests (non-logged-in users), such as the login and register pages.
📄️ Delete Authorization
Some people get confused when it comes to authentication vs authorization. Authentication is the process of verifying that a user is who they say they are. We have done that: a user can register and log in, proving who they are. Authorization is the process of verifying that a user has access to certain resources. For example, if a user creates a listing, they should be the only one who can edit or delete it. We need to make sure that the user is authorized to edit or delete a listing.
📄️ Flash Message Methods
In this lesson we will add a couple of methods to our Session class to set and get flash messages, rather than using the $_SESSION superglobal directly within the controller.
📄️ Update Authorization
In the last lesson, we made it so only owners can delete their listings. Now we need to make it so that only owners can update a listing, and only owners can see the edit form for their listings.