Analysis of Laravel5 fast authentication logic flow

Source: Internet
Author: User
Tags app service sha1
This article mainly introduces the Laravel5 Fast authentication logic flow analysis, has a certain reference value, now share to everyone, the need for friends can refer to

Laravel5 itself comes with a set of user authentication functions, just under the new project, using the command line php artisan make:auth andphp artisan migrate就可以使用自带的快速认证功能。

The following is a logical analysis of the analysis login function, whichever is laravel version 5.5.

by command PHP artisan route:list get login route (red box):

Open View/app/http/controller/auth/logincontroller.php, the file code is very concise, in fact, the login logic and methods are integrated in the illuminate/foundation/auth/ In the trait of authenticatesusers:

To view the login method of the Illuminate\foundation\auth\authenticatesusers code, the parameter $request is the request object, and the information containing the login request includes the login name, password, etc.:

line31: The Validatelogin method is responsible for invoking the Validate method of the controller itself to verify that the user name and password conform to the simple rules, which is not necessary to go into the story.

Notable is the red box callout username method, the developer can customize this method in Logincontroller trait this method, custom login account field, trait default is ' email '.

Do not directly change the trait username () method, to maintain the integrity of the LARAVEL5 framework, the reason is unknown.

Line36:hastoomanyloginattempts method, used to verify that the number of attempts to log on the account has reached the maximum value set.

This method refers to the trait of illuminate\foundation\auth\throttleslogins. Look at the trait name and guess it's responsible for avoiding violent logins.

Limiter () returns the Ratelimiter object (as its name implies: Frequency limiter), which is created by the app service container. The object originates from the: Illuminate\cache\ratelimiter file.

As you can see from the location of the object, it uses the Laravel caching mechanism to process the number of logins.

So the Hastoomanyloginattempts method is to call the Toomanyattempts method of the Ratelimiter object to verify the number of logins:

The Toomanyattempt method has three parameters:

$key: The relative key that is used to cacche the value of the login number that holds the current account. The key consists of this:

So the key value is roughly the same: "Email|101:10:45:12". From here it can be seen that the brute force prevention is the use of IP. Of course, if you change the IP I can still try to login, although there is always limitations, but always more than bare.

$maxAttempts: The maximum number of attempts to login is set.

The value is customizable and can be written in the Logincontroller custom Maxattempts property, which defaults to 5 times:

$decayMinutes: The wait time (in minutes) to resume the login after the maximum number of attempts.

The value is also customizable, and in Logincontroller the property is customized by default for 1 minutes:

Back to the Ratelimiter::toomanyattempts method, this method will determine whether the current number of logins has reached the setpoint, if the set value is reached and is also within the distance of the last forbidden logon time range, returns True, indicating that the current user (IP) is also forbidden to sign in state.

The red box in the cache to determine whether $key. ': Timer ' value is used in the buffer, which uses the above $decayminutes time as the expiration time, so the presence or absence of this value is the key to restoring the login status.

If the cached value is not present, the current user can log on. At this point the Resetattempts method clears the $key cache login value, starting from the zero-based record.

Code execution goes back to Illuminate\foundation\auth\authenticatesusers's Line36 line again:

When Hastoomanyloginattempts returns True, the lockout event is initiated and the Lockoutresponse response is returned. The user can generate the lockout event Monitor to handle the event-related logic, such as logging log-in logs, and so on.

The lockoutresponse response is essentially a throw validation exception that is automatically interpreted by Laravel as a 423 status code response, with Auth.throttle configuration information attached. The original language of the configuration is located at:/resources/lang/en/auth.php. Users can customize their own language information.

Next, go back to Illuminate\foundation\auth\authenticatesusers's Line42 line and start performing login verification:

The Attemptlogin method generates the corresponding gatekeeper object by config/auth.php the configured gatekeeper name, and then calls the object's attempt for login verification.

The Laravel5 keeper currently supports two types: Sessionguard and Tokenguard, which are stored in the Illuminate\auth folder and are implemented in the Illuminate\contracts\auth\guard interface. So if you need to customize the gatekeeper, implement the interface.
The Illuminate\contracts\auth\statefulguard interface can be further implemented if the gatekeeper of the web is to be implemented.

As for which Watchmen to use in which case, they are configured in config/auth.php:

Since I am analyzing the Web login process this time, I want to see the attempt method of Illuminate\auth\sessionguard:

Line 351: This function is to retrieve the account information through the configured provider provider. There are two types of providers: Databaseuserprovider and Eloquentuserprovider. Files are located at:/illuminate/auth.

Specify which provider to use in the ' guards ' parameter when configured with the providers parameter configuration of the config/auth.php. The provider is essentially providing a way to query the database Account table, database is directly with the DB window query, eloquent the model query.

Laravel By default is Eloquentuserprovider, looking at the Retrievebycredentials method, it is obvious that the direct account name to query the user information:

Back to the attempt method of Illuminate\auth\sessionguard, the Hasvalidcredentials method of line356 line verifies the password, if the user information of the previous step can be retrieved normally.

As can be seen from the Hasvalidcredentials method body, it invokes the provider's Validatecredentials method for password authentication. View the following eloquentuserprovider::validatecredentials methods:

The validation method uses the check method of the hash class implemented by the Hashercontract contract. The specific implementation classes are: Illuminate\hashing\bcrypthasher. We look at the check method for this class:

It is clear that it uses the Password_verify function to compare the input plaintext password to the hashed password value. This requires that the password for the database has been hashed with Password_hash.

Returns true if the authentication password is successful. Back to Sessionguard Execute line357 login method, log session and cookie login status.

The key and value of the saved session are:

' Key ' = ' login_session_ '. SHA1 (Static::class)//static::class refers to the Sessionguard class itself

' Value ' = The current user's primary key value

If the Remember_me option is used, the following Cookie,key and value are saved:

' Key ' = ' remember_session_ '. SHA1 (Static::class)//static::class refers to the Sessionguard class itself

' Value ' = The user primary key value. ' | '. The last Remember_token value saved. ' | '. User Password hash value

To this, the user has successfully logged in, the execution point and finally back to Illuminate\foundation\auth\authenticatesusers Line42,attemptlogin has executed and returns True, Then call the Sendloginresponse method to jump to the landing page or the last login page.

Note The authenticated method is an empty method that allows you to redefine how to jump and process other logic after the Logincontroller has been customized by the method.

If the login is unsuccessful, the Illuminate\foundation\auth\authenticatesusers incrementloginattempts ($request) method is executed to increase the number of failed logons. The method of increasing the number of times is also indirectly called the hit () method of the Ratelimiter class.
The last call to Sendfailedloginresponse returns the login exception.

Finally attached to the timing diagram, drawing general, some of the UML concept is not well mastered, forgive me:

The above is the whole content of this article, I hope that everyone's learning has helped, more relevant content please pay attention to!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.