1

When a user logs in I'm storing the status in local storage as shown below using and they get redirected to their dashboard. The dashboard is viewable when we have authenticated = 'true' in the local storage. That works well but now anyone who navigates to the local storage and provides that manually then they can be able to view the dashboard. How can I protect the page if one is not authenticated and they try to view it manually? Sidenote: The APIs are protected with sanctum.

authUser.js

import { defineStore } from 'pinia'
import router from '../router'
import { useLocalStorage } from '@vueuse/core'


export const useLoginStore = defineStore('login', {
    state: () => {
        return {
            fields: {},
            errors: {},
            loading: false,
            authenticated: useLocalStorage('authenticated', null)
        }


    },
    actions: {
        logout() {
            axios.get("/sanctum/csrf-cookie").then(() => {
                axios.post("/api/logout").then((response) => {
                    this.authenticated = null
                    router.push({ name: "Login" });
                });
            });
        },
        login() {
            this.loading = true;
            axios
                .post("/api/login", this.fields)
                .then((res) => {
                    if (res.status == 201) {
                        this.fields = {}
                        this.authenticated = true
                        this.loading = false;
                        router.push({ name: "Dashboard" });
                    }
                })
                .catch((error) => {
                    if (error.response.status == 422) {
                        this.errors = error.response.data.errors;
                        this.loading = false;
                    }
                });
        },
    },

})
Alphy Gacheru
  • 489
  • 1
  • 9
  • 28
  • You can create a middleware in which you can simply do a validation for authenticated flag and use that middleware for each of the APIs. – Bhushan May 18 '22 at 17:37
  • @Bhushan, thank you for the reply but I didn't understand you. The APIs are well protected, I don't have a problem with that. No protected API end point is accessible when a user is not authenticated. Would you perhaps point me to a link to read or watch on that? – Alphy Gacheru May 18 '22 at 18:35
  • Either you protect the dashboard route with Laravel or you do not worry as all the data on the dashboard page is anyway protected by your api calls being protected. – BobB May 18 '22 at 21:32
  • @BobB, I'm not worried about the data. I thought it would be nice to make the dashboard to be visible only to an authenticated user. The dashboard route is using vue-router. Can that be protected with Laravel? – Alphy Gacheru May 18 '22 at 22:22
  • @Alphy In a dashboard page you will call the APIs to fetch the data. Right? – Bhushan May 19 '22 at 04:09
  • @Bhushan correct. – Alphy Gacheru May 19 '22 at 05:15
  • @Alphy In those API calls, I think you are only doing auth token validation but you are not checking about user is authorized for that request or nor. Please go with the authorization doc of laravel(Link given below) and handle exception in FE according to API response if user is not authorized. https://laravel.com/docs/9.x/authorization – Bhushan May 19 '22 at 05:20
  • @Bhushan That's correct, currently no user is allowed to get past the API if not authenticated. I fail to understand why I should authorize a user again. Currently, I can catch a Status ```Code: 401 Unauthorized``` if one is not authenticated. Isn't authorizing just being verbose? I apologize if I'm the one who is not getting your point. If you don't mind you can kindly help out ,explaining with code and if you need more code e.g my controller logic I'll provide it. – Alphy Gacheru May 19 '22 at 05:57
  • @Alphy, There are two things. Authentication & Authorization. Authentication is being used for user validation. In API, we do it by access token. If token expires or invalid token we throw 401(Unauthenticated) error. Authorization is being used to check a validated user has access on that data or not. If user is not authorized then in API we generally throw 403(Unauthorized) error. To know more about difference you can check it on below link: https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization – Bhushan May 19 '22 at 12:57
  • @Alphy, I have an example but it's a longer one so I am not sure how can I show you. – Bhushan May 19 '22 at 12:57
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/244877/discussion-between-alphy-gacheru-and-bhushan). – Alphy Gacheru May 19 '22 at 13:17

0 Answers0