
Laravel 5.0 multiauth

Tags: php, laravel-5

I have an application which has two parts: back-end and front-end. In the back-end the admin can log in, and in the front-end the client can log in. This has now been implemented. All of the application's queries are done by the logged-in user id on both the admin and client ends.

Now my app needs functionality where the admin can view client data the same way the client sees their profile. There are a lot of things on the client end. I can use Auth::loginUsingId($client_id). Here the client profile shows perfectly, but the admin login session is lost, as expected.

How can I achieve this while the admin login remains and the admin can see the client's full data?

asked Aug 14 '17 09:08

Subrata


3 Answers

Let me introduce the simplest way to have login-as-client functionality. First, define asuser and returnback routes.

Routes and actions

Route::get('/asuser/{user}', 'AdminController@asuser')
        ->where('user', '[0-9]+')
        ->name('asuser');
Route::get('/returnback', 'ClientController@returnback')
        ->name('returnback');

In admin's controller:

public function asuser(User $client, Request $request) {
    /* insert checking if user has right either here with some field 
     * like $user->is_admin or using middleware settings and Policy
     */
    # who user is
    $fromId = Auth::user()->getId();

    # logging as a client
    Auth::login($client, true);

    # but keeping admin in a session
    $request->session()->put('adm_id', $fromId);

    return redirect()->route('some-client-route')
                    ->with('status', 'You are logged in as a client');
}

And for returning back, in ClientController:

public function returnback(Request $request) {
    $fromId = Auth::user()->getId();

    # getting admin id
    $admId = $request->session()->pull('adm_id');
    $adminUser = User::find($admId);

    if (!$adminUser) {
        return redirect()->back()
                        ->with('status', 'Not allowed');
    }

    # logging out as a client and logging in as admin
    Auth::logout();
    Auth::login($adminUser, true);

    return redirect()->route('some-admin-route')
                    ->with('status', 'Welcome back!');
}

Is it ready for production?

No, it's not. That's not a great solution, it's just a glimpse of how to use it. Sessions have a lifetime, so if the admin doesn't return within that lifetime, session variables are lost and he becomes a client (if remember me=true, as in the code above). You can store the value not in a session but in a database column.

In addition, as t1gor mentioned, you must pay attention to the fact that you can't log the client's actions and send events when the admin is a client. That's the most serious problem of logging in as a client. Anyway, I suppose it is easier to solve that than to move all the auth logic out of the views.

Well, hope it is helpful.

answered Nov 14 '22 07:11

shukshin.ivan
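
One way to handle the logging problem raised in the answer above, as an added example that is not part of the original answer: a Laravel middleware for the client routes that, while the `adm_id` session key set in `asuser` is present, logs every request under the admin's id and rejects anything other than read requests. The class name `ImpersonationGuard`, the log event names, the `impersonator_id` request attribute and the read-only policy are assumptions.

```php
<?php
// Added example, not code from the answer. Class name, log event names and
// the read-only policy are assumptions; 'adm_id' is the session key used above.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class ImpersonationGuard
{
    // HTTP methods that should not change state.
    private $safeMethods = ['GET', 'HEAD', 'OPTIONS'];

    public function handle($request, Closure $next)
    {
        $adminId = $request->session()->get('adm_id');

        // Ordinary client session: nothing to do.
        if ($adminId === null) {
            return $next($request);
        }

        // Attribute the request to the real actor, not only to the client
        // that Auth::id() reports while the admin is switched.
        $context = [
            'actor_admin_id'   => $adminId,
            'viewed_client_id' => Auth::id(),
            'method'           => $request->method(),
            'path'             => $request->path(),
            'ip'               => $request->ip(),
        ];

        // The admin is here to view the profile: refuse writes made under
        // the client's identity and record the attempt.
        if (!in_array($request->method(), $this->safeMethods, true)) {
            Log::warning('impersonation.write_blocked', $context);
            abort(403, 'Read-only while viewing as a client.');
        }

        Log::info('impersonation.request', $context);

        // Downstream code (event listeners, activity logs) can read this
        // attribute to tell an impersonated request from a real one.
        $request->attributes->set('impersonator_id', $adminId);

        return $next($request);
    }
}
```

The middleware has to run after the session middleware and be attached to the client-facing routes; the `returnback` route is a GET, so it stays reachable while writes are blocked.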


I think a good way to manage client/user profiles is to implement a user management section in your backend, and display and edit your users and their profiles there.

answered Nov 14 '22 05:11

Homer


Laravel does not provide mixed sessions. You can only be authenticated as one user at a time. If you really need this kind of functionality in Laravel 5.0, you could solve this by hackish user ping-pong (e.g. logging in temporarily as the client and switching back to admin right after).

But it seems like your problem is more Authorization-related (in contrast to Authentication). Laravel implemented an authorization layer in v5.1.11. Since v5.0 is not supported anymore you should update regardless of this feature.

You can find more information about authorization in the official documentation: https://laravel.com/docs/5.1/authorization

answered Nov 14 '22 07:11

Nils Rückmann