Skip to main content

Overview

Wecode uses Laravel’s built-in authentication system with custom LDAP integration. The Auth::routes() call in web.php registers all standard authentication routes, which are then handled by controllers in app/Http/Controllers/Auth/.

Authentication Routes

Standard Routes

The Auth::routes() method registers these routes:
MethodURINameControllerDescription
GET/loginloginLoginController@showLoginFormDisplay login form
POST/login-LoginController@loginProcess login
POST/logoutlogoutLoginController@logoutLogout user
GET/registerregisterRegisterController@showRegistrationFormDisplay registration form
POST/register-RegisterController@registerProcess registration
GET/password/resetpassword.requestForgotPasswordController@showLinkRequestFormPassword reset request form
POST/password/emailpassword.emailForgotPasswordController@sendResetLinkEmailSend reset link email
GET/password/reset/{token}password.resetResetPasswordController@showResetFormPassword reset form
POST/password/resetpassword.updateResetPasswordController@resetProcess password reset
GET/password/confirmpassword.confirmConfirmPasswordController@showConfirmFormPassword confirmation form
POST/password/confirm-ConfirmPasswordController@confirmProcess password confirmation
GET/email/verifyverification.noticeVerificationController@showEmail verification notice
GET/email/verify/{id}/{hash}verification.verifyVerificationController@verifyVerify email
POST/email/resendverification.resendVerificationController@resendResend verification email

Login System

LoginController

Location: app/Http/Controllers/Auth/LoginController.php

Constructor

public function __construct()
Middleware:
  • guest - Only non-authenticated users can access login routes
  • Exception: logout method accessible to authenticated users

login()

public function login(Request $request)
Processes user login with multi-tier authentication strategy.
username
string
required
User’s username
password
string
required
User’s password
remember
boolean
Remember me checkbox (optional)
Authentication Flow:
  1. Via Remember Cookie
    • Check if user has valid remember token
    • Auto-login if token valid
  2. LDAP Authentication (if enabled)
    • Connect to AD/LDAP server
    • Validate credentials
    • Fetch user info (name, email)
    • Login existing user or create new user
  3. Database Authentication
    • Check credentials against database
    • Hash comparison for password
Post-Login Processing: 
// Trial period check
if ($user->trial_time && $user->created_at->addHours($user->trial_time) <= Carbon\Carbon::now()) {
    $user->role_id = 5; // Set to guest role
}

// Track login times
if ($user->first_login_time == NULL) 
    $user->first_login_time = now();
else 
    $user->last_login_time = now();

$user->save();
Returns:
  • Success: Redirect to intended page or /home
  • Failure: Redirect back with errors

LDAP Integration

uit_ldap()

protected function uit_ldap($user, $password)
Connects to UIT Active Directory LDAP server for authentication.
user
string
required
LDAP username
password
string
required
LDAP password
LDAP Configuration: 
$ldap_host = 'ad.uit.edu.vn';
$ldap_dn = 'DC=AD,DC=UIT,DC=EDU,DC=VN';
LDAP Options:
  • LDAP_OPT_PROTOCOL_VERSION: 3
  • LDAP_OPT_REFERRALS: 0
  • LDAP_OPT_TIMELIMIT: 1 second
  • LDAP_OPT_NETWORK_TIMEOUT: 1 second
Returns: Array with user info: 
[
    'masv' => $username,
    'hoten' => $displayName,
    'email' => $email,
    'GV' => $isTeacher  // Boolean
]
Example from controller: 
$bind = @ldap_bind($ldap, $user . '@' . $ldap_host, $password);
if ($bind) {
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof", "displayname", "mail");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr);
    $entries = ldap_get_entries($ldap, $result);
    
    if ($entries[0]) {
        $userinfo['masv'] = $user;
        $userinfo['hoten'] = $entries[0]['displayname'][0];
        $userinfo['email'] = $entries[0]['mail'][0];
        $userinfo['GV'] = strpos($entries[0]['dn'], 'OU=UIT') !== FALSE;
    }
}

ldap_authentication()

protected function ldap_authentication($username, $password, $remember = false)
Authenticates user via LDAP and logs them into Wecode.
username
string
required
Username to authenticate
password
string
required
Password to verify
remember
boolean
Whether to remember the user
Process:
  1. Call uit_ldap() to validate credentials
  2. Look up user in local database by username
  3. If found, log in user
  4. Optionally update display name from LDAP
  5. Optionally create new user if not exists (commented out)
Returns: Boolean indicating success Optional User Creation: 
// Optional: create ldap user if not present.
// $user = User::create([
//     'username' => $ldap_user['masv'],
//     'email' => $ldap_user['email'],
//     'display_name' => $ldap_user['hoten'],
//     'password' => Hash::make(Str::random(80)),
//     'role_id' => $ldap_user['GV'] ? '3' : '4' // Instructor or student
// ]);
// Auth::login($user, $remember);

logout()

public function logout(Request $request)
Logs out the current user and destroys the session. Process:
  1. Call Auth::logout() to clear authentication
  2. Invalidate session
  3. Regenerate session token (CSRF protection)
Returns: Redirect to login page Route: POST /logout

Registration System

RegisterController

Location: app/Http/Controllers/Auth/RegisterController.php

Constructor

public function __construct()
Middleware:
  • guest - Only non-authenticated users can register
Redirect After Registration: 
protected $redirectTo = '/home/';

validator()

protected function validator(array $data)
Validates registration form data.
registration_code
string
required
Registration code (must match system setting)
username
string
required
Username (alpha-dash, max 50 chars, unique)
display_name
string
Display name (optional, max 255 chars)
email
string
required
Email address (valid email, max 255 chars, unique)
password
string
required
Password (min 8 chars, must be confirmed)
Validation Rules: 
[
    'registration_code' => ['regex:/' . Setting::get('registration_code') . '/'],
    'username' => ['required', 'alpha_dash', 'max:50', 'unique:users'],
    'display_name' => ['nullable', 'string', 'max:255'],
    'email' => ['required', 'string', 'email', 'max:255', 'unique:users'],
    'password' => ['required', 'string', 'min:8', 'confirmed'],
]
Registration Code Check: If registration is disabled in settings, aborts with 403: 
if (Setting::get('enable_registration') == false) 
    abort(403, 'admin has disable new user registration');

create()

protected function create(array $data)
Creates a new user account after validation. Process:
  1. Check if registration is enabled
  2. Hash password
  3. Assign default student role
  4. Set trial time from settings
  5. Create user record
Returns: User model instance Example from controller: 
return User::create([
    'username' => $data['username'],
    'email' => $data['email'],
    'display_name' => $data['display_name'],
    'password' => Hash::make($data['password']),
    'role_id' => Role::where('name', 'student')->first()->id,
    'trial_time' => Setting::get('default_trial_time')
]);

Password Reset System

ForgotPasswordController

Handles sending password reset links via email. Route: GET /password/reset Process:
  1. User enters email address
  2. System sends reset link to email
  3. Link contains unique token
  4. Link expires after configured time

ResetPasswordController

Handles the actual password reset. Route: GET /password/reset/{token} Process:
  1. User clicks link in email
  2. Token validated
  3. User enters new password
  4. Password updated and user logged in

Session Management

Session Lifecycle

  1. Login
    • Session created
    • User ID stored in session
    • Remember token generated (if requested)
  2. Active Session
    • Session data persisted across requests
    • CSRF token in session
    • User authenticated via session
  3. Logout
    • Session invalidated
    • CSRF token regenerated
    • Remember cookie deleted (if exists)

Remember Me Feature

When “Remember Me” is checked: 
Auth::login($user, true); // Second parameter = remember
Behavior:
  • Creates persistent cookie (default 2 weeks)
  • Cookie contains encrypted token
  • User auto-logged on return visits
  • Token stored in remember_token column
Checking Remember Status: 
if (Auth::viaRemember()) {
    // User authenticated via remember cookie
}

Security Features

CSRF Protection

All POST routes require CSRF token: 
<form method="POST" action="{{ route('login') }}">
    @csrf
    <!-- form fields -->
</form>

Password Hashing

Passwords hashed using bcrypt: 
'password' => Hash::make($data['password'])

Throttling

Laravel includes login throttling to prevent brute force:
  • Too many failed attempts = temporary lockout
  • Configurable in AuthenticatesUsers trait

Trial Period System

Wecode includes a trial period system for new users: During Registration: 
'trial_time' => Setting::get('default_trial_time')
During Login: 
if ($user->trial_time && $user->created_at->addHours($user->trial_time) <= Carbon\Carbon::now()) {
    $user->role_id = 5; // Downgrade to guest role
}
Process:
  1. User registers with trial period (hours)
  2. User has full access during trial
  3. After trial expires, role automatically downgraded to guest
  4. Guest role has limited permissions

Login Tracking

Wecode tracks user login times: 
if ($user->first_login_time == NULL) 
    $user->first_login_time = now();
else 
    $user->last_login_time = now();

$user->save();
Usage:
  • Track user engagement
  • Identify inactive accounts
  • Calculate usage metrics

Middleware

guest

Protects routes that should only be accessible to non-authenticated users:
  • Login form
  • Registration form
  • Password reset request
Redirects authenticated users to home.

auth

Protects routes that require authentication:
  • All application features
  • User dashboard
  • Submissions, assignments, etc.
Redirects unauthenticated users to login.

Authentication Configuration

Guards

Wecode uses the default web guard:
  • Session-based authentication
  • Stores user ID in session
  • Uses database user provider

Providers

Users table as authentication provider:
  • Model: App\Models\User
  • Table: users
  • Password field: password

Customization

Custom Login Logic

Wecode overrides default login() method:
  • Adds LDAP authentication
  • Trial period checking
  • Login time tracking

Custom Registration Logic

Wecode adds:
  • Registration code requirement
  • Trial period assignment
  • Role assignment
  • Optional LDAP auto-creation

enable_registration

Type: Boolean Description: Enable/disable new user registration Effect: When false, registration form shows 403 error

registration_code

Type: String (regex pattern) Description: Required code to register Usage: Limit registration to users with code

default_trial_time

Type: Integer (hours) Description: Trial period duration for new users Effect: User downgraded to guest after expiration

Error Messages

Login Errors

withErrors([
    'username' => 'Either your username or password are incorrect.',
    'password' => 'Either your username or password are incorrect.',
])

Registration Errors

  • Invalid registration code
  • Username already taken
  • Email already taken
  • Password too short
  • Password confirmation mismatch

Best Practices

For Users

  1. Use strong passwords (min 8 characters)
  2. Don’t share credentials
  3. Logout when done
  4. Use “Remember Me” only on personal devices

For Administrators

  1. Set strong registration codes
  2. Monitor trial period expiration
  3. Review login tracking data
  4. Configure LDAP if using institutional authentication
  5. Enable/disable registration as needed

Build docs developers (and LLMs) love

Get started for freeTalk to us