Multiple User Providers for authenthication (e.g. : using different model for Admin & User)

[ahmaruff]

Hello, I've search this topic in multiple place but it seem there is no explanation.
in my project, I try to separate user & admin to different models & table. because each have different table schema,
how to achive this using this library?. I'm thinking like "guards" in laravel that have different "providers".
in this library, file Config/Auth.php seems only allow 1 userProviders, so I don't know how to do this.

or maybe CI4/Shield using different strategy that I'm not aware?, please tell me, thank you.

[datamweb]

Hi,
To be honest, I did not understand your question, every user (administrator, normal user, etc.) has some characteristics, such as name, f_name, l_name, email, etc.

To separate the type of users, you must set user groups or access accesses for each user.
You are free to use the model of this library or to expand it, and there are no restrictions for you. You can also create a model without dependency on this library.

Perhaps providing more details, including the structure of the administrator and user tables, or explaining it in more detail, or providing minimal code to understand the issue will help answer your question.

[ahmaruff]

Sorry if it confuse you.
I mean, in laravel i could create custom guard for each type of user. Ex: admin guard & user guard. Each has different Model Provider.

My question is, is there something similiar in this library?

Why i want to do this?, Because admin only need fewer attributes than regular users and i think it is easier to manage.

But maybe you can share different approach to achieve something like this

[kenjis]

Shield's user table has minimum attributes.
Shield does not expect to have more than one UserProvider as you noticed in the config file.
I don't know what "guards" is. So I don't understand what exactly you want.

But if you want to use multiple UserProviders, you can create (extend) your class(es) for it.
Changing the UserProvider at runtime is not so difficult.

[ahmaruff]

Thanks for your explanation.
I try to stick with this library concept/philosophy, so extending userProvider (as you mentioned) will be my last option.

I think the simplest solution is create separate table/model that have 1:1 relationship with users table. (Ex: UserDataModel)

Now i'm thinking about registration process, since Admin only need fewer data, is it better to create separated RegisterView & RegisterAction for admin & user?. (because User input some additional data in registration that is saved in UserDataModel & admin doesnt need this additional data)

[kenjis]

All I can say is that the current Shield is not supposed to have multiple UserProviders.

If you have two register pages (for users and admins), I think it is easier to understand you have two controllers (and the methods).

[kenjis]

The Auth class has getProvider():

shield/src/Auth.php

Line 126 in 2e582d9

public function getProvider(): UserModel

If you override this, you can change the UserProvider.

[janroz]

I perfectly understand the question, because I am facing the same problem. I will try to explain it.

Some years ago I made simple CMS on CI4. There is backend for editors, we have articles, pages and list of editors.
Then we have a website with some articles and news. Visitors can sign-up, then they can comment posts, like some posts etc.

So there are two dashboards - for admins and for visitors. I would like to separate this two things because of security, I don't want visitors in the same table, as admin accounts etc.

When I will have some time, I look at it deeper.

[nestorochoa]

Any news on this topic?
I have the same issue, I have three different roles that the users are in different tables.
Can we create a Provider for each one and use it when we need?

[ahmaruff]

My solution is basically using default shield UserModel and create separate userData table for each type of user (1:1 relationship).
then in registration process, I assign that user to different role/Group.
and then while login, it will redirect based on its role/group to their dashboard

---

1. use single UserModel using default Shield UserModel
2. create separate db table/model for additional data for user. add foreign key to user model (1:1) (e.g. UserbiodataModel)
3. create two separate filters for admin & user
   mine is app/filtersAdminAuth.php and app/filters/SiswaAuth.php

// AdminAuth.php
 public function before(RequestInterface $request, $arguments = null)
    {
        if(auth()->user()->inGroup('superadmin','admin')) {
            return;
        }
        return redirect()->route('login');
    }

// SiswaAuth.php
public function before(RequestInterface $request, $arguments = null)
    {
        if(auth()->user()->inGroup('user')) {
            return;
        }
        return redirect()->route('login');
    }

4. add those filters to app/Config/Filters.php (don't forget to enable $multipleFilters app/Config/Feature.php)

    public array $aliases = [
        'csrf'          => CSRF::class,
        'toolbar'       => DebugToolbar::class,
        'honeypot'      => Honeypot::class,
        'invalidchars'  => InvalidChars::class,
        'secureheaders' => SecureHeaders::class,
        'admin-auth'    => AdminAuth::class,
        'siswa-auth'    => SiswaAuth::class,
    ];

5. add different redirect path for different type of user app/Config/Auth.php after login

public function loginRedirect(): string
    {
        if (auth()->user()->can('admin.access')) {
            return '/admin';
        }

        if (auth()->user()->can('user.access')) {
            return '/siswa';
        }

        $url = setting('Auth.redirects')['login'];

        return $this->getUrl($url);
    }

6. ROUTES (app/Config/Routes.php)

service('auth')->routes($routes, [ 'except' => ['login', 'register']]);

$routes->get('login',       '\App\Controllers\Auth\LoginController::loginView');
$routes->post('login',      '\App\Controllers\Auth\LoginController::loginAction');
$routes->get('register',    '\App\Controllers\Auth\RegisterController::registerView');
$routes->post('register',   '\App\Controllers\Auth\RegisterController::registerSiswaAction');

$routes->group('siswa',['filter' => ['session','siswa-auth']], static function($routes) {
    $routes->get('/','\App\Controllers\Siswa\SiswaController::dashboard');
    // some other user routes
});

$routes->group('admin',['filter' => ['session','admin-auth']], static function($routes) {
    $routes->get('/', '\App\Controllers\Admin\AdminController::dashboard');
    // some other admin routes
});

7. login controller

public function loginAction() : RedirectResponse
     {
        // validate first
        $rules = $this->getValidationRules();

        if(!$this->validate($rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors() );
        }

        $credentials = $this->request->getPost(setting('Auth.validFields'));
        $credentials = array_filter($credentials);
        $credentials['password'] = $this->request->getPost('password');
        $remember                = (bool) $this->request->getPost('remember');

        /** @var Session $authenticator */
        $authenticator = auth('session')->getAuthenticator();

        // If an action has been defined for login, start it up.
        if ($authenticator->hasAction()) {
            return redirect()->route('auth-action-show')->withCookies();
        }

        // Attempt to login
        $result = $authenticator->remember($remember)->attempt($credentials);

        // if login fail
        if (! $result->isOK()) {
            return redirect()->route('login')->withInput()->with('error', $result->reason());
        }

        // if login success, 
        return redirect()->to(config('Auth')->loginRedirect())->withCookies();
    }

8. in RegisterController, its only for regular user. for admin account, I use DatabaseSeeder (directly insert to database).

/**
     * Attempts to register the user
*/
public function registerSiswaAction() {
        if (auth()->loggedIn()) {
            return redirect()->to(config('Auth')->registerRedirect());
        }

        // Check if registration is allowed
        if (! setting('Auth.allowRegistration')) {
            return redirect()->back()->withInput()
                ->with('error', lang('Auth.registerDisabled'));
        }

        $users = $this->getUserProvider();

        // Validate here first, since some things,
        // like the password, can only be validated properly here.

        $validationRules = $this->getValidationRules(); // DEFAULT SHIELD USERS VALIDATION RULES

        // RULES
        $usersRules = [
            'email' => $validationRules['email'],         
        ];
        
        // RULES FOR ADDITIONAL USER DATA
        $biodataRules = [
            'nama' => [
                'label' => 'nama',
                'rules' => ['required', 'string'],
            ],
            'tempat_lahir' => [
                'label' => 'tempat_lahir',
                'rules' => ['required', 'string'],
            ],
            // some other fields rules
        ];
        
        // validation
        if (!$this->validate($usersRules) || !$this->validate($biodataRules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        // --------- SAVE USER ------
        // USERNAME
        $username = $this->request->getPost('username');

        // GENERATE PASSWORD/PIN (6 number PIN)
        $password = mt_rand(100000,999999);
        
        // GET EMAIL FROM REQUEST 
        $email = $this->request->getPost('email');

        // USER DATA REQUEST
        $userRequest = [
            'email' => $email,
            'username' => $username
            'password' => $password,
            'password_confirm' => $password,
        ];

        $user = $this->getUserEntity();
        $user->fill($userRequest);

        // Workaround for email only registration/login
        if ($user->username === null) {
            $user->username = null;
        }

        // BIODATA DATA REQUEST
        $biodataFields = array_keys($biodataRules);
        $biodataRequest = $this->request->getPost($biodataFields);

        try 
           //save to UserModel
            $users->save($user);
            $id_user = $users->getInsertID();

            // ADD id_user
            $biodataRequest['id_user'] = $id_user;
          
            // SAVE biodata
            $this->db->table('biodata')->insert($biodataRequest); //you can use Model instead of query builder

        } catch (ValidationException $e) {
            return redirect()->back()->withInput()->with('errors', $users->errors());
        }

        // To get the complete user object with ID, we need to get from the database
        $user = $users->findById($users->getInsertID());

        // Add to default group (user group)
        $users->addToDefaultGroup($user);

        Events::trigger('register', $user);

        /** @var Session $authenticator */
        $authenticator = auth('session')->getAuthenticator();

        // If an action has been defined for register, start it up.
        $hasAction = $authenticator->startUpAction('register', $user);
        if ($hasAction) {
            return redirect()->to('auth/a/show');
        }

        // RETURN TO SUCCESS PAGE
        $data = [
            'email' => $email,
            'nama' => $biodataRequest['nama'],
            'username' => $username,
            'password' => $password,
        ];

        // Success!
        return view('auth/register-success',$data);
    }

app/Database/Seeds/CreateAdminAccount

class CreateAdminAccount extends Seeder
{
    public function run()
    {
        $users = new UserModel();
        $admin = new User([
            'username' => 'admin',
            'email' => '[email protected]',
            'password' => 'admin123',
        ]);
        $users->save($admin);
        $admin = $users->findById($users->getInsertID());
        $admin->addGroup('superadmin');
    }
}

NOTE:

1. maybe there is some step that I forgot to mention, but I think this litle explanation could give you general idea how it's done
2. I think as @kenjis mention in here, it is a better solution. I just too dumb to get this thing works.