Lab 10: Login & Authentication (Part 2)

Resources

Overview

In this lab, you will implement authentication and authorization for your e-commerce application. Building on Part 1 (User Registration), you will create login functionality, manage user sessions, protect routes with middleware, and implement role-based access control.

Your e-commerce site has two protected areas:

Admin Panel: only administrators can access the admin panel.
Checkout Process: only logged-in customers can checkout items from their cart.

Learning Objectives

Implement password verification using password_verify().
Create a login form and authentication logic.
Manage user sessions using SessionManager.
Build middleware to protect routes (AuthMiddleware, AdminAuthMiddleware).
Implement role-based access control (admin vs. customer).
Create a protected dashboard view.

Prerequisites

Part 1 completed: user registration system with UserModel.
Session Middleware lab completed (SessionManager and SessionMiddleware).
Flash Messages lab completed.
SessionMiddleware registered globally in the application.
UserModel and AuthController classes implemented.

Step 1: Add `verifyCredentials()` Method to UserModel

This method accepts an identifier (email or username) and a plain-text password. It looks up the user by email first, then by username. If a user is found, it verifies the password against the stored hash. It returns the user data on success or null on failure. Always return null for invalid credentials to avoid revealing whether an email or username exists in the system.

Open app/Domain/Models/UserModel.php and add:

1
/**
2
 * Verify user credentials by email/username and password.
3
 *
4
 * @param string $identifier Email or username
5
 * @param string $password Plain-text password to verify
6
 * @return array|null User data if credentials are valid, null otherwise
7
 */
8
public function verifyCredentials(string $identifier, string $password): ?array
9
{
10
    // TODO: Look up the user by their identifier (try email first, then username).
11
    //       If found, verify the password against the stored hash.
12
    //       Return the user data on success or null on failure.
13
}

The login form uses a single “identifier” field that accepts either an email address or a username, giving users flexibility to log in with whichever they prefer.

Create app/Views/auth/login.php:

1
<?php
2

3
use App\Helpers\ViewHelper;
4

5
ViewHelper::loadHeader($title);
6
?>
7

8
<div class="row justify-content-center">
9
    <div class="col-md-5">
10
        <div class="card">
11
            <div class="card-header">
12
                <h3 class="text-center">Login</h3>
13
            </div>
14
            <div class="card-body">
15
                <form method="POST" action="<?= APP_BASE_URL ?>/login">
16
                    <div class="mb-3">
17
                        <label for="identifier" class="form-label">Email or Username</label>
18
                        <input
19
                            type="text"
20
                            class="form-control"
21
                            id="identifier"
22
                            name="identifier"
23
                            placeholder="Enter your email or username"
24
                            required>
25
                    </div>
26

27
                    <div class="mb-3">
28
                        <label for="password" class="form-label">Password</label>
29
                        <input
30
                            type="password"
31
                            class="form-control"
32
                            id="password"
33
                            name="password"
34
                            placeholder="Enter your password"
35
                            required>
36
                    </div>
37

38
                    <div class="d-grid gap-2">
39
                        <button type="submit" class="btn btn-primary">Login</button>
40
                    </div>
41
                </form>
42

43
                <div class="mt-3 text-center">
44
                    <p>Don't have an account? <a href="<?= APP_BASE_URL ?>/register">Register here</a></p>
45
                </div>
46
            </div>
47
        </div>
48
    </div>
49
</div>
50

51
<?php ViewHelper::loadFooter(); ?>

The AuthController handles user authentication by processing login requests, verifying credentials against the database, managing user sessions, and redirecting users based on their roles (admin vs. customer).

Open app/Controllers/AuthController.php and add:

1
/**
2
 * Display the login form (GET request).
3
 */
4
public function login(Request $request, Response $response, array $args): Response
5
{
6
    // TODO: Create a $data array with 'title' => 'Login'
7

8
    // TODO: Render 'auth/login.php' view and pass $data
9
}
10

11
/**
12
 * Process login form submission (POST request).
13
 */
14
public function authenticate(Request $request, Response $response, array $args): Response
15
{
16
    // TODO: Extract the identifier and password from the submitted form
17

18
    // TODO: Validate that both fields are present
19

20
    // TODO: Attempt to verify the credentials using the UserModel
21

22
    // TODO: If authentication fails, display an error and redirect to the login page
23

24
    // TODO: Store the authenticated user's data in the session
25
    //       (ID, email, full name, role, and a flag indicating they are authenticated)
26

27
    // TODO: Display a welcome message and redirect based on role:
28
    //       admins go to the admin dashboard, customers go to the user dashboard
29
}
30

31
/**
32
 * Logout the current user (GET request).
33
 */
34
public function logout(Request $request, Response $response, array $args): Response
35
{
36
    // TODO: Destroy the session, display a success message, and redirect to the login page
37
}

Step 4: Create AuthMiddleware

AuthMiddleware acts as a gatekeeper for protected routes. It intercepts requests, checks if a user is authenticated (logged in), and either allows the request to proceed or redirects to the login page.

Create app/Middleware/AuthMiddleware.php:

1
<?php
2

3
namespace App\Middleware;
4

5
use App\Helpers\FlashMessage;
6
use App\Helpers\SessionManager;
7
use Psr\Http\Message\ResponseFactoryInterface;
8
use Psr\Http\Message\ResponseInterface as Response;
9
use Psr\Http\Message\ServerRequestInterface as Request;
10
use Psr\Http\Server\MiddlewareInterface;
11
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
12
use Slim\Routing\RouteContext;
13

14
class AuthMiddleware implements MiddlewareInterface
15
{
16
    public function __construct(private ResponseFactoryInterface $responseFactory)
17
    {
18
    }
19

20
    /**
21
     * Process the request - check if user is authenticated.
22
     */
23
    public function process(Request $request, RequestHandler $handler): Response
24
    {
25
        // TODO: Retrieve the user's authentication status from the session.
26
        //       If not authenticated, display an error flash message and redirect to the login page.
27
        //       If authenticated, allow the request to proceed.
28
        //
29
        //       Use the following to generate the login URL and create a redirect response:
30
        //       $routeParser = RouteContext::fromRequest($request)->getRouteParser();
31
        //       $loginUrl = $routeParser->urlFor('auth.login');
32
        //       $response = $this->responseFactory->createResponse(302);
33
        //       return $response->withHeader('Location', $loginUrl);
34
    }
35
}

Step 5: Create AdminAuthMiddleware

AdminAuthMiddleware provides enhanced protection for admin-only routes. It performs two checks: verifying the user is logged in AND confirming they have the admin role. Regular customers are redirected to their dashboard even if they are logged in.

Create app/Middleware/AdminAuthMiddleware.php:

1
<?php
2

3
namespace App\Middleware;
4

5
use App\Helpers\FlashMessage;
6
use App\Helpers\SessionManager;
7
use Psr\Http\Message\ResponseFactoryInterface;
8
use Psr\Http\Message\ResponseInterface as Response;
9
use Psr\Http\Message\ServerRequestInterface as Request;
10
use Psr\Http\Server\MiddlewareInterface;
11
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
12
use Slim\Routing\RouteContext;
13

14
class AdminAuthMiddleware implements MiddlewareInterface
15
{
16
    public function __construct(private ResponseFactoryInterface $responseFactory)
17
    {
18
    }
19

20
    /**
21
     * Process the request - check if user is authenticated AND is an admin.
22
     */
23
    public function process(Request $request, RequestHandler $handler): Response
24
    {
25
        // TODO: Retrieve the user's authentication status and role from the session.
26
        //       If not authenticated, redirect to the login page.
27
        //       If authenticated but not an admin, redirect to the user dashboard
28
        //       with an access denied message.
29
        //       If both checks pass, allow the request to proceed.
30
        //
31
        //       Use the same redirect pattern as AuthMiddleware (RouteParser + responseFactory).
32
    }
33
}

Step 6: Create Dashboard View

This is a simple customer dashboard that displays user information from the session. The header layout is loaded via ViewHelper, so flash messages are already rendered.

Create app/Views/user/dashboard.php:

1
<?php
2

3
use App\Helpers\SessionManager;
4
use App\Helpers\ViewHelper;
5

6
ViewHelper::loadHeader($title);
7
?>
8

9
<h1>User Dashboard</h1>
10

11
<div class="row">
12
    <div class="col-md-4">
13
        <div class="card">
14
            <div class="card-body">
15
                <h5 class="card-title">My Profile</h5>
16
                <p class="card-text">
17
                    <strong>Name:</strong> <?= hs(SessionManager::get('user_name', 'N/A')) ?><br>
18
                    <strong>Email:</strong> <?= hs(SessionManager::get('user_email', 'N/A')) ?><br>
19
                    <strong>Role:</strong> <?= hs(SessionManager::get('user_role', 'N/A')) ?>
20
                </p>
21
            </div>
22
        </div>
23
    </div>
24

25
    <div class="col-md-8">
26
        <div class="card">
27
            <div class="card-body">
28
                <h5 class="card-title">Quick Actions</h5>
29
                <div class="d-grid gap-2">
30
                    <a href="<?= APP_BASE_URL ?>/" class="btn btn-primary">Browse Products</a>
31
                    <a href="<?= APP_BASE_URL ?>/logout" class="btn btn-outline-secondary">Logout</a>
32
                </div>
33
            </div>
34
        </div>
35
    </div>
36
</div>
37

38
<?php ViewHelper::loadFooter(); ?>

Add to AuthController.php:

1
/**
2
 * Display user dashboard (protected route).
3
 */
4
public function dashboard(Request $request, Response $response, array $args): Response
5
{
6
    // TODO: Create a $data array with 'title' => 'Dashboard'
7

8
    // TODO: Render 'user/dashboard.php' view and pass $data
9
}

Step 7: Register All Routes

Some routes require authentication while others do not. Open app/Routes/web-routes.php and follow the steps below.

Step 7.1: Import Required Classes

Add these imports at the top of your routes file:

1
use App\Controllers\AuthController;
2
use App\Middleware\AuthMiddleware;
3
use App\Middleware\AdminAuthMiddleware;

Step 7.2: Register Public Routes

The following routes do not require authentication. Users must be able to access the login and logout pages without being logged in.

1
// Public routes (no authentication required)
2
// TODO: Create a GET route for '/login' that maps to AuthController::class 'login' method
3
//       Set the route name to 'auth.login'
4

5
// TODO: Create a POST route for '/login' that maps to AuthController::class 'authenticate' method
6

7
// TODO: Create a GET route for '/logout' that maps to AuthController::class 'logout' method
8
//       Set the route name to 'auth.logout'

Step 7.3: Register Protected User Dashboard Route

This route requires authentication but is available to all logged-in users (both admin and customer).

1
// TODO: Create a GET route for '/dashboard' that maps to AuthController::class 'dashboard' method
2
//       Set the route name to 'user.dashboard'
3
//       Apply AuthMiddleware using ->add(AuthMiddleware::class)

For example:

1
$app->get('/dashboard', [AuthController::class, 'dashboard'])
2
    ->setName('user.dashboard')
3
    ->add(AuthMiddleware::class);

The middleware checks the session before the route handler runs. If the user is not logged in, they are redirected to the login page. If they are logged in, the request proceeds to the dashboard.

Step 7.4: Protect Checkout Routes (Optional)

If you have implemented a shopping cart, protect checkout routes with AuthMiddleware so that only logged-in users can place orders. Otherwise, skip this step.

1
// TODO: Create a route group for '/checkout' and apply AuthMiddleware
2
//       $app->group('/checkout', function ($group) {
3
//           $group->get('', [CartController::class, 'checkout']);
4
//           $group->post('', [CartController::class, 'processCheckout']);
5
//       })->add(AuthMiddleware::class);

Using a route group applies the middleware to all routes in the group at once, so you don’t need to add it to each route individually.

Step 7.5: Protect Admin Routes

Apply AdminAuthMiddleware to your existing admin route group. This middleware checks both authentication AND the admin role, so regular customers are denied access even if they are logged in.

1
// TODO: Apply AdminAuthMiddleware to your existing admin route group
2
//       Find your '/admin' route group and add ->add(AdminAuthMiddleware::class) at the end
3
//
4
//       $app->group('/admin', function ($group) {
5
//           $group->get('/dashboard', [AdminController::class, 'dashboard'])->setName('admin.dashboard');
6
//           // ... your other admin routes
7
//       })->add(AdminAuthMiddleware::class);

Make sure your admin dashboard route has the name 'admin.dashboard' so the login redirect works correctly for admin users.

Testing Your Implementation

Visit http://localhost/[your-app]/login
Enter valid credentials from Part 1
Click “Login”
You should see a success message and be redirected to the dashboard

Invalid Credentials

Test with a wrong password, a non-existent email, and empty fields. In all cases, the error message should say “Invalid credentials” without revealing whether the email or username exists.

Try logging in with your username instead of email. It should work the same way.

Protected Route Access

Without logging in, visit http://localhost/[your-app]/dashboard. You should be redirected to the login page with an error message.
Log in, then visit /dashboard again. The dashboard should display your user information.

Admin Route Access

Register a new user through the registration form, then open phpMyAdmin and change the role column to 'admin' for that user.
Log in as a regular customer and try to visit /admin/dashboard. You should see “Access denied” and be redirected to the user dashboard.
Log in as the admin user and visit /admin/dashboard. The admin dashboard should display successfully.

Logout

While logged in, visit /logout
You should see a success message and be redirected to the login page
Try to access /dashboard again. You should be redirected to login since the session was destroyed.

Role-Based Redirection

After login, customers should be redirected to /dashboard and admins to /admin/dashboard.