3.4 KiB
3.4 KiB
AuthController plan
Scope
- Controller:
app/Http/Controllers/Api/Auth/AuthController.php - Purpose: JWT login, token refresh, current-user lookup, logout.
- Primary dependencies:
App\Services\Auth\ApiLoginSecurityService(rate limiting / IP blocking, attempt tracking, response builder)PHPOpenSourceSaver\JWTAuth\Facades\JWTAuth(token issuance/refresh/invalidation)Illuminate\Support\Facades\Auth(current user)
Routes
- Public (no
/v1)POST /api/login→login
- Versioned (
/v1)POST /api/v1/login→login
- Auth prefix (
/v1/auth)POST /api/v1/auth/login→loginPOST /api/v1/auth/refresh→refresh(middleware:jwt.auth)POST /api/v1/auth/logout→logout(middleware:auth:api)GET /api/v1/auth/me→me(middleware:auth:api)
Authentication & authorization
login: public; checks credentials, then issues JWT.refresh: requires a valid JWT viajwt.auth.me/logout: requireauth:api(JWT/guarded user).
Request/validation expectations
login:- Accepts JSON or form payload. Extracts
email,password. - Returns
400if missing. - Normalizes email to lowercase; looks up
Userby case-insensitive email.
- Accepts JSON or form payload. Extracts
refresh:- Expects bearer token in request (handled by
JWTAuth::parseToken()).
- Expects bearer token in request (handled by
logout:- Attempts JWT invalidation when bearer token looks like a JWT (3 dot-separated segments).
- Also deletes
currentAccessToken()when supported (supports Sanctum-style tokens if present).
Response shapes
loginsuccess:ApiLoginSecurityService::buildLoginResponse($user, $jwtToken)(treat as canonical shape).loginfailures:400:{ status:false, message:"Email and password are required." }401:{ status:false, message:"Invalid email or password." }403:{ status:false, message:"Account suspended. Please reset your password." }429:{ status:false, message:"Too many failed attempts..." }
refreshsuccess (Base API shape):{ status:true, message:"Token refreshed.", data:{ access_token, token_type:"bearer", expires_in } }
mesuccess (Base API shape):{ status:true, message:"OK", data:{ id, firstname, lastname, email, class_section_id, class_section_name } }
logoutsuccess (Base API shape):{ status:true, message:"Logged out.", data:null }
Side effects & security notes
- Logs IP attempt / failed attempt / successful login via
ApiLoginSecurityService. - Suspended users are rejected after verifying credentials (avoids email enumeration by response shape).
Error handling expectations
refresh: any exception becomes401viarespondError('Token refresh failed.', 401).logout: JWT invalidation errors are intentionally ignored.
Test plan (feature)
- Login
- Missing email/password →
400. - Unknown email →
401and IP attempt logged. - Wrong password →
401and failed attempt handling invoked. - Suspended user with correct password →
403. - Successful login returns expected response shape and includes token.
- IP blocked →
429.
- Missing email/password →
- Refresh
- Valid token refresh returns new token + expires_in.
- Invalid/missing token returns
401.
- Me/Logout
- Requires auth; returns
401unauthenticated. - Logout returns success even if token invalidation fails.
- Requires auth; returns