area17 / twill-http-basic-auth
A Twill Capsule to add and handle HTTP Basic Auth
Requires
- php: >=8.0
- area17/http-basic-auth: 1.x-dev
- area17/twill: ^3.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.0
- laravel/dusk: ^7.12
- nunomaduro/larastan: ^2.0
- orchestra/testbench: ^7.11
- phpstan/phpstan: ^1.8
README
This Twill Capsule is intended to enable developers to configure Basic Auth on their applications.
Domains
You can add as many domains as you need and configure a different password for each. For instance, you can leave https://site.com unprotected to allow public access, and restrict https://origin.site.com and https://admin.site.com to people with an account and to those who have the HTTP Basic Auth username and password.
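A post-deployment check for the per-domain policy described above, as an added example that is not part of the package or its README. It assumes protected domains answer an unauthenticated request with the standard HTTP Basic challenge (401 plus a `WWW-Authenticate: Basic` header); the function names are hypothetical and the sample responses are constructed.

```python
import sys
import urllib.error
import urllib.request

# Policy from the README's example domains: True = must demand Basic Auth.
EXPECTED = {
    "https://site.com": False,
    "https://origin.site.com": True,
    "https://admin.site.com": True,
}

# Constructed (status, WWW-Authenticate) responses so the check runs offline.
SAMPLE = {
    "https://site.com": (200, ""),
    "https://origin.site.com": (401, 'Basic realm="Restricted"'),
    "https://admin.site.com": (200, ""),  # constructed misconfiguration
}

def probe(url, timeout=10):
    """Unauthenticated GET; returns (status, WWW-Authenticate header or '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")

def check(url, protected, status, challenge):
    """Findings for one domain; an empty list means it matches the policy."""
    findings = []
    if protected:
        if not url.lower().startswith("https://"):
            findings.append("Basic Auth credentials would travel unencrypted")
        if status != 401:
            findings.append(f"expected 401 without credentials, got {status}")
        elif not challenge.lower().startswith("basic"):
            findings.append("401 without a Basic challenge")
    elif status == 401:
        findings.append("public domain is asking for credentials")
    return findings

def audit(expected=EXPECTED, fetch=SAMPLE.get):
    """Map each non-compliant URL to its findings."""
    results = {url: check(url, prot, *fetch(url)) for url, prot in expected.items()}
    return {url: found for url, found in results.items() if found}

if __name__ == "__main__":
    fetch = probe if "--live" in sys.argv else SAMPLE.get
    for url, found in audit(fetch=fetch).items():
        print(f"{url}: {'; '.join(found)}")
```

Run it with `--live` after replacing the keys of `EXPECTED` with your own domains; without the flag it evaluates the constructed responses only.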
One config for all
Once you enable the all domains (*) entry, the same configuration will be used for all domains available, and all other domain configurations will be hidden.
Middleware
A middleware is automatically added to all web routes, but you can configure this behaviour or even disable it to configure your middleware yourself:
'middleware' => [
    'automatic' => true,
    'groups' => ['web'],
    'class' => \A17\TwillHttpBasicAuth\Http\Middleware::class,
],
Using authentication
If you don't want to share a single username and password with everyone that will access your pages, you can configure the package to allow existing users, both on Twill (CMS) and/or Laravel (frontend), to use their own passwords to pass Basic Auth.
Installing
Supported Versions
Composer will manage this automatically for you, but these are the supported versions between Twill and this package.
Require the Composer package:
composer require area17/twill-http-basic-auth
Publish the configuration
php artisan vendor:publish --provider="A17\TwillHttpBasicAuth\ServiceProvider"
Load the Capsule helpers by calling the loader in your AppServiceProvider:
/**
 * Register any application services.
 *
 * @return void
 */
public function register()
{
    \A17\TwillHttpBasicAuth\Services\Helpers::load();
}
Configuring via the .env file
This package is disabled by default, so you must enable it in your .env file:
TWILL_HTTP_BASIC_AUTH_ENABLED=true
You can configure credentials either via the CMS settings or in the .env file. If you set them in .env, the * domain will be enabled, all other domains hidden, and the username and password overridden by the .env keys.
TWILL_HTTP_BASIC_AUTH_USERNAME=frontend
TWILL_HTTP_BASIC_AUTH_PASSWORD=secret
Database login
You can configure the package to allow users to pass HTTP Basic Auth with their existing email and password by enabling the feature in the .env file:
TWILL_HTTP_BASIC_AUTH_TWILL_DATABASE_LOGIN_ENABLED=true
TWILL_HTTP_BASIC_AUTH_LARAVEL_DATABASE_LOGIN_ENABLED=true
Rate limiting
The package will also, by default, rate limit users to a maximum of 500 requests per minute to each domain. You can configure it using this .env variable:
TWILL_HTTP_BASIC_AUTH_RATE_LIMITING_ATTEMPTS=5
By requiring users to have an enabled account in Twill (or Laravel) to access a protected website, this becomes an additional security feature. It also allows you to avoid disclosing the same username and password to everyone who is authorized to view the site.
Contribute
Please contribute to this project by submitting pull requests.