Authentication
Admin login, session-based auth, password reset, and profile/session management.
How it works
The admin panel uses Laravel's session-based authentication. Unauthenticated visitors hitting /admin/* are redirected to the login page. Authenticated requests must pass the admin.auth middleware, which validates the session and loads the current user (with roles eager-loaded).
Login flow
| Route | Method | Purpose |
|---|---|---|
| /admin/login | GET | Show login form |
| /admin/login | POST | Authenticate (email + password). Optional "remember me". |
| /admin/logout | POST | Destroy session and redirect to login |
| / | GET | Redirects to /admin/login |
Validation
- email — required, valid email
- password — required, min 8 chars
- remember — optional boolean
Security
- Failed attempts increment a rate-limit counter keyed by IP+email; after a threshold, login is throttled.
- Successful login regenerates the session ID (Laravel default) to prevent fixation.
- Password hashing uses bcrypt via Laravel's Hash facade.
Profile management
Each admin can manage their own profile, avatar, password, and active sessions.
| Route | Method | Purpose |
|---|---|---|
| /admin/profile | GET | Show the current user's profile |
| /admin/profile | PUT | Update name, email, avatar upload |
| /admin/profile/avatar | DELETE | Remove avatar |
| /admin/profile/password | PUT | Change password (requires current password) |
| /admin/profile/sessions/revoke | POST | Revoke all other active sessions |
Authorization
Permissions are role-based. Each role stores a JSON permission map (roles.permissions), and the User model exposes a can($ability) helper that checks all of the user's roles. Permissions are enforced in controllers and Blade views via gates.
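The following is an added illustration of the mechanism described above, not the project's own code: a User::can($ability) helper that consults each role's JSON permission map and denies by default, plus a Gate::before hook so that controller and Blade gate checks go through the same helper. The roles() relation name, the Role model, the Gate::before wiring, and the provider location are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a Role model with a
// `permissions` column holding a JSON map such as {"users.delete": true},
// and a users<->roles many-to-many relation named roles().
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;

class User extends Authenticatable
{
    public function roles(): BelongsToMany
    {
        return $this->belongsToMany(Role::class);
    }

    // Shadows Authorizable::can() so $user->can('users.delete') is answered
    // from the role permission maps. Deny by default: a missing key, a
    // non-boolean value (e.g. "1" or "yes"), an unparseable map, or a user
    // with no roles all yield false; only a strict boolean true grants.
    // Uses the roles relation the middleware already eager-loaded, so no
    // extra query per check.
    public function can($ability, $arguments = []): bool
    {
        foreach ($this->roles as $role) {
            $map = $role->permissions;          // array if cast, else raw JSON text
            if (is_string($map)) {
                $map = json_decode($map, true) ?: [];
            }
            if (is_array($map) && ($map[$ability] ?? null) === true) {
                return true;
            }
        }
        return false;
    }
}

// Assumed provider: routes every Gate check (@can in Blade, $this->authorize()
// in controllers) through the helper above. Returning null instead of false
// on a miss lets any explicitly defined Gate ability still run afterwards.
namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Gate::before(fn (User $user, string $ability) => $user->can($ability) ? true : null);
    }
}
```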
app/Http/Controllers/Admin/AuthController.php, app/Http/Controllers/Admin/ProfileController.php, app/Http/Middleware/AdminAuth.php.
Initial credentials
After running php artisan migrate:fresh --seed, a default admin user is created by the seeder. Check database/seeders/ for the credentials in your environment.