area17/twill-http-basic-auth

A Twill Capsule to add and handle HTTP Basic Auth

v2.0.2 2024-01-31 14:02 UTC

This package is auto-updated.

Last update: 2024-12-01 00:12:56 UTC


README

This Twill Capsule is intended to enable developers to configure Basic Auth on their applications.

screenshot 1

screenshot 2

Domains

You can add as many domains as you need and configure different passwords for each. You can have the https://site.com, for instance, unprotected to allow public access to it, and block access to https://origin.site.com and https://admin.site.com to only allow access to people with an account, and those that have access to the HTTP Basic Auth username and password.

One config for all

Once you enable the all domains (*) entry, the same configuration will be used for all domains available, and all other domain configurations will be hidden.

Middleware

A middleware is automatically added to all web routes, but you can configure this behaviour or even disable it to configure your middleware yourself:

'middleware' => [
    'automatic' => true,

    'groups' => ['web'],

    'class' => \A17\TwillHttpBasicAuth\Http\Middleware::class,
],

Using authentication

If you don't want to share a single username and password with everyone that will access your pages, you can configure the package to allow existing users, both on Twill (CMS) and/or Laravel (frontend), to use their own passwords to pass Basic Auth.

Installing

Supported Versions

Composer will manage this automatically for you, but these are the supported versions between Twill and this package.

Require the Composer package:

composer require area17/twill-http-basic-auth

Publish the configuration

php artisan vendor:publish --provider="A17\TwillHttpBasicAuth\ServiceProvider"

Load Capsule helpers by adding calling the loader to your AppServiceProvider:

/**
 * Register any application services.
 *
 * @return void
 */
public function register()
{
    \A17\TwillHttpBasicAuth\Services\Helpers::load();
}

Configuring via the .env file

This package is disabled by default, so you must enabled it in your .env file:

TWILL_HTTP_BASIC_AUTH_ENABLED=true

You can configure credentials both via CMS settings or the on .env file. If you set them on .env the * domain will be enabled, all other domains hidden, and the username and password overloaded by the .env keys.

TWILL_HTTP_BASIC_AUTH_USERNAME=frontend
TWILL_HTTP_BASIC_AUTH_PASSWORD=secret

Database login

You can configure the package to allow users pass HTTP Auth Basic with their existing email and password, by just enabling the feature on the .env file:

TWILL_HTTP_BASIC_AUTH_TWILL_DATABASE_LOGIN_ENABLED=true
TWILL_HTTP_BASIC_AUTH_LARAVEL_DATABASE_LOGIN_ENABLED=true

Rate limiting

The package will also, by default, rate limit users to max of 500 requests per minute to each domain. You can configure it using this .env variable:

TWILL_HTTP_BASIC_AUTH_RATE_LIMITING_ATTEMPTS=5

By requiring users to have an enabled account in Twill (or Laravel) to access a protected website, this becomes an additional security feature. It also allows you to avoid disclosing the same username and password to everyone who is authorized to view the site.

Contribute

Please contribute to this project by submitting pull requests.