Documentation SmartAdmin PHP built-in Authentication routine


This demo requires Database configured. Please head over to the database installation page to play around with it.


SmartAdmin for PHP comes with a built-in Authentication routine that you can use out of the box. The workflow follows standard security guidelines for authenticating secured pages.
To play around with this feature, head over to the Login page.

Login methods

There are three ways you can authenticate the user. Via Username & Password, Access Token and Social Login.

With password

// username and password usually from $_POST
$auth = ['username' => $username, 'password' => $password];

$authenticated = \App\App::webAuth($auth);
if ($authenticated) {
    // redirect to the secured page
} else {
    throw Exception('Invalid username or password');

If webAuth is successful, you most probably want to redirect the user to a secured page. From there, you can verify the user if already authenticated.

With Access Token

If you want to authenticate the user by access_token, used in the REST API for example, you need to use the \App\App::tokenAuth method instead.

$user = \App\App::tokenAuth([
    'username' => USERNAME,
    'access_token' => ACCESS_TOKEN

Social Login (Google & Facebook)

This feature uses Hybridauth package to handle social media authentication -- ready to use out of the box. This package supports multiple providers as well.
Once you've secured your provider credentials, modify and set the .env file.



# ...

Redirect URIs

OAuth providers requires you to specify your redirect URIs. The URIs used for each provider are the following:

Secured pages

When someone opens a secure page, you'll have to check if the user is authenticated. Use can do this by requiring init.auth.php in the page. This will initiate $_SESSION and fill in the $_user global variable -- the current logged-in user.

Note that this requires init.db.php as well, see Database Installation guide.

require_once 'init.php';

// require the db and auth
require_once 'init.db.php';
require_once 'init.auth.php';

// authenticate the page

The authenticate_page method will check if the user is authenticated. If the page is opened via a browser, it will redirect automatically to the login page if not authenticated. If the request is via ajax, it will set the HTTP Status to 403 Forbidden.