PHP Auth library vs. Laravel Auth

[mocny]

So I have a dilema if using a library, that was planned to be rewritten in the y2020 (git-repo: PHPAuth) is 'secure enough', or whether I should rather use up-to-date handling like Laravel is (as I believe). Or maybe one other library delight-im/PHP Auth.

I am only delving into PHP, so I am not capable of doing a lot of magic and editing properly those libs myself, but I am asking, if it is even relevant at this point and if Laravel would be more useful to learn, though I do not need so much options and as a big package as Laravel provides.

I am not a PHP developer, I am more of a frontend guy/graphic designer, though PHP looks appealing to me.

Thanks.

[requinix]

Laravel is dumb, but a thing that exists and is popular and is dumb and people do use it. It's primarily an entire framework, as in it provides a dumb foundation for an entire website/application, but there are dumb library aspects to it too. I wouldn't suggest it because it is really more of a dumb framework than a library, so using pieces of it may not work out. Not that I ever have done so myself, given that Laravel is dumb, though I have used Laravel (as a framework) before, so take that with a grain of salt. You should also consider that Laravel is dumb.

I would put far more faith in an ecosystem like Symfony, which is pretty much the de-facto choice of libraries for PHP, than I would in random things you'll find across the internet. Especially things that haven't been touched in years, which means they haven't been maintained, and since no code is ever perfect this also means it has bugs that aren't getting fixed. Meanwhile Laravel, despite being dumb, actually uses some Symfony pieces internally, which isn't dumb. Using Symfony does require a little more effort on your part as it tends to try to be powerful and this can mean it sacrifices some ease of use, but this is a good thing as you're working with a - dare I say - not dumb library.

But I wouldn't be a senior developer unless I gave you the standard reply: "it depends". The primary matter is going to be what kind of "auth" you're talking about. Do you mean a full user system, like with signups and password resets and an administration tool? Do you mean something to password-protect some files, or a section of your site? Do you need something that looks nice or can it be something super simple provided it can do the job? Do you need to deal with user accounts being added and disabled, or just something quick where you can give out a password to people you want to allow access?

[mocny]

Thank you for your response. Basically I just need to protect custom admin panel, for managing content, public calendar, uploading images/photos/managingGallery and basic stuff like this. I do not need multiple user accounts to differentiate changes on the page though. But I do need signup, password resets/forgots, email verification and captcha I guess. But those can be handled by those libraries, so that is why I am considering libs vs. full fledged framework. I know about Symphony but it has steeper learning curve, though I am aware of its power. Don't care if Laravel is dumb, but I am a bit concerned from my frontend/graphic point of view, that I will be limited to some degree with what I can do with my site. As someone who has seen and understand Laravel structure, can you comment on this? If I may hit rock-bottom at some point in my development, if I would like to do some wild stuff on with sites? For reference: sites like you can find on awwwards.com where Laravel frmwrk is not as much seen (if at all) a lot of animation, three.js and other libraries are used, or I shouldn't be concerned about that at all and routing shouldn't be problem?

I still feel that for my purpose even Symfony or any framework would be overkill. Or maybe learning proper auth in PHP would be more effective in my case? I am a bit disappointed that I can not find some functional open-source PHP lib that would be updated regularly by some PRO PHP developers 😕 If someone knows up-to-date manuals for proper PHP auth, please do share, thank you.

PS: When I speak about Auth, I mean authentication+authorization, since I know about Casbin (author. lib) but some lib. that would handle it all for PHP exclusively.

Edited June 14 by mocny

[mocny]

I have found cartalyst/sentinel that seems to be bundled also in Laravel (or at least previous versions were) and is framework agnostic, so I will check it out.

If someone has any suggestions/ideas/opinions, I will read it gladly.

[requinix]

On 6/14/2024 at 4:11 AM, mocny said:

I do not need multiple user accounts to differentiate changes on the page though. But I do need signup, password resets/forgots, email verification and captcha I guess.

 

If you don't need multiple user accounts then why do you need signup and password resets and such? Those features are for letting (multiple) users manage their own accounts - if you don't have multiple users, or if you don't mind managing their accounts for them, then you don't need those features.

 

On 6/14/2024 at 4:11 AM, mocny said:

But those can be handled by those libraries, so that is why I am considering libs vs. full fledged framework.

Partly. A library will give you the tools to build a bookcase, but you still have to build the bookcase yourself.

 

On 6/14/2024 at 4:11 AM, mocny said:

As someone who has seen and understand Laravel structure, can you comment on this?

My opinion of Laravel is primarily technical in nature: I don't believe it is a well-designed piece of software. Laravel provides a lot of features, but it will not be everything you need: you will have to do some work yourself. Which means you'll have to understand Laravel and deal with its... eccentricities.

 

On 6/14/2024 at 4:11 AM, mocny said:

If I may hit rock-bottom at some point in my development, if I would like to do some wild stuff on with sites? For reference: sites like you can find on awwwards.com where Laravel frmwrk is not as much seen (if at all) a lot of animation, three.js and other libraries are used, or I shouldn't be concerned about that at all and routing shouldn't be problem?

Spoiler alert: Laravel or Symfony or CakePHP or whatever runs on the backend has approximately 0% to do with what you see on the website itself. Those things are nails and screws and paint primer and are great at keeping the bookcase together and usable, but you are absolutely not going to be judging the bookcase based on whether it used nails or screws. Whatever system you choose, the frontend is what users see and interact with, and the frontend can be whatever you want regardless of what's happening in the backend.

Frameworks like Laravel will give you a starting point to build from, but unless you want to keep the stock appearance they provide you with out of the box, you're going to need something separate. Maybe you make it yourself, maybe you buy it, whatever.

 

On 6/14/2024 at 4:11 AM, mocny said:

Or maybe learning proper auth in PHP would be more effective in my case?

The problem is that things like user authentication are tricky. It's easy to do, but it's not easy to do right. Learning how to do it right will take a long time and you'll be reinventing how shelves work. If you want to do that then great, and I even encourage it, but most people want shelves they can put their books on today.

 

On 6/14/2024 at 4:11 AM, mocny said:

I am a bit disappointed that I can not find some functional open-source PHP lib that would be updated regularly by some PRO PHP developers 😕 If someone knows up-to-date manuals for proper PHP auth, please do share, thank you.

Professional, huh? So how much money are you willing to spend? You willing to help pay the salary of some "professional" developers?

Those are rhetorical questions. Fact is, the best stuff you're going to find is what I've already said and you've already seen. Another fact is that there is rarely, rarely ever going to be a piece of software out there that does everything you want. Because you're the only one who knows what you want, and you're not out there writing it. So you have two choices: you can lower your expectations to find common denominators already available, or you can keep your desired set of features and functionality and accept that you'll have to do some amount of work yourself.

[gizmola]

I will 2nd Requinix's advice:  Just use Symfony.

I say this as someone who has built and/or extended a number of enterprise systems using Symfony and Laravel.  They are both capable of doing most of what you want, and have things in common beyond both being MVC frameworks, as in for example, they both are examples of Dependency Injection frameworks.  But of the two, Symfony has consistently made choices that represent forward thinking and the best practices in modern framework based software development.  Symfony provides great utility, without sacrificing flexibility or resorting to "magic" and hard wired conventions.

There was a time when Laravel's "opinionated ... just do it the way we tell you" was an advantage to developers new to php framework based development, and especially in the area of application users, authentication and security, as compared to symfony.

Symfony was intentionally agnostic, flexible, and required more decision making on the part of the developer, with features like voters that allow you to create sophisticated authentication schemes that can factor in roles as well as data.  Voters are great when you need them, but can be intimidating when you don't or aren't sure what they are for. 

At this point, all that has been smoothed out.  Symfony is still architected to make it easy for people to plug into any of the many ways that people might want to implement or integrate with existing enterprise or single sign on infrastructure, however, for what you want, you can just use the maker bundle to generate the vast majority of code you need, and follow the advice and instructions in the Security documentation.

Once you've chosen Symfony, significantly in my opinion, you get the Doctrine ORM which is superior to Laravel's Eloquent, and as you will make use of it for security, you'll also discover its utility and likely end up using it for many other things you build into your application.  It is far better designed for advanced relational database features like transactions.