jj63systems

Security design approach - what would you suggest

Hi, I'm designing an application which will allow users to self-register and there will be personal data recorded against them (entered by users) in a number of categories.

  1. From my understanding, Laravel Breeze or Jetstream is required to implement the register / login / 2FA etc. - is there anything else that might be appropriate / "better"?

This application will need to permit the user (USERA) to grant access to another user (USERB) - that grant being either read-only or manage-on-my-behalf. USERB may or may not already exist.

  2. If using Breeze / Jetstream, do you know if it would lend itself to this kind of feature (or limit my ability to develop it)?

  3. As the user will have personal data and we only ever want that user to see their own data (unless they have been granted access to another person's data), would you agree with the approach of putting a user_id column on all the relevant child (d'oh - no brainer/required of course!) but also grandchild (and great-grandchild) tables? This always makes it easy to see the data that relates to a specific user without the necessity to join other tables. I am in two minds on this.

  4. In terms of (via the application) ensuring that a user can ONLY ever access data that belongs to them, is that something that is provided within Laravel (or via Breeze / Jetstream)?

Really appreciate thoughts on this, I am sketching out the required components and want to start building ASAP - and figure the first thing to build is a robust security model - and then build the specific application functionality on the top of this.

cheers j

LaryAI

To address your questions regarding the security design approach for your Laravel application, let's break it down step by step:

  1. User Registration and Authentication:

    • Laravel Breeze and Jetstream: Both are excellent starting points for implementing user registration, login, and two-factor authentication (2FA). Breeze is simpler and more lightweight, while Jetstream offers more features, including team management and API support via Laravel Sanctum.
    • Alternatives: If you need more customization or a different approach, you might consider using Laravel Fortify, which provides backend authentication services without any frontend scaffolding, allowing you to build your own UI.
  2. Granting Access to Other Users:

    • Breeze/Jetstream Flexibility: Both can be extended to support additional features like granting access to other users. You would need to implement custom logic to handle the permissions and roles for USERA and USERB.

    • Implementation Suggestion: You can create a permissions table to manage access levels between users. For example:

      use Illuminate\Database\Schema\Blueprint;
      use Illuminate\Support\Facades\Schema;

      Schema::create('permissions', function (Blueprint $table) {
          $table->id();
          // Both sides reference users; drop the grant when either account is deleted.
          $table->foreignId('owner_id')->constrained('users')->cascadeOnDelete();
          $table->foreignId('grantee_id')->constrained('users')->cascadeOnDelete();
          $table->enum('access_level', ['read-only', 'manage']);
          $table->timestamps();
          // One grant per (owner, grantee) pair; change the level by updating the row.
          $table->unique(['owner_id', 'grantee_id']);
      });
      
  3. Database Design for User Data:

    • User ID Columns: Adding a user_id column to child tables is a common practice to ensure data is associated with the correct user. However, adding it to grandchild tables depends on your specific use case. If the relationship is indirect, you might not need it on every table, but it can simplify queries.
    • Considerations: Ensure that your database design supports efficient queries and maintains data integrity. You might use foreign keys and indexes to optimize performance.
  4. Data Access Control:

    • Laravel's Built-in Features: Laravel provides policies and gates to manage user permissions. You can define policies for your models to ensure users can only access their own data or data they have been granted access to.

    • Example Policy:

      public function view(User $user, DataModel $data): bool
      {
          // Owner always; otherwise any grant (read-only or manage) from the owner to this user.
          // Permission is assumed to be the Eloquent model over the permissions table above.
          return $data->user_id === $user->id
              || Permission::where('owner_id', $data->user_id)
                            ->where('grantee_id', $user->id)
                            ->exists();
      }
      
    • Middleware: You can also use middleware to check permissions before allowing access to certain routes.

  5. Security Model First Approach:

    • It's wise to establish a robust security model before building application-specific functionality. This ensures that your application is secure from the ground up and can handle sensitive user data appropriately.

By leveraging Laravel's built-in features and extending them with custom logic, you can create a secure and flexible application that meets your requirements.
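A worked version of the policy-plus-scope approach the reply describes, added here as an example and not code from the thread. It assumes the `permissions` table from the reply's migration (owner_id, grantee_id, access_level), a `records` table whose `user_id` column names the data owner, and the hypothetical class names `Permission`, `Record`, `RecordPolicy` and `RecordController`. It shows the two checks a practitioner actually needs: a query scope so listings never return another user's rows, and a policy that lets a read-only grantee view but not update.

```php
<?php
// Added example, not code from the thread. Assumes the `permissions` table from the
// reply's migration, a `records` table with a `user_id` owner column, and the
// hypothetical class names below. Note that spatie/laravel-permission also creates a
// `permissions` table; rename this table and model if that package is installed.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class Permission extends Model
{
    public const READ_ONLY = 'read-only';
    public const MANAGE = 'manage';

    protected $fillable = ['owner_id', 'grantee_id', 'access_level'];
}

class Record extends Model
{
    protected $fillable = ['user_id', 'body'];

    // Rows the user owns, plus rows owned by anyone who granted them access.
    // user_id lives on the row itself, so no join through parent tables is needed.
    public function scopeVisibleTo(Builder $query, User $user): Builder
    {
        return $query->where(function (Builder $q) use ($user) {
            $q->where('user_id', $user->id)
              ->orWhereIn('user_id', Permission::query()
                  ->select('owner_id')
                  ->where('grantee_id', $user->id));
        });
    }
}

namespace App\Policies;

use App\Models\Permission;
use App\Models\Record;
use App\Models\User;

// Laravel auto-discovers App\Policies\RecordPolicy for App\Models\Record.
class RecordPolicy
{
    // Read: the owner, or a grantee at either level.
    public function view(User $user, Record $record): bool
    {
        return $record->user_id === $user->id
            || $this->grantLevel($user, $record) !== null;
    }

    // Write: the owner, or a grantee holding a 'manage' grant; read-only is refused.
    public function update(User $user, Record $record): bool
    {
        return $record->user_id === $user->id
            || $this->grantLevel($user, $record) === Permission::MANAGE;
    }

    public function delete(User $user, Record $record): bool
    {
        return $this->update($user, $record);
    }

    // access_level of the grant from the record's owner to $user, or null if none.
    private function grantLevel(User $user, Record $record): ?string
    {
        return Permission::query()
            ->where('owner_id', $record->user_id)
            ->where('grantee_id', $user->id)
            ->value('access_level');
    }
}

namespace App\Http\Controllers;

use App\Models\Record;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Gate;

class RecordController extends Controller
{
    // Listing: never Record::all(); scope every query to the caller.
    public function index(Request $request)
    {
        return Record::visibleTo($request->user())->get();
    }

    // Route-model binding resolves ANY id the client sends, so the policy is what
    // stops USERB editing rows they were not granted. Gate::authorize throws
    // AuthorizationException (HTTP 403) on denial.
    public function update(Request $request, Record $record)
    {
        Gate::authorize('update', $record);

        $record->update($request->validate(['body' => 'required|string']));

        return $record;
    }
}
```

The scope is what answers question 3: if grandchild tables carry their own `user_id`, the same `visibleTo` scope applies to each of them directly; if they do not, the equivalent is `whereHas('parent', fn ($q) => $q->visibleTo($user))`, which costs a join per level. The policy answers question 4: Laravel enforces nothing by itself, so every route that loads a single row needs a `Gate::authorize` (or `can` middleware) call, and every listing needs the scope.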
