Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

bagwaa's avatar
bagwaa
OP
5 years ago
Level 12

Multiple Auth Guards vs Roles / Permissions

Howdy,

So I am in the process of building a new app, and I am stuck on what would be considered the best approach to handle authentication.

The app in question needs to allow the following :-

  • Regular user registration (automatic email confirmation, and then log in once email has been verified)

  • Regular user login through /login

  • Vendor registration (this won't allow the user to login until they have been approved as a vendor, so the flow is different to regular users)

  • Vendor login through /vendor/login

  • Admin user login, this is basically the owner of the site, and they will be able to approve or deny vendor registrations.

In my head I am thinking I would use three different auth guards, and a table for each type of user, however I keep wondering if the better approach here would be to use a single users table, a single auth guard but the use something like a permissions / roles system to differentiate between the user types.

The only reason I am thinking a role base system wouldn't work so well is because vendors and users will have a totally different registration flow and need to login via different URLs.

Has anyone any thoughts on this type of multi user table approach, I can't work out if I like the approach or not, or if there is a more structured way.

Thanks,

Rich

0 likes
7 replies
bobbybouwmann's avatar
bobbybouwmann
5 years ago
Best Answer
Level 88

Yeah, so I would always go with the roles/permissions way for the authentication part. This way you can just have one way to log in.

You can split the login form or you can use the same form for all roles. Based on their role you can redirect them to another page where they can see their actions. For example, a separate vendor dashboard. You can use different login URLs of course where you only allow users to login with a certain role. This is a small adaption to the current login flow by just checking on the role as well. You can even create your own controller for it if needed.

You can always use middleware or permission based on the current role of the user to determine where they can go or what they can see.

Multi auth always makes it more complex, while in your case you just have users that log in but have different permissions

8 likes
ignaciodev's avatar

@bobbybouwmann but doesn't this mean that, if a user registers as a vendor, they cannot use that email if one day they decide to buy on the app as a customer?

I have always used multiple guards, but I am considering changing to single user table approach for my next project. But I'm really struggling to switch my mindset about it.

If anyone can recommend any articles with examples of this workflow, please share them :)

ignaciodev's avatar

Or what if vendors need to verify their email, but customers dont?

Snapey's avatar

@ignaciodev If you associate the user with a 'vendor' role or a 'customer' role, you can decide whether to fill in the verified field or not.

CItyTrader's avatar

@ignaciodev To be honest, I am also very confused about the whole thing. Have you gotten clarity on it?

bagwaa's avatar
bagwaa
OP
5 years ago
Level 12

Thanks Bobby, I think this is what I needed to hear

Snapey's avatar

anyone with a login is a user. Everything else is just authorisation. (my 2d)

3 likes

Please or to participate in this conversation.