Security Laravel Package

nette/security

Secure Laravel authentication with Nette’s OAuth2, JWT, and session management—simplify identity handling for APIs and web apps.


Getting Started

Start by installing the package via Composer:

composer require nette/security

This package provides authentication, authorization, and ACL (Access Control List) management — ideal for securing web applications. It is a framework-agnostic library, so in Laravel you’ll likely integrate it as a standalone service rather than through Laravel’s native auth system. A first use case is user login with SimpleAuthenticator and in-memory credentials (e.g., for demos or small apps). Configure a custom authenticator service in app/Providers/AppServiceProvider.php or a dedicated service provider — the authenticator implements Nette\Security\IAuthenticator.

Implementation Patterns

  • Custom Authenticator: Extend SimpleAuthenticator or implement IAuthenticator to validate credentials from your database (e.g., using Eloquent models). Return a SimpleIdentity with user role(s) and optional metadata.
  • Authorization via ACL: Use the Permission class (ACL implementation) to define roles and resources, then check permissions using $user->isInRole() or $user->getIdentity()->hasRole().
  • Storage & Session: Prefer SessionStorage (default) or CookieStorage for persistence — configure via User::setStorage() in your bootstrap. Use User::setExpiration() for timeouts, and User::refreshStorage() to reset cached identity after critical actions.
  • Integration with Laravel: Hook Nette\Security\User into Laravel middleware — inject the User instance into controllers or middleware to check authorization before handling requests. Alternatively, create a Laravel-compatible guard using Laravel’s Authenticatable interface wrapper around User.
  • Password Handling: Use the Passwords service (auto-injected in Nette DI contexts) to hash (Passwords::hash()) and verify (Passwords::verify()) passwords securely.
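The Custom Authenticator, ACL and Password Handling patterns above, combined in one added example (not code from the nette/security project or this page). It assumes nette/security 3.1+ installed via Composer, where the authenticator interface is `Nette\Security\Authenticator`; the user table is a constructed in-memory array standing in for an Eloquent or PDO lookup, and `DbAuthenticator` is a hypothetical name.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Nette\Security\AuthenticationException;
use Nette\Security\Authenticator;
use Nette\Security\IIdentity;
use Nette\Security\Passwords;
use Nette\Security\Permission;
use Nette\Security\SimpleIdentity;

final class DbAuthenticator implements Authenticator
{
    /** @var array<string, array{id:int, hash:string, roles:string[]}> constructed rows standing in for a DB query */
    private array $rows;
    private string $dummyHash;

    public function __construct(private Passwords $passwords)
    {
        $this->rows = ['alice' => ['id' => 1, 'hash' => $passwords->hash('correct horse'), 'roles' => ['editor']]];
        $this->dummyHash = $passwords->hash('placeholder'); // verified against when the username is unknown
    }

    public function authenticate(string $username, #[\SensitiveParameter] string $password): IIdentity
    {
        $row = $this->rows[$username] ?? null;
        // Always run exactly one verify(), so response time does not reveal whether the username
        // exists, and report both failure cases with the same generic message and code.
        if (!$this->passwords->verify($password, $row['hash'] ?? $this->dummyHash) || $row === null) {
            throw new AuthenticationException('Invalid credentials.', self::InvalidCredential);
        }
        return new SimpleIdentity($row['id'], $row['roles'], ['username' => $username]);
    }
}

// ACL: roles inherit from their parents, and anything not explicitly allowed is denied.
$acl = new Permission();
$acl->addRole('guest');
$acl->addRole('editor', 'guest');
$acl->addResource('article');
$acl->allow('guest', 'article', 'view');
$acl->allow('editor', 'article', ['create', 'edit']);
$acl->deny('editor', 'article', 'delete');

$identity = (new DbAuthenticator(new Passwords()))->authenticate('alice', 'correct horse');
foreach (['view', 'edit', 'delete'] as $privilege) {
    // Mirrors what User::isAllowed() does: granted if any of the identity's roles is allowed.
    $ok = array_reduce($identity->getRoles(), fn($c, $r) => $c || $acl->isAllowed($r, 'article', $privilege), false);
    printf("%s article: %s\n", $privilege, $ok ? 'allowed' : 'denied');
}
```

In a Laravel app the authenticator and `Permission` instance would be bound in a service provider and injected into middleware, with the identity passed to `Nette\Security\User::login()` instead of being inspected directly as here.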

Gotchas and Tips

  • PHP Version Constraint: Nette Security 3.2+ requires PHP 8.2–8.5 — double-check your environment. Earlier releases carried their own BC breaks (e.g., IUserStorage was removed in v3.2).
  • Identity Caching: The User caches identity across requests — always call refreshStorage() after password changes or role updates to avoid stale authentication.
  • Sensitive Parameters: Use #[\SensitiveParameter] on password parameters to avoid leakage in stack traces (available since v3.1.8).
  • SameSite & Cookies: If using CookieStorage, ensure SameSite attribute is correctly set (fixed in v3.1.6); mismatch can cause silent auth failures.
  • Extension Dependency: The SecurityExtension for DI container integration assumes Nette DI — if not using it in Laravel, register services manually and inject dependencies explicitly.
  • Role Types: Roles can be objects (v3.1.3+) — implement __toString() for seamless compatibility with isInRole().
  • Debugging Auth Failures: Enable UserPanel (if using Tracy) or log failed authentications manually. Remember: User::isLoggedIn() checks both existence and validity of identity — not just presence of session data.
  • Avoid StaticClass Antipattern: In v2.x, Passwords was static; from v2.4.4 onward it’s object-based — inject or instantiate it properly instead of calling statically.