- Search and view tour information
- Book tours online with relevant requirements (such as number of guests, travel time tour, contact person, price...)
- Receive and view the resulting installation tour
- Update travel list and related information (list of locations, homes) restaurants, hotels... suitable for tours)
- User management
- Manage and process online orders
- Nguyen Duc Anh:
- Login (Authentication, SSO)
- Register (Confirm account by email)
- Forgot password (Recover password by email)
- Account information
- Change password
- Home page
- Decentralize admin and user rights
- Vu Minh Phong
Link Web: Travel Easy
- Email: [email protected]
- Password: 1234
- Email: [email protected]
- Password: 123456
Link report: Thiet ke web nang cao
Laravel is a powerful and popular PHP framework, chosen by many developers for web projects, including complex websites like travel websites. Here are some key reasons why Laravel is the ideal choice for building a Travel Easy website:
-
Clear MVC structure: Laravel uses the MVC (Model-View-Controller) model, which provides a clear separation between processing logic and user interface, making the source code easy to understand and maintain.
-
Rich ecosystem: Laravel offers a rich ecosystem with many supporting packages and tools, such as Laravel Passport for API authentication, Laravel Cashier for payments, and Laravel Socialite for social login. These tools help develop complex features with ease.
-
Eloquent ORM: Laravel's ORM system, Eloquent, makes working with databases easy and efficient. You can interact with data tables using PHP model classes, minimizing manual SQL code and increasing security.
-
Built-in security features: Laravel integrates many built-in security features such as protection against CSRF (Cross-Site Request Forgery) attacks, protecting user data with encryption and easy access control. easy.
-
Scalability and high performance: Laravel has good scalability and supports optimal performance, helping your website to handle a large number of users at the same time without problems.
-
Large community and rich documentation: Laravel has a large and active community, along with rich documentation and many learning resources, making it easy to find support and solve development problems project.
-
Ability to integrate with third-party services: Laravel supports easy integration with third-party services such as payment services, email, and external APIs, helping you create a complete system and flexible.
-
Convenient development tools: Laravel provides many convenient tools for developers such as Laravel Artisan (powerful CLI to perform common tasks), Laravel Mix (CSS and JavaScript compilation tool), and Laravel Tinker (REPL for PHP).
- Step 1: Install Composer and PHP
- Step 2: After you have installed PHP and Composer, you can create a new Laravel project via Composer command (create-project):
composer create-project laravel/laravel example-app- Step 3: Once the project has been created, start Laravel's local development server using the Laravel Artisan command
serve
cd example-app
php artisan serve- Step 4: Go to the
php.inifile and remove the;sign. before the command lineextension=zip
- If you wish to use MySQL, update your
.envconfiguration file's DB_* variables like so:
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=root
DB_PASSWORD=- Create the database and run your application's database migrations:
php artisan migrateUserController.php
- Authenticates users based on their email, password, and role (role must be 0).
use Illuminate\Support\Facades\Auth;
public function storeLogin(Request $req)
{
if(Auth::attempt(['email'=>$req->email,'password'=>$req->password,'role'=> 0]))
{
return redirect()->route('index')->with('success','Logged in successfully');
} else {
return redirect()->back()->with('error','Login failed, please log in again!');
}
}- Logs out the currently authenticated user.
public function logout()
{
Auth::logout();
return redirect()->back()->with('success','Logout in successfully');
}SSO is a relatively simple and straightforward solution for single sign on (SSO).
With SSO, logging into a single website will authenticate you for all affiliate sites. The sites don't need to share a toplevel domain.
When using SSO, we can distinguish 3 parties:
- Client - This is the browser of the visitor
- Broker - The website which is visited
- Server - The place that holds the user info and credentials
The broker has an id and a secret. These are known to both the broker and server.
When the client visits the broker, it creates a random token, which is stored in a cookie. The broker will then send the client to the server, passing along the broker's id and token. The server creates a hash using the broker id, broker secret and the token. This hash is used to create a link to the user's session. When the link is created the server redirects the client back to the broker.
The broker can create the same link hash using the token (from the cookie), the broker id and the broker secret. When doing requests, it passes that hash as a session id.
The server will notice that the session id is a link and use the linked session. As such, the broker and client are using the same session. When another broker joins in, it will also use the same session.
- Configure Laravel
-
Add credentials to config/services.php.
-
These providers follow the OAuth 2.0 spec and therefore require a client_id, client_secret and redirect url. We’ll obtain these in the next step! First, add the values to the config file because socialite will be looking for them when we ask it to.
'google' => [
'client_id' => env('GOOGLE_CLIENT_ID'),
'client_secret' => env('GOOGLE_CLIENT_SECRET'),
'redirect' => env('GOOGLE_REDIRECT')
],- Create the basic authentication scaffold
php artisan make:auth
-
Create your app in Google
- Create a project: https://console.developers.google.com/projectcreate
- Create credentials: https://console.developers.google.com/apis/credentials
-
A modal will pop up with your apps client id and client secret. Add these values to your
.envfile:
GOOGLE_CLIENT_ID =
GOOGLE_SECRET_ID =
GOOGLE_REDIRECT = - Update the users table migration
- Update your create_users_table migration to include these new fields.
- You could alternatively create a new migration for adding theses columns, which would be good for an existing app:
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
public function up(): void
{
Schema::table('users', function (Blueprint $table) {
$table->string('google_id') -> nullable();
});
}
public function down(): void
{
}
};- SSO route
//SSO
Route::get('/auth/google', [GoogleController::class, 'redirectToGoogle'])->name('auth.google');
Route::get('/auth/google/callback', [GoogleController::class, 'handleGoogleCallback'])->name('auth.google.callback');- SQL injection vulnerabilities: SQL Injection occurs when a web application allows users to input data into SQL queries in an unsafe manner, leading to the possibility of executing malicious SQL commands.
- Cross-Site Scripting (XSS): XSS occurs when an application allows users to enter data that may contain malicious JavaScript code, which is then displayed back to other users without checking or encryption.
- Cross-Site Request Forgery (CSRF): CSRF is when a user is unaware they are sending a malicious request to a web application they have authenticated, resulting in unwanted actions being taken.
- Insecure Direct Object References (IDOR): IDOR occurs when an application allows direct access to objects based on user input without checking permissions, resulting in the exposure of other users' information or data.
- Broken Authentication and Session Management: This issue occurs when authentication and session management mechanisms are not configured or implemented properly, leading to the risk of attacks from password guessing, session theft, or account hijacking. clause.
- Security Misconfiguration: Security Misconfiguration occurs when the system or application is not properly configured for security, leading to security vulnerabilities.
- Sensitive Data Exposure: Sensitive data exposure occurs when information such as passwords, credit card information or personal data is not properly protected.
- Using Components with Known Vulnerabilities: Using libraries, modules or software with known security vulnerabilities that have not been patched.
- Insufficient Logging and Monitoring: Failure to fully record or monitor system activity, leading to failure to promptly detect unusual behavior or attacks.
- File Upload Vulnerabilities: Vulnerabilities related to uploading files without proper inspection, which can lead to malicious code execution or information disclosure.
- Application error 500 (Not Found): Error 500 occurs when the server encounters an unknown problem and cannot process the request.
- Key Exposure or Rubbish Character: Revealing sensitive information such as API keys, encryption keys or unwanted characters appearing in data
- SQL Injection
- Use Eloquent ORM or Query Builder: Laravel provides Eloquent ORM and Query Builder to build safe queries
// Use Eloquent ORM
$users = User::where('email', $email)->get();// Use Query Builder
$users = DB::table('users')->where('email', $email)->get();- Use methods with bound values: Avoid writing raw SQL queries without protections.
// Use binding method
DB::select('select * from users where email = ?', [$email]);- Cross-Site Scripting (XSS)
- Use Blade template engine: Laravel's Blade automatically escapes variables.
// In Blade template
<h1>{{ $user->name }}</h1>- Escape outputs: Use the e() function to escape outputs in sections that do not use Blade.
// Escape output
echo e($user->name);- Cross-Site Request Forgery (CSRF)
- Use of CSRF tokens: Laravel automatically protects against CSRF using tokens
- Check CSRF token in important requests: Laravel automatically handles this through the CSRF middleware.
- Insecure Direct Object References (IDOR)
- Use middleware and policies: Laravel provides middleware and policies to control access to resources.
// Middleware example
public function handle($request, Closure $next)
{
if ($request->user()->id !== $request->route('id')) {
return redirect('home');
}
return $next($request);
}- Check ownership before accessing: Ensure that the user has access to the object.
// Check ownership
if ($request->user()->id !== $post->user_id) {
abort(403, 'Unauthorized action.');
}- Broken Authentication and Session Management
- Use Laravel's built-in authentication system: Laravel provides powerful and easy-to-use authentication mechanisms.
//Use auth middleware
Route::get('/profile', 'ProfileController@index')->middleware('auth');- Use HTTPS: Ensure that the application runs over HTTPS to protect login information and sessions.
- Set reasonable session timeout: Configure session timeout to reduce the risk of session being stolen.
- In the file
config/session.php
'lifetime' => 120, // 120 minutes
'secure' => true, // Only transmit session over HTTPS- Security Misconfiguration
- Check and properly configure
.env files: Ensure that sensitive information is not exposed.
APP_DEBUG=false- Ensure that APP_DEBUG=false in production environments: To avoid revealing detailed error information.
- Correctly configure file and folder permissions: Ensure that files and folders such as
storageandbootstrap/cachehave the appropriate permissions.
- Sensitive Data Exposure
- Use Laravel's encryption mechanism: Laravel provides methods to encrypt data.
use Illuminate\Support\Facades\Crypt;
$encrypted = Crypt::encryptString('hello world');
$decrypted = Crypt::decryptString($encrypted);- Do not store sensitive information in plain text: Use hash functions to store passwords.
use Illuminate\Support\Facades\Hash;
$hashed = Hash::make('password');- Use HTTPS: To protect data during transmission.
- Using Components with Known Vulnerabilities
- Regularly update libraries and dependencies: Use composer update to update libraries.
composer update- Use vulnerability testing tools: Such as
SnykorOWASP Dependency-Checkto check libraries for security vulnerabilities.