Authentication & Access
DotHRB provides a flexible, secure system for managing user authentication and session state, built on two primary mechanisms:
- Session Cookies: Used primarily for web pages and server-rendered controllers to give users a seamless experience. The runtime encrypts and encodes session cookies automatically.
- JWT (JSON Web Tokens): Suited to stateless API endpoints accessed directly by third-party applications, single-page applications (SPAs), or mobile apps, using an industry-standard token format for authentication.
Key Features and Configuration
- Customizable Schema Order: You can explicitly define the order in which authentication schemas are evaluated, giving fine-grained control over multi-tier access workflows.
- Access Control Lists (ACL): Define allowed paths (endpoints that bypass the auth firewall), enforce required claims, and tune the security profile of each mechanism.
Authentication Workflow
The framework handles protection differently depending on the target architecture of your endpoint:
| Target Endpoints | Protection Model | Claims Retrieval |
|---|---|---|
| Web Pages | Secure by Default: Protected automatically unless explicitly whitelisted in the "allowed paths" configuration. | Extracted and verified automatically from the active session cookie. |
| API Endpoints | Explicit Protection: Secured by calling the ::authorize() method inside the custom controller class logic. | Extracted and verified automatically according to the configured authentication schema. |
Once an identity is verified (via either cookie or JWT), the runtime stores the user's validated claims in the ::hClaims hash property, so permission checks are available immediately throughout your application logic.