Route and Middleware RainLab.User


I have two “sections” in my website.

  1. public one :
  2. internal portal for customers/suppliers :

I need all routes after /hub/ to be protected by RainLab.User authentification.

That being said, as per the plugin documentation:

Access to routes can be restricted by applying the AuthMiddleware.

Route::group(['middleware' => 'RainLab\User\Classes\AuthMiddleware'], function () {
    // All routes here will require authentication

So I tried this :

Route::middleware(['web', 'RainLab\User\Classes\AuthMiddleware'])->group(function () {
    Route::get('/hub/{any}', function () {

    })->where('any', '.*');

Which kinda work;

  • It’s returning ‘Forbidden’ if I am not logged in
  • But it giving me a blank page if I’m logged in, I think the response die inside the function.

Any ideas how it should be implemented ?

Thank you.

I found an alternative. I let the thread open to see if there is a way with the routes.

I created a layout that I will use in all my /hub/* page with this:

redirect = "login"
security = "user"

You did not set a controller action in your route or return a response, that is why you get a blank page. Or was that just in the example?


I know that. You can put “return ‘hi’;” if you want and you will see hi displayed and not a blank page.

What I was wondering is how can I wrap all my url’s after /hub/ with the Authentification middleware without adding any overhead (redirecting to a view etc.).

Well, if you define a route you’ll have to also define what should happen when that route is called. I don’t think there is a shortcut around this. How did you use your frontend routes without the authentication restriction?
Or are you asking about Laravels routing system? OCMSv2: Routing - Laravel - The PHP Framework For Web Artisans, OCMSv3: Routing - Laravel - The PHP Framework For Web Artisans

If it is a CMS page, I’d suggest - as you found out - to use the Session component, if it’s an API you want to protect you would put all the routes into a group and protect that group with the middleware etc. etc.

Imho the most important aspect is, that the protection and the target to protect are together. e. g. CMS page and Component, routes and middleware - but not CMS pages protected by a middleware.

One thing that might be what you want:
you can extend Rainlabs middleware with a custom plugin, add your middleware to the kernel for all calls, check in the middleware if it’s an URI you want to have protected and then hand off the request to Rainlabs middleware or let it through.

thank you for your support @marco.grueter