Authentication Security

The auth scaffolding in Laravel 5.2 is super helpful and convenient and easy to use, but I wonder if there's a potential security risk:

If everyone uses Laravel's out-of-the-box auth feature solely for creating and managing user accounts, then there's no problem. But I have to think that a lot of people use it to create an admin section for site management, content management, etc.

If that's the case, then one of the first things I might do after generating the auth scaffold is remove the "Register" link from the view that Laravel's auth scaffold has created for me.

I might then go on to work on other parts of the site, forgetting that the register route is still active on my site, which is easy to do because the auth scaffold doesn't add register as a route in my routes file. If I continue developing my admin site without ever overriding the behavior of that route, then basically all anyone has to do is go to the register route on my site, create an account and they'll have full privileges to my admin area.

Shouldn't the register part of the auth scaffold be an optional add-on, not a built-in, out-of-the-box feature? And/or shouldn't the register route at least be added to the routes file to remind the developer to do something with that route if they're using auth for an admin section, not user accounts?

Just wondering.

Last updated 2 years ago.

Route::auth() just registers routes for you. You can register them yourself if you want different functionality.

If you looked into the Router you would see the routes that are added for you when calling Route::auth().

You can also change the layout yourself to remove that link, as you have.

The second part is that you are responsible for your application and its routes. If you leave routes or links in your templates that shouldn't be there, that is on you.

You can easily see all your routes with a simple artisan route:list.

As with many things this is a helper for convenience. If you want something else or different functionality you don't have to use it at all.

Last updated 9 years ago.
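To make the reply concrete: the route set below is an added example, not code posted in this thread or shipped by Laravel. It does for a Laravel 5.2 `app/Http/routes.php` what the reply suggests, declaring the login and password-reset routes by hand (the same controller targets that `Route::auth()` wires up in 5.2) while leaving the two registration routes out, so an admin area built on the scaffold has no self-registration endpoint at all. The `admin` prefix, the route names and the dashboard closure are assumptions for this example.

```php
<?php
// app/Http/routes.php (Laravel 5.2) -- added example, not code from the thread.
//
// Instead of calling Route::auth(), which also registers GET/POST /register,
// declare the authentication routes explicitly and leave registration out.
// The controller@method targets are those Laravel 5.2's Route::auth() uses;
// the 'admin' prefix and the route names are assumptions for this example.

Route::group(['prefix' => 'admin'], function () {
    // Authentication routes (login / logout)
    Route::get('login', ['as' => 'admin.login', 'uses' => 'Auth\AuthController@showLoginForm']);
    Route::post('login', 'Auth\AuthController@login');
    Route::get('logout', ['as' => 'admin.logout', 'uses' => 'Auth\AuthController@logout']);

    // Password reset routes
    Route::get('password/reset/{token?}', 'Auth\PasswordController@showResetForm');
    Route::post('password/email', 'Auth\PasswordController@sendResetLinkEmail');
    Route::post('password/reset', 'Auth\PasswordController@reset');

    // Deliberately NOT registered: the registration routes Route::auth() would add.
    //   Route::get('register',  'Auth\AuthController@showRegistrationForm');
    //   Route::post('register', 'Auth\AuthController@register');

    // Everything under /admin beyond the auth screens requires a signed-in user.
    Route::group(['middleware' => 'auth'], function () {
        Route::get('/', function () {
            return 'Admin dashboard'; // placeholder for the real admin routes
        });
    });
});
```

After changing the routes file, confirm the result the way the reply recommends: run `php artisan route:list` and check that no route with the URI `register` (or `admin/register`) appears in the table. Removing the "Register" link from the Blade view is cosmetic; the route table is what actually decides whether an anonymous visitor can create an account.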

Posted by johnnycho (joined 16 Mar 2014)