# Auth And Dashboard ## Auth Routes File: `routes/web.php` - `GET /login`, name `login`, middleware `guest`, controller `App\Http\Controllers\AuthController::showLoginForm` - `POST /login`, middleware `guest`, controller `App\Http\Controllers\AuthController::login` - `POST /logout`, name `logout`, controller `App\Http\Controllers\AuthController::logout` There are no registration, password reset, email verification, or password confirmation routes in `routes/web.php`. `routes/api.php` has only `GET /api/user` under `auth:sanctum`. ## Auth Controller File: `app/Http/Controllers/AuthController.php` Class: `App\Http\Controllers\AuthController` Methods: - `showLoginForm()`: returns `resources/views/auth/login.blade.php` - `login(Request $request)`: validates credentials and calls `Auth::attempt($request->only('email', 'password'), $request->boolean('remember'))` - `logout(Request $request)`: calls `Auth::logout()`, invalidates session, regenerates CSRF token, redirects `/` Login validation: - `email`: required email - `password`: required Successful login: - Session is regenerated. - Redirects to route `dashboard.leads.index` (`/dashboard/leads`). Failed login: - Throws `ValidationException` on `email`: "The provided credentials do not match our records." ## Login View File: `resources/views/auth/login.blade.php` Form: - Action: `route('login')` - Method: `POST` - CSRF: `@csrf` - Fields: - `email`, type email, required, autocomplete `email` - `password`, type password, required, autocomplete `current-password` - `remember`, checkbox Navigation: - Brand link to `/` - Back to website link to `/` ## Auth Config File: `config/auth.php` Defaults: - Guard: `web` - Password broker: `users` Guard: - `web`: driver `session`, provider `users` Provider: - `users`: driver `eloquent`, model `App\Models\User` Password reset config exists: - Provider `users` - Table `password_reset_tokens` - Expire 60 minutes - Throttle 60 seconds Needs verification: password reset table/config exists, but no password reset routes/views/controllers were found. ## User Model And Table Model: `app/Models/User.php` Class: `App\Models\User` Extends: `Illuminate\Foundation\Auth\User` Traits: - `HasFactory` - `Notifiable` Fillable: - `name` - `email` - `password` - `is_admin` Hidden: - `password` - `remember_token` Casts: - `email_verified_at`: datetime - `password`: hashed - `is_admin`: boolean Migration: `database/migrations/2026_01_20_000000_create_users_table.php` Columns: - `id` - `name` - `email` unique - `email_verified_at` nullable - `password` - `is_admin` - `remember_token` - `created_at` - `updated_at` Seeder: `database/seeders/DatabaseSeeder.php` - Empty. No hardcoded admin user found in seeders. ## Session Config File: `config/session.php` Relevant values: - Driver: `env('SESSION_DRIVER', 'file')` - Lifetime: 120 minutes default - Encrypt: `true` - Path: `/` - HTTP only: `true` - Same-site: `lax` - Secure: `env('SESSION_SECURE_COOKIE')` ## Auth Middleware File: `app/Http/Kernel.php` - Route middleware `auth`: `Illuminate\Auth\Middleware\Authenticate` - Route middleware `guest`: `App\Http\Middleware\RedirectIfAuthenticated` File: `app/Http/Middleware/RedirectIfAuthenticated.php` - If authenticated, redirects to `/dashboard/leads`. ## Dashboard Routes File: `routes/web.php` All routes below are in `Route::middleware(['auth', 'admin'])->prefix('dashboard')`. - `GET /dashboard`, name `dashboard`, redirects to `dashboard.leads.index` - `GET /dashboard/design-system`, name `dashboard.design-system`, controller `App\Http\Controllers\Dashboard\DesignSystemController::index` - `GET /dashboard/leads`, name `dashboard.leads.index`, controller `App\Http\Controllers\LeadDashboardController::index` - `GET /dashboard/leads/export`, name `dashboard.leads.export`, controller `LeadDashboardController::export` - `POST /dashboard/leads/bulk-delete`, name `dashboard.leads.bulk-delete`, controller `LeadDashboardController::destroyBulk` - `GET /dashboard/leads/{lead}`, name `dashboard.leads.show`, controller `LeadDashboardController::show` - `PATCH /dashboard/leads/{lead}/status`, name `dashboard.leads.update-status`, controller `LeadDashboardController::updateStatus` - `DELETE /dashboard/leads/{lead}`, name `dashboard.leads.destroy`, controller `LeadDashboardController::destroy` Authorization: - Authenticated admins only. - Admin flag: `users.is_admin`. - Middleware: `app/Http/Middleware/EnsureAdmin.php`. - Middleware alias: `admin` in `app/Http/Kernel.php`. - Existing users were marked admin by migration `database/migrations/2026_05_09_000001_harden_leads_dashboard_and_schema.php` to avoid locking out the current dashboard account. ## Dashboard Views ### Leads Index File: `resources/views/dashboard/leads/index.blade.php` Standalone HTML document. Does not use `resources/views/layouts/app.blade.php`. Header/nav: - Brand link to `/` - Page title `Leads Dashboard` - Link to `dashboard.design-system` - Current user name via `Auth::user()->name` - Push notification button - Export link - Logout form - Site link Main areas: - Stats card row - Filter/search form - Lead card grid - Pagination - Right sidebar widgets - Status modal Assets: - Tailwind CDN - Google Font Inter - Pusher Beams CDN - Pusher JS CDN - `/service-worker.js` - `/dashboard.webmanifest` - `/images/criazo-icon@2x.png` ### Lead Detail File: `resources/views/dashboard/leads/show.blade.php` Standalone HTML document. Header/nav: - Back to `dashboard.leads.index` - Current user name - Status select - Delete form Main areas: - Hero card - Contact info - Interest/project info - Message - Tracking - Timeline/activity log Actions: - Status update via inline JavaScript `PATCH` - Delete via form `DELETE` ### Design System File: `resources/views/dashboard/design-system/index.blade.php` Route: `dashboard.design-system` Controller: `app/Http/Controllers/Dashboard/DesignSystemController.php` Protected by `auth` route group. Shows internal design system documentation and links back to leads dashboard. It includes logout and current user display. ## Dashboard Data Sources `LeadDashboardController::index` builds: - `$leads`: `Lead::query()->with('events')`, filtered, ordered newest first, paginated 20. - `$stats`: counts from `getStatistics`. - `$topSources`: grouped `source_page`. - `$topReferralSources`: grouped `COALESCE(utm_source, referrer_domain, Direct)`. - `$serviceBreakdown`: grouped `service_name`. - `$marketBreakdown`: per market using `Lead::market`. ## Login Flow ```mermaid flowchart TD A["Guest opens /login"] --> B["guest middleware"] B --> C["AuthController::showLoginForm"] C --> D["auth/login.blade.php"] D --> E["POST /login with email/password/remember"] E --> F["AuthController::login"] F --> G["validate email/password"] G --> H["Auth::attempt"] H --> I["session regenerate"] I --> J["redirect /dashboard/leads"] ``` ## Protected Dashboard Flow ```mermaid flowchart TD A["GET /dashboard/leads"] --> B["auth + admin middleware"] B --> C{"Authenticated admin?"} C -- "No" --> D["Redirect to /login"] C -- "Yes" --> E["LeadDashboardController::index"] E --> F["Lead stats + paginated leads"] F --> G["dashboard/leads/index.blade.php"] ``` ## Risks / Technical Debt - Dashboard routes now require `is_admin=true`; non-admin authenticated users receive 403. - No registration route exists, but users can exist in the database; user creation process is not documented in code. Needs verification operationally. - Password reset table/config exists, but no reset route/UI was found. - Login has no explicit throttle middleware in `routes/web.php`.