When developing a Radicle application, in general would you recommend handling authentication from WP or from Laravel?
In particular, my application will have:
- a public-facing website that will not require regular users to be logged into WordPress (no WP comments, for instance);
- the WP Admin, used only by a few administrators;
- several Laravel pages, exposed via custom routes, that do require authentication (thousands of users) but could use Laravel’s auth and session management.
My thoughts are that the system would be more secure and performant if I only used Laravel’s auth features and left regular users anonymous on WP, because I would avoid any privilege escalation attacks on WP and I could serve all WP pages (excluding the Laravel routes) from a static cache to all users.
If so, I would need to sync the admin’s sessions from Laravel to WP, so that when they log into / out of Laravel, they are also logged into / out of WP Admin, because I don’t want them to log in twice. How would I do that?
Currently I have set up the application in the opposite way, reading WP’s session from Laravel:
```php
// config/auth.php
'guards' => [
    'web' => [
        'driver' => 'wordpress', // custom driver, see AuthServiceProvider
        'provider' => 'users',
    ],
],
```

```php
// app/Providers/AuthServiceProvider.php
use App\Models\User;
use Illuminate\Support\Facades\Auth;

// inside boot():
Auth::viaRequest('wordpress', function ($request) {
    // Ask WordPress who the current user is (ID 0 means anonymous)
    $wpUser = wp_get_current_user();
    if (!$wpUser || $wpUser->ID === 0) {
        return null;
    }
    // Resolve the same ID through Eloquent and keep the WP_User object around for later use
    $user = User::query()->findOrFail($wpUser->ID);
    $user->wpUser = $wpUser;
    return $user;
});
```
Where User is a model that reads WP’s users table directly.
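The reverse direction the question asks about, Laravel as the source of truth and WP Admin following it, can be done with a Laravel event subscriber that issues or clears WordPress's own auth cookie when an administrator logs into or out of Laravel. This is an added example, not code from the original post or from Radicle; it assumes WordPress is bootstrapped inside the Laravel request (as the guard above, which calls `wp_get_current_user()`, already relies on), that Laravel and WP share user IDs (as the `User` model reading `wp_users` implies), and the class name and file path are hypothetical.

```php
<?php
// app/Listeners/SyncWordPressSession.php (hypothetical name, added example)
namespace App\Listeners;

use Illuminate\Auth\Events\Login;
use Illuminate\Auth\Events\Logout;
use Illuminate\Events\Dispatcher;

class SyncWordPressSession
{
    // Capability that marks a WP administrator; everyone else stays anonymous on the WP side
    private const ADMIN_CAP = 'manage_options';

    public function handleLogin(Login $event): void
    {
        // Assumes the Laravel user ID is the WP user ID (User model reads wp_users directly)
        $wpUser = get_user_by('id', (int) $event->user->getAuthIdentifier());
        if (!$wpUser || !user_can($wpUser, self::ADMIN_CAP)) {
            return; // regular users never receive a WP cookie, so cached WP pages stay cacheable
        }
        wp_set_current_user($wpUser->ID);
        // Issue WP's own auth cookie; honour "remember me" and mark it Secure when served over HTTPS
        wp_set_auth_cookie($wpUser->ID, (bool) $event->remember, is_ssl());
    }

    public function handleLogout(Logout $event): void
    {
        // wp_logout() destroys the WP session token and clears the auth cookies,
        // so an admin logging out of Laravel is also logged out of WP Admin
        if (is_user_logged_in()) {
            wp_logout();
        }
    }

    // Maps Laravel auth events to the handlers above
    public function subscribe(Dispatcher $events): array
    {
        return [
            Login::class  => 'handleLogin',
            Logout::class => 'handleLogout',
        ];
    }
}
```

Register the class in the `$subscribe` array of `EventServiceProvider`; WP Admin then recognises the administrator through its normal cookie, while Laravel's session handles the regular users without ever creating a WP session for them.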