Security

XinAdmin is built on Laravel's security foundation, implementing a complete authentication, authorization, and API permission control mechanism.

XinAdmin's security foundation relies on the Laravel framework. For more details on Laravel's security mechanisms, please refer to the Laravel Security Documentation.

Security Architecture Overview

XinAdmin's security architecture is structured in three layers:

┌────────────────────────────────────────────────────────────┐
│  Frontend UI Layer                                         │
│  AuthButton / useAuth / accessName                         │
│  Controls UI element visibility based on permission array  │
└────────────────────────┬───────────────────────────────────┘
                         │  Bearer Token (Authorization Header)
┌────────────────────────▼───────────────────────────────────┐
│  API Authentication Layer                                  │
│  Laravel Sanctum + AuthGuardMiddleware                     │
│  Validates Token validity and tokenable type matching      │
└────────────────────────┬───────────────────────────────────┘
                         │
┌────────────────────────▼───────────────────────────────────┐
│  Permission Check Layer                                    │
│  Sanctum CheckAbilities                                    │
│  Verifies the token's abilities array contains the         │
│  required permission key for the route                     │
└────────────────────────────────────────────────────────────┘

Core Features

| Feature | Description |
|---|---|
| Token Auth | Laravel Sanctum Personal Access Token |
| RBAC | User → Role → Permission three-tier model |
| Super Admin | User ID=1 hardcoded, bypasses all permission checks |
| Annotation Routing | PHP 8 attributes auto-register routes and permission middleware |
| Frontend Control | AuthButton / useAuth / accessName |
| Login Auditing | Records login IP, browser, geolocation |
| Request Validation | BaseFormRequest unified form validation |
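
A framework-free PHP model of the authentication and permission layers from the diagram, together with the ID=1 bypass from the feature table, added here as an illustration; it is not XinAdmin's or Sanctum's code. The model names (AdminUser, AppUser), the permission keys, the returned status codes and the position of the bypass relative to the other checks are assumptions.

```php
<?php
// Model of the two server-side layers; not XinAdmin or Sanctum source code.
// Model names, permission keys and token rows are constructed for illustration.
const SUPER_ADMIN_ID = 1; // feature table: user ID=1 bypasses permission checks

final class TokenRow // stand-in for one stored personal access token
{
    public function __construct(
        public string $tokenableType, // model the token was issued to
        public int $tokenableId,
        public array $abilities,      // permission keys saved with the token
    ) {}
}

// Returns the HTTP status a request would end with. $guardModel and $required
// are taken from the route definition, never from client input.
function authorize(?TokenRow $token, string $guardModel, array $required): int
{
    // Authentication layer: token must exist and match the guard's model type.
    if ($token === null || $token->tokenableType !== $guardModel) {
        return 401;
    }
    // Assumption: the super admin bypass runs after the type check, so ID 1 of
    // another model type gains nothing from it.
    if ($token->tokenableId === SUPER_ADMIN_ID) {
        return 200;
    }
    // Sanctum treats the '*' ability as "every ability".
    if (in_array('*', $token->abilities, true)) {
        return 200;
    }
    // Permission layer: every required key must be present on the token.
    return array_diff($required, $token->abilities) === [] ? 200 : 403;
}

$cases = [
    'no token'                  => [null, ['article.delete']],
    'admin, key missing'        => [new TokenRow('AdminUser', 7, ['article.list']), ['article.delete']],
    'admin, key present'        => [new TokenRow('AdminUser', 7, ['article.delete']), ['article.delete']],
    'app user on admin route'   => [new TokenRow('AppUser', 1, ['article.delete']), ['article.delete']],
    'super admin, no abilities' => [new TokenRow('AdminUser', 1, []), ['article.delete']],
];
foreach ($cases as $label => [$token, $required]) {
    printf("%-26s %d\n", $label, authorize($token, 'AdminUser', $required));
}
```

The frontend layer is left out of the model because hiding a UI element does not restrict the API; only the two server-side checks decide the response.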

Laravel Security References

XinAdmin's security mechanisms are built on the Laravel framework. The following documentation provides deeper security knowledge: