# System Credentials

## Test Users

The following users have been seeded in the database for testing:

### 1. System Administrator
**Full Access - Can manage users and access all features**
- **Username:** `sysadmin`
- **Password:** `Admin@123`
- **Email:** `sysadmin@repsis.com`
- **Role:** `system_admin`
- **Permissions:**
  - Full system access
  - User management
  - Finance operations
  - All admin features

### 2. Finance Manager
**Finance Access - Can access finance module**
- **Username:** `finance`
- **Password:** `Finance@123`
- **Email:** `finance@repsis.com`
- **Role:** `finance`
- **Permissions:**
  - Finance dashboard
  - Finance operations
  - Limited admin access

### 3. Regular User
**Basic Access - Standard user**
- **Username:** `user`
- **Password:** `User@123`
- **Email:** `user@repsis.com`
- **Role:** `user`
- **Permissions:**
  - User dashboard
  - Basic features

## Role Hierarchy

1. **system_admin** - Full access to everything
2. **finance** - Access to finance module + limited admin features
3. **user** - Basic user access

## API Authentication

### Login Endpoint
```http
POST /api/auth/login
Content-Type: application/json

{
  "username": "sysadmin",
  "password": "Admin@123"
}
```

### Response
```json
{
  "user": {
    "id": 1,
    "name": "System Administrator",
    "username": "sysadmin",
    "email": "sysadmin@repsis.com",
    "role": "system_admin",
    "full_name": "System Administrator",
    ...
  },
  "token": "1|xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "menu_profile": 1,
  "message": "Login successful"
}
```

### Token Usage
The token is automatically:
- Stored in httpOnly cookie (`auth_token`)
- Returned in JSON response (for localStorage/js-cookie)
- Valid for 30 days

### Protected Routes

#### System Admin Only
```
POST   /api/users              - Create user
PUT    /api/users/:id          - Update user
DELETE /api/users/:id          - Delete user
```

#### System Admin & Finance
```
GET    /api/users              - List users
GET    /api/users/:id          - Get user details
```

## Middleware Usage

### In Routes (api.php)
```php
// System admin only
Route::middleware(['auth:sanctum', 'role:system_admin'])->group(function () {
    Route::post('/users', [UserController::class, 'store']);
    Route::put('/users/{id}', [UserController::class, 'update']);
    Route::delete('/users/{id}', [UserController::class, 'destroy']);
});

// System admin & Finance
Route::middleware(['auth:sanctum', 'role:system_admin,finance'])->group(function () {
    Route::get('/users', [UserController::class, 'index']);
    Route::get('/users/{id}', [UserController::class, 'show']);
});
```
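The `role` middleware that these route groups rely on is referenced but not shown on this page. The following is an added example of how such a middleware is typically written, not the project's own code; it assumes the class is registered under the alias `role` (Laravel 11+ in `bootstrap/app.php`, Laravel 10 in `app/Http/Kernel.php`) and that the `role` column from the migration section is exposed as an attribute on the user model.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical middleware backing the 'role' alias used in api.php, e.g.
// 'role:system_admin,finance'. Laravel splits the text after the colon on
// commas and passes each piece as an extra argument to handle().
class CheckRole
{
    public function handle(Request $request, Closure $next, string ...$roles): Response
    {
        $user = $request->user();

        // auth:sanctum normally rejects anonymous requests before this runs,
        // but fail closed in case the middleware is ever used without it.
        if ($user === null) {
            return response()->json(['message' => 'Unauthenticated.'], 401);
        }

        // Strict match against the allow-list. There is no implicit hierarchy:
        // system_admin only passes where it is named explicitly, which is why
        // both route groups in api.php list it.
        if (! in_array($user->role, $roles, true)) {
            return response()->json(['message' => 'Forbidden.'], 403);
        }

        return $next($request);
    }
}

// Registration (assumed), Laravel 11+, in bootstrap/app.php:
//   ->withMiddleware(function (Middleware $middleware) {
//       $middleware->alias(['role' => \App\Http\Middleware\CheckRole::class]);
//   })
// Laravel 10, in app/Http/Kernel.php:
//   protected $middlewareAliases = ['role' => \App\Http\Middleware\CheckRole::class];
```

A request from the `user` account to `GET /api/users` receives 403 from this middleware, while `finance` and `sysadmin` reach the controller, matching the outcomes listed under Quick Start step 3.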

## Security Features

✅ **JWT Token Authentication**
✅ **httpOnly Cookies**
✅ **CSRF Protection** (Sanctum)
✅ **Role-Based Access Control**
✅ **Password Hashing** (bcrypt)
✅ **Failed Login Tracking**
✅ **Access Logging**
✅ **Token Expiration** (30 days)

## Password Policy

**Production Recommendations:**
- Minimum 8 characters
- At least one uppercase letter
- At least one number
- At least one special character (@, !, #, $, etc.)

**Current Test Passwords:**
- Format: `Role@123`
- Easy to remember for testing
- **CHANGE IN PRODUCTION!**

## Database Migration

The role column has been added to the users table:
```sql
ALTER TABLE users ADD COLUMN role VARCHAR(255) DEFAULT 'user' AFTER email;
ALTER TABLE users ADD INDEX role_index (role);
```

## Quick Start

1. **Login as System Admin:**
   ```bash
   curl -X POST http://localhost:8000/api/auth/login \
     -H "Content-Type: application/json" \
     -d '{"username":"sysadmin","password":"Admin@123"}'
   ```

2. **Use the token:**
   ```bash
   curl -X GET http://localhost:8000/api/users \
     -H "Authorization: Bearer YOUR_TOKEN_HERE"
   ```

3. **Test Role Protection:**
   - Try accessing `/api/users` with each role
   - System admin → Full access
   - Finance → Read access
   - User → Access denied

## Support

For issues or questions:
- Check Laravel logs: `storage/logs/laravel.log`
- Check access logs in database: `tbl_access_logs`
- Verify user roles in database: `SELECT id, username, role FROM users;`

---

**Last Updated:** December 3, 2025
**Version:** 1.0.0

