If you have a Laravel web application that does not need to be reachable from the entire world, you may want to limit access to it based on the visitor's location. Perhaps your application is being bombarded with login attempts from abroad and you want to block a specific region. There are two approaches to limiting access — 1) Allow a list of countries access, or 2) Block a list of countries from having access.

This example is going to allow a list of countries access. You will need an ipstack.com account (free if you have fewer than 10,000 requests per month) and a middleware class in your Laravel application. Here are the steps:

  1. Set up your ipstack.com account and get an API key
  2. Add middleware to your Laravel app in app/Http/Middleware
  3. Make the middleware global in the app/Http/Kernel.php file

Allowing a List of Countries

1) Go to ipstack.com and get an API key by setting up a free account. You will need the API key to make your query.

2) In Laravel applications, middleware is used to execute code before an HTTP request reaches your routes and controllers. In this example, we will use php artisan to make a middleware class called “GeoLocation”. Running the following command from the root of your application will create the file in your app/Http/Middleware directory (the class namespace will be your application namespace, AppName in this example):

php artisan make:middleware GeoLocation

Edit GeoLocation.php so the handle() method of the class has the following code:

public function handle($request, Closure $next)
{
    // Allowed countries by two-character code
    // See https://www.iso.org/obp/ui/#search for country codes
    $allowed_countries = ['US', 'CA', 'MX'];
    // ipstack.com API key
    $access_key = 'your_access_key_from_ipstack';
    // IP of the site visitor. $request->ip() is preferred over
    // $_SERVER['REMOTE_ADDR'] because it respects Laravel's trusted-proxy
    // settings; behind a load balancer REMOTE_ADDR is the balancer, not the visitor
    $ip = $request->ip();
    // API URL (see documentation at ipstack). The key travels in the query
    // string, so use https:// instead if your ipstack plan supports it
    $url = 'http://api.ipstack.com/'.$ip.'?access_key='.$access_key.'&fields=country_code';
    // The @ suppresses the warning on a network failure; $json is then false
    $json = @file_get_contents($url);
    // Decode JSON response (null when the request failed)
    $api_result = $json === false ? null : json_decode($json, true);
    // The country code of your visitor (null if the lookup failed or
    // ipstack returned an error object instead of a result)
    $country_code = $api_result['country_code'] ?? null;

    // If the visitor's country code is NOT in your array of permitted countries
    // (this includes a failed lookup, so the check fails closed)
    // then redirect to some other URL
    if (! in_array($country_code, $allowed_countries, true)) {
        return redirect('http://www.somesite.com');
    }

    // Must be allowed, continue with HTTP request
    return $next($request);
}

3) Now register your middleware class so that it will run across your entire site. In the file app/Http/Kernel.php, add the following line to the $middleware array (in our example we called the class file “GeoLocation.php”, and AppName is your application namespace, which is App by default):

protected $middleware = [
    ...
    \AppName\Http\Middleware\GeoLocation::class,
];

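A hardened variant of the same middleware, added here as an example and not part of the original post or of Laravel itself. It assumes the ipstack key is stored in config/services.php under a key named ipstack.key (a name chosen for this example) and that a Laravel cache store is configured. Compared with the post's version it skips lookups for private and loopback addresses, puts a timeout on the HTTP call, caches the result per IP so the free-tier quota is not spent on repeat visitors, treats a failed lookup as "not allowed" (fail closed), and answers blocked visitors with a 403 instead of a redirect.

```php
<?php
// Added example: hardened GeoLocation middleware (not the post's code).
// Assumes config('services.ipstack.key') holds the ipstack API key (example name).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Cache;

class GeoLocation
{
    // ISO 3166-1 alpha-2 codes that may use the site
    private $allowedCountries = ['US', 'CA', 'MX'];

    // Cache TTL: minutes on Laravel 5.7 and earlier, seconds from 5.8 onward
    private $cacheTtl = 60 * 24;

    public function handle($request, Closure $next)
    {
        // Honours the TrustProxies middleware, unlike $_SERVER['REMOTE_ADDR']
        $ip = $request->ip();

        // Private and reserved addresses (dev boxes, health checks) cannot be
        // geolocated; let them through without spending an API request.
        if (! filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return $next($request);
        }

        // Only successful lookups are cached, so a transient API outage does
        // not lock a visitor out for the whole TTL.
        $country = Cache::get('geo:'.$ip);
        if ($country === null) {
            $country = $this->lookupCountry($ip);
            if ($country !== null) {
                Cache::put('geo:'.$ip, $country, $this->cacheTtl);
            }
        }

        // Unknown country (lookup failed) is treated as not allowed: fail closed.
        if (! in_array($country, $this->allowedCountries, true)) {
            abort(403, 'This site is not available from your region.');
        }

        return $next($request);
    }

    // Returns the two-letter country code, or null when the lookup fails for
    // any reason (network error, bad key, exhausted quota, malformed reply).
    private function lookupCountry(string $ip): ?string
    {
        // The key is sent in the query string; prefer https:// when your plan supports it
        $url = 'http://api.ipstack.com/'.rawurlencode($ip)
             .'?access_key='.rawurlencode((string) config('services.ipstack.key'))
             .'&fields=country_code';

        // Never let a slow geolocation API stall every request to the site
        $context = stream_context_create(['http' => ['timeout' => 3]]);
        $json = @file_get_contents($url, false, $context);
        if ($json === false) {
            return null;
        }

        $data = json_decode($json, true);
        $code = $data['country_code'] ?? null;

        // ipstack returns an error object without country_code on a bad key
        // or exhausted quota; treat that the same as a network failure.
        return is_string($code) && strlen($code) === 2 ? strtoupper($code) : null;
    }
}
```

Register it in the $middleware array exactly as in step 3. If you would rather keep the post's redirect behaviour, replace the abort(403, ...) call with return redirect(...); the fail-closed decision and the caching are independent of which response you send.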
Blocking Countries Instead

To block a list of countries instead of allowing one, you simply invert the test in your middleware:

...

    // Blocked countries by two-character code
    $blocked_countries = ['US', 'CA', 'MX'];

...

    // If the visitor's country code IS in your array of blocked countries
    // then redirect to some other URL
    if (in_array($country_code, $blocked_countries, true)) {
        return redirect('http://www.somesite.com');
    }

...

You have probably heard that you should not use the same password on more than one site. Do you know why? The short answer is that a compromised password will potentially allow someone access to any account you have that uses that password. Even if passwords are stored in a database in a scrambled form, hackers can sometimes figure out which password belongs to the stored value. Here’s how…

After you enter a password, it is “hashed” to create a long string of characters which cannot be reversed to figure out the password. Every time you log in, the password you enter is hashed again and the result is compared to the stored value. If they match, then you are allowed to access your account.

You decide to use the word Chevrolet because you think it is a clever password you will remember easily. Let’s pretend that the hashed value for Chevrolet is mQENBFGnn6EBCACi2lUKqiwQ2hlQPgixA/yIjg8seAedjM3RwddiUaWHZPRm3A8c and that is what is stored in the site database. Hackers can hash every word in a dictionary and compare their results to the stored values from real accounts they have managed to access. If any of their hashed values matches the one in your account, then it is obvious your password is the same as the word they used to create that value. This is why using words from the dictionary is a really bad idea.

Even passwords that are made up from random characters can be cracked using various techniques. So, your goal is to have a password you can remember but is very hard to guess. One of my favorite sites which uses cartoons to make a point says it best.
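The following script, added here as an example and not part of the original post, shows the difference described above in code: a plain unsalted hash of a dictionary word is the same every time, so one precomputed table answers the question for every site that stores it, whereas PHP's password_hash() (bcrypt) adds a random salt and a cost factor so the same word produces a different, slow-to-compute value on every site. The three-word dictionary is constructed for the illustration.

```php
<?php
// Added example (not from the original post): unsalted fast hash vs. password_hash().

// A defender should assume that, for a fast unsalted hash, a table like this
// has already been built for every word in every dictionary.
function buildLookupTable(array $dictionary): array
{
    $table = [];
    foreach ($dictionary as $word) {
        $table[hash('sha256', $word)] = $word;
    }
    return $table;
}

// With unsalted storage, recovering the word is a single array lookup.
function lookupUnsalted(array $table, string $storedHash): ?string
{
    return $table[$storedHash] ?? null;
}

// Proper storage: bcrypt with a random per-password salt and a cost factor.
// The salt and cost are embedded in the returned string, so nothing else
// needs to be stored and the same password never yields the same string twice.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed three-word "dictionary" for the demonstration
$dictionary = ['Chevrolet', 'Ford', 'Toyota'];
$table = buildLookupTable($dictionary);

// What a site that stores sha256($password) keeps in its database for "Chevrolet"
$unsalted = hash('sha256', 'Chevrolet');
echo "unsalted sha256: ", $unsalted, "\n";
echo "recovered from table: ", var_export(lookupUnsalted($table, $unsalted), true), "\n";

// The same password stored properly on two different sites
$siteA = storePassword('Chevrolet');
$siteB = storePassword('Chevrolet');
echo "bcrypt site A: ", $siteA, "\n";
echo "bcrypt site B: ", $siteB, "\n";
echo "hashes differ:  ", var_export($siteA !== $siteB, true), "\n";
echo "both verify:    ", var_export(checkPassword('Chevrolet', $siteA) && checkPassword('Chevrolet', $siteB), true), "\n";
echo "table lookup on bcrypt value: ", var_export(lookupUnsalted($table, $siteA), true), "\n";
```

The table lookup finds the sha256 value immediately and finds nothing for the bcrypt value, because no single table can cover every random salt; each stored bcrypt value would have to be attacked separately, one slow hash per candidate word. That is the property a site should insist on, and it is also why a unique password per site matters: a breach at one site then reveals nothing usable at another.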

[Image: “Password Strength” cartoon. Image source: xkcd.com]

When you go to an ATM, you are required to insert your card and enter a PIN. The card is “something you have” and the PIN is “something you know.” This is called multi-factor authentication. Because of the ever-increasing incidents of hacking on the Internet, it is vital to use this kind of login for important websites such as your email or social media. Some sites call it Two-factor Login, 2-step Verification, etc. Gmail, Facebook, LinkedIn, Amazon and many others allow you to set up two-step verification. Each of those sites will provide instructions on how to set it up, but it is usually done through your account settings and a smart phone or token generator. Some sites don’t use an app but instead will text the one-time code to your phone number. This is so important that I wouldn’t use these sites if they didn’t provide 2-Step Verification.

The most common way to use two-step verification is with an app on your smart phone or by receiving a text message. Two popular apps are Google Authenticator and Duo. When you log in to a site, you will input your username and password (something you know) as usual. Then, the site will ask you for your verification code. You will need your phone or token generator (something you have) to get the code and enter it. In Google Authenticator, for example, these numbers change every minute.
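To show what the phone app and the website are actually agreeing on, here is the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) in plain PHP. This is an added example and not code from the original post or from Google Authenticator or Duo; the base32 secret used at the bottom is a constructed value of the kind a site shows in its setup QR code, and the RFC test secret is used only to illustrate the counter-based step. RFC 6238's default time step is 30 seconds, and the server check below accepts the previous and next step as well to tolerate a few seconds of clock drift.

```php
<?php
// Added example (not from the original post): RFC 6238 TOTP in plain PHP.

const TOTP_STEP = 30;   // RFC 6238 default time step in seconds
const TOTP_DIGITS = 6;  // code length shown by the phone app

// Authenticator apps receive the shared secret as base32 text (in the QR code).
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {   // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" picks 4 bytes and reduces them to the requested digits.
function hotp(string $secret, int $counter, int $digits = TOTP_DIGITS): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): HOTP with the counter set to the current 30-second step.
// This is what the phone computes; it needs no network, only the secret and the clock.
function totp(string $secret, int $unixTime, int $step = TOTP_STEP): string
{
    return hotp($secret, intdiv($unixTime, $step));
}

// Server side: accept the current step and one step either side, and compare in
// constant time with hash_equals() so response timing does not leak digits.
function verifyTotp(string $secret, string $submitted, int $unixTime, int $window = 1): bool
{
    $counter = intdiv($unixTime, TOTP_STEP);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $counter + $i), $submitted)) {
            return true;
        }
    }
    return false;
}

// RFC 4226 Appendix D test secret (ASCII "12345678901234567890"): at unix time 59
// the counter is 1, and the RFC lists 287082 as the 6-digit HOTP for counter 1.
$rfcSecret = '12345678901234567890';
echo "RFC vector, counter 1: ", totp($rfcSecret, 59), "\n";

// Constructed secret as a site would show it during 2-step setup
$secret = base32Decode('JBSWY3DPEHPK3PXP');
$now = time();
$code = totp($secret, $now);   // the number the phone app displays right now
echo "current code: $code\n";
echo "server check, same step:        ", var_export(verifyTotp($secret, $code, $now), true), "\n";
echo "server check, four steps later: ", var_export(verifyTotp($secret, $code, $now + 4 * TOTP_STEP), true), "\n";
```

Two points a site implementing this must also handle: a code that has been accepted once should not be accepted again within its window (store the last used counter per user), and the secret must be protected at least as carefully as the password hash, because anyone holding it can compute the same codes as the phone.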

IMPORTANT: If you plan on changing your mobile phone number and you receive login codes by text message, you must first change the phone number in your various online account settings, or you will not be able to log in to your websites.

Gmail: I recommend Gmail as a personal email provider. Even though 2-Step Verification is important to use with Gmail, the settings are tricky to find in your account. Here is how to find the Gmail 2-Step settings:

  • Log in to your Gmail account
  • Click on the gear icon near the top right and select Settings
  • On the Accounts tab, next to Change account settings:, click on Google Account settings
  • On the My Account page, under Sign-in & Security, click on Signing in to Google
  • Then click on 2-Step Verification to enter the settings and follow the instructions

Remember, never lose control of your phone or mobile devices, trust nobody with your login information, and always keep your personal information in a safe and secure place.

Copyright 2017, Randal Carr, Autolycus Technology LLC, Carefree AZ