Authentication
Login system, session management, refresh tokens, and access audit trail. The backend uses Laravel Sanctum for API authentication. The Next.js frontend manages the session with an httpOnly cookie.
UI Mockup: Login Page
(Mockup placeholder: the Bengkel Pintar login form with "Email / Username" and "Password" fields, a "Remember me" checkbox, a "Forgot password?" link and a "Sign in" button. A second mockup shows the admin sidebar with Dashboard, Audit Log and Active Sessions, with the audit log table below.)
| Time | User | Action | IP | Status |
|---|---|---|---|---|
| 09:14:22 | admin@... | LOGIN | 180.252.x.x | OK |
| 09:18:05 | kasir@... | LOGIN | 180.252.x.x | OK |
| 09:22:31 | mekanik1@... | LOGIN | 192.168.x.x | OK |
| 09:45:18 | unknown | LOGIN_FAIL | 103.x.x.x | FAIL |
| 10:02:44 | admin@... | LOGOUT | 180.252.x.x | OK |
Flow Diagram: Authentication Flow
Login & Session Management
Authentication flow using Laravel Sanctum + Next.js
```mermaid
flowchart TD
A([User: Buka\nHalaman Login]) --> B[Input Email\n& Password]
B --> C[Frontend: POST\n/api/auth/login]
C --> D[Backend: Validasi\nKredensial]
D --> E{Valid?}
E -->|Tidak| F[Return 401\nTampil Error]
F --> B
E -->|Ya| G[Cek Status\nUser Aktif?]
G -->|Non-Aktif| H[Return 403\nAkun Dinonaktifkan]
G -->|Aktif| I[Generate Sanctum\nAPI Token]
I --> J[Set httpOnly Cookie\nRefresh Token]
J --> K[Return Access Token\n+ User Data + Role]
K --> L[Frontend: Store Token\ndi Memory]
L --> M[Redirect ke\nDashboard sesuai Role]
M --> N{Sesi Aktif}
N -->|Request API| O[Attach Bearer Token\ndi Header]
O --> P[Backend Validasi\nToken & Permission]
P -->|Valid| Q[Proses Request]
P -->|Invalid/Expired| R[Return 401]
R --> S[Frontend: Auto Refresh\nToken via httpOnly Cookie]
S -->|Berhasil| O
S -->|Gagal / Expired| A
N -->|Logout| T[POST /api/auth/logout\nRevoke Token]
T --> A
style A fill:#dbeafe,stroke:#3b82f6
style M fill:#dcfce7,stroke:#16a34a
style F fill:#fee2e2,stroke:#ef4444
style H fill:#fee2e2,stroke:#ef4444
```
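The frontend half of the "Sesi Aktif" loop in the diagram (nodes O to S), written here as an added example rather than the project's own code: the access token is held in memory only, every API call carries it as a Bearer header, a 401 triggers a single refresh through the httpOnly cookie, and a failed refresh ends the session so the UI can return to the login page. The refresh endpoint path `/api/auth/refresh` and its `access_token` response field are assumptions, since the page does not name them.

```typescript
// Added example (not the project's code): Next.js-side client for the "Sesi Aktif"
// loop. Access token stays in memory, each request carries it as a Bearer header,
// a 401 triggers one refresh through the httpOnly cookie, and a failed refresh
// ends the session so the UI can return to the login page.
// Assumed (not on the page): POST /api/auth/refresh replies { "access_token": "..." }.

interface RequestOptions {
  method?: string;
  headers?: Record<string, string>;
  credentials?: "include" | "omit" | "same-origin";
}
interface ApiResponse { status: number; ok: boolean; json(): Promise<unknown>; }
type FetchLike = (url: string, init?: RequestOptions) => Promise<ApiResponse>;

class AuthClient {
  accessToken: string | null = null;                  // memory only, never localStorage
  private refreshing: Promise<boolean> | null = null; // shared by concurrent 401s
  sessionEnded = false;                                // set once a refresh fails

  constructor(private readonly fetchImpl: FetchLike) {}

  // The refresh token travels only as the httpOnly cookie (credentials: "include"),
  // so script never reads it; only a new short-lived access token comes back.
  private refresh(): Promise<boolean> {
    if (this.refreshing) return this.refreshing;  // join the refresh already in flight
    const pending = (async () => {
      try {
        const res = await this.fetchImpl("/api/auth/refresh", { method: "POST", credentials: "include" });
        if (!res.ok) { this.accessToken = null; this.sessionEnded = true; return false; }
        this.accessToken = ((await res.json()) as { access_token: string }).access_token;
        return true;
      } finally { this.refreshing = null; }
    })();
    this.refreshing = pending;
    return pending;
  }

  // Send with the current token; on 401 refresh once and resend. A second 401 is
  // returned to the caller, so a broken refresh endpoint can never cause a loop.
  async request(path: string, init: RequestOptions = {}): Promise<ApiResponse> {
    const send = () => this.fetchImpl(path, {
      ...init,
      headers: { ...(init.headers ?? {}), Authorization: `Bearer ${this.accessToken ?? ""}` },
    });
    let res = await send();
    if (res.status === 401 && (await this.refresh())) res = await send();
    return res;
  }
}
```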
Security & Configuration
🔑 Token Management
- Access token expiry: 15 minutes
- Refresh token expiry: 7 days (httpOnly cookie)
- Tokens are revoked on logout
- A separate token for each device/session
🛡 Brute Force Protection
- Lockout after 5 failed login attempts (15 minutes)
- Rate limiting on the login endpoint
- Suspicious IPs are logged and can be blocked
- Alert to the Super Admin when an anomaly is detected
📱 Multi Device
- A user can be logged in from multiple devices
- The Super Admin can revoke a specific session
- The list of active sessions is visible in the user profile
- "Logout from all devices" is available
📋 Audit Trail
- Every login, logout, and failed login is recorded
- IP address and user-agent are stored
- Audit log retention: 90 days
- Only the Super Admin can access the audit log