With the application now running, Phase 3 of the custom hosting control panel build focuses on authentication, panel layout, and core structure.
Phase 2 gave us a working Laravel environment, connected to MariaDB and served through Nginx.
This phase builds directly on Phase 2, where the application layer was first established.
Which was great — but let’s be honest, at that stage it was still basically a framework sitting there politely waiting for instructions.
Phase 3 is where that changes.
This phase focuses on building the foundation layer of the control panel itself: authentication, protected routing, and a structured UI shell that everything else will sit on top of.
🧩 What This Phase Does in the Custom Hosting Control Panel Build
This phase introduces the core building blocks required for a real control panel:
- Secure authentication system
- Protected panel routes
- Reusable UI layout (sidebar + top navigation)
- Initial dashboard
- Clean routing structure
There’s no hosting logic yet. No provisioning. No system interaction.
This is purely about structure, access control, and UI foundation.
Not the flashy part of the build — but definitely the part that stops everything becoming a mess later.
🔐 Authentication System
The first step was implementing a secure authentication layer using Laravel’s built-in tooling, following the official Laravel authentication documentation.
The goal was simple:
- Login-only access
- No public registration
- All panel routes protected
🚪 Login-Only Access
Out of the box, Laravel makes it very easy to enable full authentication scaffolding.
Useful… but this panel is not a public-facing app where random people should be able to wander in and make themselves an account.
Registration was deliberately disabled so that only manually created users can access the system.
This keeps the panel locked down and avoids unnecessary exposure.
🛡️ Middleware Protection
All panel routes are protected using Laravel’s auth middleware.
This ensures:
- Unauthenticated users are redirected to /login
- Authenticated users gain access to panel routes
Authentication is now enforced at the framework level — not manually stitched together route by route like a future headache.
👤 User System
The default Laravel users table is used as the base for the panel.
No over-engineering here.
At this stage, the goal is simply to have a reliable user model that supports authentication properly.
Minor preparation has been made for future expansion, such as:
- Admin flag or role field
- Scalability for future permission systems
Full role-based access control (RBAC) is intentionally deferred to a later phase.
Because before building a permissions empire, it helps to first have a login screen that works.
🖥️ Panel Layout
This is one of the most important parts of Phase 3.
The panel UI is built using a reusable Blade layout, designed to act as the shell for the entire system.
🧱 Layout Structure
The layout introduces a consistent structure across all panel pages:
- Left sidebar navigation
- Top navigation bar
- Main content area
This is not just visual dressing.
It defines how every future feature will be structured, displayed, and navigated.
📚 Sidebar Navigation
The sidebar provides a central navigation system, with sections for:
- Core (Dashboard)
- Future modules (Sites, Domains, Users, Services)
Even though these modules don’t exist yet, placeholders are included to define the intended structure early.
It’s a lot easier to build properly now than bolt it on later while pretending that was always the plan.
📌 Top Navigation
The top bar displays:
- Current page context
- Logged-in user information
- Logout action
This creates a consistent user experience across the panel and gives the interface an actual sense of structure instead of just looking like a collection of pages.
♻️ Reusable Design
The layout is built to be reused across all future pages.
This ensures:
- Consistency
- Maintainability
- Scalability as features are added
Every new page will extend this layout rather than reinventing the wheel every time.
Because rebuilding the same structure on every page is a brilliant way to waste time and create bugs for free.
📊 Dashboard
The first panel page is the dashboard, accessible at:
/dashboard
🔒 Protected Access
The dashboard is fully protected by authentication middleware.
It cannot be accessed without logging in.
Which is generally a good quality to have in a control panel.
🧩 Layout Integration
The dashboard uses the panel layout, confirming that the UI shell works as intended.
This was the first real proof that the panel structure was no longer theoretical — it was actually working in practice.
📝 Placeholder Content
For now, the dashboard includes basic placeholder data:
- Panel status
- Logged-in user information
- Placeholder stats for hosting accounts and sites
No real data yet — just enough to validate structure and confirm that the plumbing underneath is doing what it should.
🛣️ Routing Structure
Routes have been cleaned up and organised properly.
The application now clearly separates:
- Guest routes (login)
- Authenticated routes (panel)
📦 Middleware Groups
Panel routes are grouped under the auth middleware.
This avoids repetition and ensures consistent protection across the application.
One rule, applied properly, beats remembering to protect every route individually and eventually missing one.
🚦 Clean Entry Point
The root route (/) now intelligently redirects:
- Authenticated users → dashboard
- Guests → login page
This creates a clean and predictable entry flow.
No dead-end landing page. No confusing behaviour. Just the right place for the right user.
🚪 Logout System
Logout functionality is implemented using Laravel’s standard approach.
📨 POST-Based Logout
The logout action is handled via a POST request, not a GET request.
This is important for security and aligns with best practices.
Because “clicking a link to destroy a session” is one of those ideas that sounds convenient right up until it isn’t.
🛡️ CSRF Protection
The logout request is protected with Laravel’s built-in CSRF system.
This prevents cross-site request forgery attacks and keeps session handling properly locked down.
🧹 Session Handling
On logout:
- The user session is destroyed
- The user is redirected back to the login page
Simple, clean, and secure.
Exactly the kind of boring behaviour you want from authentication.
⚠️ Challenges & Decisions
🚫 Disabling Registration
Laravel makes it easy to enable registration — but in this case, it had to go.
This panel is not public-facing, so user creation will always be controlled internally.
Letting people self-register for a hosting control panel would be… adventurous.
🎯 Keeping It Simple
There’s no RBAC system yet.
No permissions matrix.
No role hierarchy.
That’s intentional.
The focus here is on building a stable foundation before layering complexity on top.
There’s no prize for making Phase 3 unnecessarily complicated.
🧱 Structure Before Features
It’s tempting to jump straight into hosting logic and provisioning.
That’s the exciting bit.
But without a solid structure, everything becomes harder to maintain later.
This phase is about getting the architecture right first — so future features have somewhere sensible to live.
🧠 Why This Phase Matters
This is the point where the project stops being just a Laravel app and starts becoming a control panel.
We now have:
- Secure access control
- A defined UI structure
- Protected routes
- A working panel shell
Every future feature — hosting accounts, sites, provisioning — will plug into what was built here.
This phase may not be the loudest one in the series, but it’s one of the most important.
🔜 What’s Next – Phase 4
Phase 4 moves into the actual hosting layer.
This includes:
- Hosting account system
- Site management
- Database relationships for hosting structure
- Preparation for provisioning logic
This is where the panel starts interacting with real hosting concepts instead of just preparing for them.
🏁 Final Thoughts
Phase 3 is a turning point.
The system now has structure, security, and a clear direction.
It’s no longer just an application — it’s the beginning of a platform.
Everything from here builds on top of this foundation.
And now it’s time to make it actually manage something.