Laravel Authentication [In-Depth Tutorial]

Written By - Muhammad Azeem
Advertisement

Getting started with Laravel Authentication

Laravel is a widely popular PHP web application framework known for its elegant syntax, simplicity, and powerful features. One of the core components of any web application is user authentication, and Laravel provides a robust, flexible, and out-of-the-box solution for handling user authentication with minimal effort. Laravel's built-in authentication system simplifies the process of adding secure user registration, login, password reset, and other authentication-related functionalities to your web application.

The Laravel authentication system is based on the concept of guards and providers. Guards are responsible for managing the user authentication state, while providers define how users are retrieved from persistent storage, such as a database. Laravel ships with a default guard called web, which uses session-based authentication, and a users provider that retrieves user data using Eloquent, Laravel's built-in ORM.

Additionally, Laravel provides a scaffolding package called Laravel Breeze or Laravel Jetstream, which includes pre-built user interfaces, routes, and controllers for authentication. These scaffolding packages offer a quick and easy way to get started with authentication in Laravel, allowing you to focus on building your application's unique features.

Laravel also supports social authentication through its Socialite package, which enables your application to authenticate users using their social media accounts, such as Google, Facebook, or Twitter.

 

Guards and Providers

In Laravel, authentication is managed using two key concepts: guards and providers. These components work together to handle user authentication and retrieval of user data from persistent storage.

 

Guards

Guards are responsible for managing the user authentication state. They define how users are authenticated, such as using sessions or tokens, and handle tasks like user login, logout, and checking if the user is authenticated. Laravel ships with a few built-in guards, such as web (session-based) and api (token-based), but you can also create custom guards to suit your application's specific needs.

For example, the default web guard uses the session driver to maintain the user's authentication state:

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    // ...
],

You can create a custom guard using the extend method on the Auth facade. In this example, a custom guard named custom is created:

Advertisement
use Illuminate\Auth\SessionGuard;

Auth::extend('custom', function ($app, $name, array $config) {
    // Return an instance of the custom guard
    return new SessionGuard(
        $name,
        $app['auth']->createUserProvider($config['provider']),
        $app['session.store']
    );
});

 

Providers

Providers define how users are retrieved from persistent storage, such as a database or an external API. They are responsible for getting user data based on the user's credentials or identifier. Laravel ships with a few built-in providers, such as the users provider which retrieves user data using Eloquent, Laravel's built-in ORM.

For example, the default users provider uses the Eloquent driver and the App\Models\User model:

'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => App\Models\User::class,
    ],
    // ...
],

You can create a custom user provider by implementing the Illuminate\Contracts\Auth\UserProvider interface. In this example, a custom user provider named custom is created:

use Illuminate\Contracts\Auth\UserProvider;

class CustomUserProvider implements UserProvider
{
    // Implement the required methods, such as retrieveById, retrieveByToken, updateRememberToken, and so on
}

To register the custom user provider, you can use the provider method on the Auth facade:

Auth::provider('custom', function ($app, array $config) {
    // Return an instance of the custom user provider
    return new CustomUserProvider($config['model']);
});

Finally, you need to update the config/auth.php file to use the custom guard and provider:

'guards' => [
    'web' => [
        'driver' => 'custom',
        'provider' => 'custom',
    ],
    // ...
],

'providers' => [
    'custom' => [
        'driver' => 'custom',
        'model' => App\Models\User::class,
    ],
    // ...
],

 

Routes and Controllers

Laravel Breeze provides predefined routes and controllers for handling authentication. You can find the routes in the routes/web.php file or the routes/auth.php file (depending on your Laravel version) after running the breeze:install command.

The routes include:

  • Registration: Route::get('/register', [RegisteredUserController::class, 'create']); and Route::post('/register', [RegisteredUserController::class, 'store']);
  • Login: Route::get('/login', [AuthenticatedSessionController::class, 'create']); and Route::post('/login', [AuthenticatedSessionController::class, 'store']);
  • Logout: Route::post('/logout', [AuthenticatedSessionController::class, 'destroy']);
  • Password Reset: Route::get('/forgot-password', [PasswordResetLinkController::class, 'create']); and Route::post('/forgot-password', [PasswordResetLinkController::class, 'store']);
  • Password Reset Confirmation: Route::get('/reset-password/{token}', [NewPasswordController::class, 'create']); and Route::post('/reset-password', [NewPasswordController::class, 'store']);

These routes map to corresponding controller methods responsible for rendering views, validating input, and performing the necessary actions for user registration, login, and password reset.

For example, in the RegisteredUserController, the create method renders the registration view, and the store method handles the user registration process:

class RegisteredUserController extends Controller
{
    public function create()
    {
        return view('auth.register');
    }

    public function store(Request $request)
    {
        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|confirmed|min:8',
        ]);

        Auth::login($user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
        ]));

        event(new Registered($user));

        return redirect(RouteServiceProvider::HOME);
    }
}

By utilizing the predefined routes and controllers provided by Laravel Breeze, you

can quickly set up and manage user registration, login, and password reset functionalities in your Laravel application without having to write all the code from scratch.

In addition to the routes and controllers mentioned above, Laravel Breeze also provides middleware for protecting routes that should only be accessible by authenticated users. The auth middleware is used for this purpose, and it is applied to routes by adding it to the route definition:

Route::middleware(['auth'])->group(function () {
    Route::get('/dashboard', function () {
        return view('dashboard');
    })->name('dashboard');
});

In this example, the /dashboard route is protected by the auth middleware, meaning that only authenticated users can access the dashboard page. If an unauthenticated user tries to access the route, they will be redirected to the login page.

 

Views and User Interface

Laravel Breeze provides a set of pre-built Blade templates for the authentication views, which include user registration, login, password reset, and email verification. These templates are located in the resources/views/auth directory after installing Laravel Breeze. They are built using the Tailwind CSS framework, making them responsive and easily customizable.

For example, the register.blade.php file contains the following code for rendering the registration form:

<x-guest-layout>
    <x-auth-card>
        <x-slot name="logo">
            <a href="/">
                <x-application-logo class="w-20 h-20 fill-current text-gray-500" />
            </a>
        </x-slot>

        <!-- Registration form contents -->
    </x-auth-card>
</x-guest-layout>

The x-guest-layout, x-auth-card, and x-application-logo are custom Blade components that help structure and style the authentication views. You can customize these components or create new ones to match your application's design and requirements.

 

Authentication Middlewares

Middleware plays an important role in the authentication process. Middleware are classes that can filter and manipulate HTTP requests and responses in your application. In the context of authentication, Laravel provides built-in middleware to handle access control and user redirections.

 

auth middleware

This middleware ensures that only authenticated users can access protected routes. If an unauthenticated user tries to access a protected route, they will be redirected to the login page. You can apply this middleware to your routes using the following syntax:

Route::middleware(['auth'])->group(function () {
    // Your protected routes
});

 

guest middleware

This middleware is used to restrict access to certain routes for authenticated users, such as the login and registration pages. If an authenticated user tries to access a guest-only route, they will be redirected to a specified location, usually the home or dashboard page. You can apply this middleware to your routes using the following syntax:

Route::middleware(['guest'])->group(function () {
    // Your guest-only routes
});

 

User Model

In Laravel, the User model plays a crucial role in authentication. The User model is an Eloquent model representing the users in your application, and it is typically stored in the app/Models/User.php file. By default, the User model extends the Illuminate\Foundation\Auth\User class, which itself extends the Illuminate\Database\Eloquent\Model class.

The User model implements the Illuminate\Contracts\Auth\Authenticatable contract, which defines methods required for user authentication, such as getAuthIdentifier, getAuthPassword, and getRememberToken. These methods are used by the authentication system to retrieve and store user data.

Here's an example of a basic User model:

namespace App\Models;

use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;

class User extends Authenticatable
{
    use HasFactory, Notifiable;

    protected $fillable = [
        'name',
        'email',
        'password',
    ];

    protected $hidden = [
        'password',
        'remember_token',
    ];

    protected $casts = [
        'email_verified_at' => 'datetime',
    ];
}

By understanding the role of views, middleware, and the User model in Laravel authentication, you can effectively manage and customize the authentication process in your application.

 

Social Authentication

Password Hashing and Verification

When dealing with user authentication, it's essential to securely store user passwords. Laravel provides a built-in hashing mechanism that utilizes the Bcrypt or Argon2 password hashing algorithms to store passwords securely. You should never store plaintext passwords in your database.

To hash a password, you can use the Hash facade, as shown in the example below:

use Illuminate\Support\Facades\Hash;

$password = 'my-plain-text-password';
$hashedPassword = Hash::make($password);

When authenticating users, Laravel automatically verifies the provided password against the hashed password stored in the database. You can also manually check if a given password matches a hash using the Hash::check method:

$providedPassword = 'user-provided-password';
$hashedPassword = 'hashed-password-from-database';

if (Hash::check($providedPassword, $hashedPassword)) {
    // The provided password is correct
}

 

Password Reset and Email Verification

Laravel has built-in support for handling password resets and email verification through the use of tokens. Laravel Breeze provides a set of pre-built views, routes, and controllers for handling these functionalities.

To enable password reset functionality, you need to set up your application's mail configuration (usually located in the .env file) and create a password reset table in your database by running the following Artisan command:

php artisan migrate

Laravel Breeze handles the logic for sending password reset emails, generating tokens, and resetting the user's password.

Similarly, you can enable email verification functionality by implementing the MustVerifyEmail interface on your User model and configuring your email settings. The email verification process involves sending an email with a unique signed URL that users can click to verify their email address.

 

Setting up Laravel authentication with Laravel Breeze

In this explanation, we will go through setting up Laravel authentication using Laravel Breeze as an example and discuss the predefined routes and controllers it provides for authentication.

Laravel Breeze is a scaffolding package that provides a minimal starting point for building a Laravel application with authentication. It includes pre-built views, routes, and controllers for user registration, login, and password reset. To set up Laravel Breeze, follow these steps:

First, make sure you have a fresh Laravel installation. If you don't, you can create one using Composer:

composer create-project --prefer-dist laravel/laravel my-app

Replace my-app with your preferred project name.

Navigate to your Laravel project directory:

cd my-app

Install Laravel Breeze using Composer:

composer require laravel/breeze --dev

Run the Breeze installation command:

php artisan breeze:install

This command will install the authentication scaffolding, including views, routes, and controllers.

Finally, compile the front-end assets using NPM:

npm install && npm run dev

Now, Laravel authentication is set up, and you can access the registration, login, and password reset pages at /register, /login, and /forgot-password respectively.

 

Access the registration page

Visit /register in your browser, and you should see a registration form. The form will contain fields such as name, email, and password. Fill in the required details and submit the form to create a new user account.

<!-- resources/views/auth/register.blade.php -->

<form action="{{ route('register') }}" method="post">
    @csrf
    <!-- Add input fields for name, email, and password -->
    <button type="submit">Register</button>
</form>

 

Access the login page

Visit /login in your browser, and you should see a login form. Enter the email address and password you used during registration and submit the form to log in.

<!-- resources/views/auth/login.blade.php -->

<form action="{{ route('login') }}" method="post">
    @csrf
    <!-- Add input fields for email and password -->
    <button type="submit">Login</button>
</form>

 

Access the password reset page

If you have forgotten your password, visit /forgot-password in your browser. You will see a form that prompts you to enter your email address. After submitting the form, you will receive an email with a password reset link.

<!-- resources/views/auth/forgot-password.blade.php -->

<form action="{{ route('password.email') }}" method="post">
    @csrf
    <!-- Add input field for email -->
    <button type="submit">Send Password Reset Link</button>
</form>

Clicking the password reset link in the email will take you to the password reset page, where you can enter a new password.

<!-- resources/views/auth/reset-password.blade.php -->

<form action="{{ route('password.update') }}" method="post">
    @csrf
    <!-- Add input fields for email, password, and password confirmation -->
    <button type="submit">Reset Password</button>
</form>

By using Laravel Breeze, you have set up a functional authentication system, complete with registration, login, and password reset functionality. You can now customize these views, routes, and controllers as needed to suit your application's requirements.

 

Benefits of Authentication in Laravel

Authentication is a process by which an application can identify an individual user. This process is necessary for applications that require user data to be secure and private. Authentication is especially important for web applications, where users must be able to reliably identify themselves.

Laravel is a popular, open-source PHP framework that simplifies the development of web applications. It provides a number of tools and features that help developers create secure applications quickly and easily. One of the most important features of Laravel is its authentication system, which makes it easy to implement user authentication.

The authentication system in Laravel is designed to be simple and intuitive. It provides several different ways to authenticate users, including using passwords, social media accounts, and third-party services. Once the user has been authenticated, Laravel provides several ways to store user data securely.

Using the authentication system in Laravel, developers can easily and quickly implement user login functionalities. This includes the ability to create accounts, reset passwords, and create secure sessions. By using Laravel's authentication system, developers can ensure that user data is kept secure and private.

In addition, the authentication system in Laravel is highly customizable. Developers can easily create their own authentication rules and policies. This allows developers to customize the authentication system to fit their specific needs. For example, developers can restrict access to certain pages or resources based on user roles or permissions.

Lastly, the authentication system in Laravel integrates with other popular frameworks and libraries. This allows developers to quickly and easily integrate authentication protocols into their applications. For example, developers can integrate authentication protocols such as OAuth, SAML, and OpenID Connect into their applications.

In conclusion, the authentication system in Laravel is an essential tool for creating secure web applications. It provides a quick and easy way to implement user authentication and store user data securely. Additionally, the authentication system in Laravel is highly customizable and integrates with other popular frameworks and libraries. By using the authentication system in Laravel, developers can create secure applications quickly and easily.

 

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment