Laravel Authentication: Getting Started and HTTP Auth Tutorial.
What Is Laravel Authentication?
Laravel is a PHP web application framework with authentication built in. The framework aims to simplify the many steps and tools traditionally needed to build a modern full-stack web application, including a baseline level of security for users. Laravel's built-in authentication automates tasks such as login, registration, password reset, and session management, letting developers focus on building application features. It achieves this through its syntax and built-in functionality, which cover most standard authentication requirements.
Laravel’s authentication system integrates with its routing and templating systems, providing a cohesive development experience. Its configuration files and controllers help manage user sessions, handle login events, and ensure that only authenticated users can access protected routes. This saves time for developers and helps secure applications.
Types of Laravel authentication methods
There are several types of authentication supported by Laravel.
Password-based authentication
Password-based authentication is the most common method in Laravel. It involves users providing a username and password combination to access the application. Laravel provides features to handle user registration, login, and password resets.
The process relies on the users table, which by default stores passwords hashed with the bcrypt algorithm. During authentication, Laravel hashes the password the user submits and checks it against the hash stored in the database, so plaintext passwords are never stored or compared.
To make use of these capabilities, install the laravel/ui package using Composer:
composer require laravel/ui
Then run the following command:
php artisan ui:auth
This scaffolding sets up the views, controllers, and routes needed for password-based authentication, giving a secure baseline implementation. Developers can customize this behavior by adjusting the corresponding controller methods or modifying the authentication views.
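To show what the scaffolded login flow does under the hood, here is a minimal login controller written as an added example (it is not the laravel/ui scaffolding itself). The class name, route targets and the 5-attempts-per-minute throttle are assumptions.

```php
// Added example (not the laravel/ui scaffolding itself): a minimal login handler
// showing what the generated controller does. Class/route names are assumptions.
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

class LoginController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        // Throttle per email + client IP (5 tries, then a 60 s lock-out) so
        // passwords cannot be guessed freely.
        $key = Str::lower($credentials['email']).'|'.$request->ip();
        if (RateLimiter::tooManyAttempts($key, 5)) {
            throw ValidationException::withMessages(['email' => 'Too many attempts.']);
        }

        // attempt() loads the user by email and verifies the submitted password
        // against the stored bcrypt hash; no plaintext is ever compared.
        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            RateLimiter::hit($key, 60);
            throw ValidationException::withMessages(['email' => 'Invalid credentials.']);
        }
        RateLimiter::clear($key);

        // A fresh session ID after login defeats session fixation.
        $request->session()->regenerate();

        return redirect()->intended('/home');
    }

    public function destroy(Request $request): RedirectResponse
    {
        Auth::logout();
        $request->session()->invalidate();      // drop all session data
        $request->session()->regenerateToken(); // rotate the CSRF token too
        return redirect('/');
    }
}
```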
Token-based authentication
Token-based authentication in Laravel is commonly used for APIs: a token is issued to the client upon successful authentication and then sent with each subsequent request that requires authentication, typically in the Authorization header, allowing the server to verify the user's identity.
Laravel supports token-based authentication through its Laravel Sanctum and Laravel Passport packages:
- Laravel Sanctum is for simpler use cases, such as single-page applications (SPAs) or mobile apps, providing an easy way to manage API tokens with minimal setup.
- Laravel Passport offers a more feature-rich OAuth 2 implementation, suitable for large-scale applications that require advanced authentication flows, such as client credentials or authorization codes.
Tokens issued by either package are stored securely and can be revoked when necessary, ensuring that only authorized users can interact with the API.
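The issue, use and revoke cycle described above, written as an added example for Sanctum (this is not code from the page or from the Sanctum package). It assumes a routes/api.php file, a User model using the Laravel\Sanctum\HasApiTokens trait, and an orders relation on that model.

```php
// routes/api.php (prefixed with /api). Added example, not from the page or the
// Sanctum package; route paths, the token name and the 'orders' relation are
// assumptions. The User model must use Laravel\Sanctum\HasApiTokens.
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Issue a token: check the password first, then mint a token with a narrow
// ability list (least privilege for that client).
Route::post('/token', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required'],
        'device_name' => ['required', 'string', 'max:100'],
    ]);
    if (! Auth::validate(['email' => $data['email'], 'password' => $data['password']])) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }
    $user = User::where('email', $data['email'])->firstOrFail();

    // Sanctum persists only a SHA-256 hash; the plaintext is returned once.
    $token = $user->createToken($data['device_name'], ['orders:read']);

    return response()->json(['token' => $token->plainTextToken]);
});

// Protected routes: the client sends "Authorization: Bearer <token>".
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/orders', function (Request $request) {
        // Check the ability of the presented token, not merely that it maps to a user.
        abort_unless($request->user()->tokenCan('orders:read'), 403);
        return $request->user()->orders()->get();
    });

    // Revoke just the token used on this request ("log out this device").
    Route::delete('/token', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });

    // Revoke every token the user holds (e.g. after a suspected compromise).
    Route::delete('/tokens', function (Request $request) {
        $request->user()->tokens()->delete();
        return response()->noContent();
    });
});
```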
Multi-factor authentication
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to authenticate with more than one factor, such as a password, a biometric, or a one-time password (OTP) sent via email or SMS or generated by an authenticator app. This improves security because an attacker must compromise more than one factor rather than a single password.
Laravel supports MFA by integrating with packages such as Laravel Fortify or third-party solutions. Laravel Fortify provides support for two-factor authentication (2FA), allowing users to enable and configure MFA from their account settings. Once activated, users will be prompted to enter the OTP during the login process after providing their password.
With these additional security measures, Laravel helps protect applications against common threats like phishing and brute-force attacks.
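One way to enable Fortify's two-factor feature, shown as an added config/fortify.php fragment (not the page's text or Fortify's own stub). It assumes the User model uses the Laravel\Fortify\TwoFactorAuthenticatable trait and that Fortify's migration has added the two_factor_* columns.

```php
// config/fortify.php (added example, not the page's or Fortify's own text):
// switching on Fortify's two-factor feature. The options are the ones a defender
// wants: 'confirm' makes the user prove the authenticator works before 2FA is
// enabled (so a mis-scanned QR code cannot lock them out), and 'confirmPassword'
// demands a fresh password check before 2FA settings can be changed.
// Assumes the User model uses Laravel\Fortify\TwoFactorAuthenticatable and that
// the package migration has added the two_factor_* columns.

use Laravel\Fortify\Features;

return [
    // ...other Fortify options left as generated...

    'features' => [
        Features::registration(),
        Features::resetPasswords(),
        Features::emailVerification(),
        Features::updatePasswords(),
        Features::twoFactorAuthentication([
            'confirm'         => true,
            'confirmPassword' => true,
        ]),
    ],
];
```

With this in place, a user who has enabled and confirmed 2FA is prompted for the OTP (or a recovery code) after a correct password, as described above.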
Setting up authentication in Laravel
Here’s a walkthrough of how to get started with Laravel authentication. The instructions in this section and the tutorial below are adapted from the Laravel documentation.
Installing a starter kit
To quickly set up authentication in a new Laravel application, it is recommended to use a starter kit. Laravel provides two main starter kits:
- Laravel Breeze is a minimal setup that implements essential authentication features such as login, registration, password reset, and email verification. It uses Blade templates styled with Tailwind CSS and supports optional scaffolding with Livewire or Inertia, giving developers the flexibility to choose between Vue.js or React for the front end.
- Laravel Jetstream is a more comprehensive solution. It offers features like two-factor authentication (2FA), teams, profile management, API support with Laravel Sanctum, and more. Like Breeze, Jetstream also supports scaffolding with Livewire or Inertia.
To install a starter kit (Breeze is shown here), run the following commands:
composer require laravel/breeze --dev
php artisan breeze:install
npm install && npm run dev
php artisan migrate
These commands set up the authentication system, generate the necessary routes, views, and controllers, and prepare the Laravel application for user authentication.
Retrieving an authenticated user
Once authentication is set up, developers often need to retrieve the authenticated user, for example to access user-specific data. Laravel provides a few simple ways to do this.
1. You can retrieve the authenticated user using the Auth facade:
use Illuminate\Support\Facades\Auth;
$user = Auth::user();
2. Alternatively, within controller methods, you can access the authenticated user via the Illuminate\Http\Request object by type-hinting Request in the controller method.
Verifying that the current user is authenticated
To check whether a user is authenticated, use the check method provided by the Auth facade. It returns true if a user is authenticated and false otherwise.
Securing routes
Laravel lets developers protect routes so that only authenticated users can access them, by applying the auth middleware. For example, to restrict access to a route, call the middleware method on the route definition.
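The three operations above (retrieving the user, checking authentication, and securing routes) in one routes file, as an added example that is not the page's own code. Route paths, view names and the ProfileController are assumptions; the controller is shown in the same block for brevity.

```php
// Added example (not the page's own code) combining the three operations above
// in a routes file; the ProfileController is shown in the same block for brevity.
// Route paths, view names and the controller are assumptions.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// 1. Retrieve the authenticated user. Auth::user() is null for a guest, so
//    code that runs on public routes must handle that case.
Route::get('/whoami', function () {
    $user = Auth::user();                  // Auth::id() returns only the key
    return ['email' => $user?->email];
});

// 2. Verify that the current user is authenticated before branching.
Route::get('/', function () {
    if (Auth::check()) {
        return view('home', ['user' => Auth::user()]);
    }
    return view('welcome');                // what anonymous visitors see
});

// 3. Secure routes: 'auth' sends guests to the login page (401 for JSON
//    clients); 'verified' additionally requires a confirmed email address.
Route::middleware(['auth', 'verified'])->group(function () {
    Route::get('/profile', [ProfileController::class, 'show']);
    Route::patch('/profile', [ProfileController::class, 'update']);
});

// Inside a controller the same user is available from the type-hinted
// Request, which the container resolves for you.
class ProfileController extends \App\Http\Controllers\Controller
{
    public function show(Request $request)
    {
        return view('profile.show', ['user' => $request->user()]);
    }

    public function update(Request $request)
    {
        $data = $request->validate(['name' => ['required', 'string', 'max:255']]);
        // The record to update comes from the session-bound user, never from a
        // user-supplied id, so one user cannot edit another's profile.
        $request->user()->fill($data)->save();
        return redirect('/profile');
    }
}
```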