Advanced Laravel Authentication Customizations and Tips
This article provides a comprehensive guide to customizing Laravel's built‑in authentication system, covering route parameters, controller generation, password confirmation, device logout, redirect logic, user creation via Tinker and factories, login throttling, and additional credential checks, all with practical code examples.
Tip 1. Auth::routes() Parameters
Laravel includes a ready‑made authentication system. The Auth::routes() method, provided by the Laravel UI package (it was included in the core before Laravel 7), accepts an array that enables or disables specific auth routes.
    Auth::routes([
        'login' => true,
        'logout' => true,
        'register' => true,
        'reset' => true, // password reset
        'confirm' => false, // password confirmation
        'verify' => false, // email verification
    ]);
These parameters simply turn routes on or off. The implementation can be found in the AuthRouteMethods class of Laravel UI.
    return function ($options = []) {
        // login routes
        if ($options['login'] ?? true) {
            $this->get('login', 'Auth\LoginController@showLoginForm')->name('login');
            $this->post('login', 'Auth\LoginController@login');
        }
        // logout routes
        if ($options['logout'] ?? true) {
            $this->post('logout', 'Auth\LoginController@logout')->name('logout');
        }
        // register routes
        if ($options['register'] ?? true) {
            $this->get('register', 'Auth\RegisterController@showRegistrationForm')->name('register');
            $this->post('register', 'Auth\RegisterController@register');
        }
        // password reset routes
        if ($options['reset'] ?? true) {
            $this->resetPassword();
        }
        // password confirmation routes
        // (parenthesized because && binds tighter than ??; without the
        // parentheses the class_exists() check would never be evaluated)
        if (($options['confirm'] ?? false) &&
            class_exists($this->prependGroupNamespace('Auth\ConfirmPasswordController'))) {
            $this->confirmPassword();
        }
        // email verification routes
        if ($options['verify'] ?? false) {
            $this->emailVerification();
        }
    };
Tip 2. Laravel UI: Generate Only Controllers
The official documentation suggests running php artisan ui vue --auth to generate the UI and auth scaffolding. For API‑only projects without a front‑end, you can generate only the authentication controllers:
    php artisan ui:controllers
This command creates the app/Http/Controllers/Auth directory without any Blade or Vue files.
Tip 3. Re‑authenticate Sensitive Actions
Since Laravel 6.2 the framework includes a password‑confirmation middleware. Apply the password.confirm middleware to any route that requires extra verification:
    Route::get('/secrets', 'SecretsController@show')->middleware('password.confirm');
After confirming the password, a timestamp is stored in the session for three hours by default. The duration can be customized via the password_timeout option in config/auth.php.
Tip 4. Logout Other Devices
From Laravel 5.6 onward you can log out all other sessions after a successful login:
    Auth::logoutOtherDevices($password);
Override the authenticated() method in LoginController to make this call, and ensure the AuthenticateSession middleware is enabled in app/Http/Kernel.php.
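The override described in Tip 4, written out as an added example that is not part of the original article. It assumes the stock Laravel UI LoginController and a login form whose password field is named password.

```php
<?php
// app/Http/Controllers/Auth/LoginController.php (added example)

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    /**
     * Hook that AuthenticatesUsers calls after a successful login.
     */
    protected function authenticated(Request $request, $user)
    {
        // logoutOtherDevices() needs the plain-text password that was just
        // verified: it rehashes it, so the password hash remembered by every
        // other session no longer matches the stored one.
        Auth::logoutOtherDevices($request->input('password'));

        // Returning nothing lets the trait continue with its normal redirect.
    }
}

// app/Http/Kernel.php: the stale sessions are only rejected if this
// middleware is active in the "web" group (it ships commented out):
//
//     protected $middlewareGroups = [
//         'web' => [
//             // ...
//             \Illuminate\Session\Middleware\AuthenticateSession::class,
//         ],
//     ];
```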
Redirect After Login / Registration: Custom Logic
Both LoginController and RegisterController use the $redirectTo property, which points to RouteServiceProvider::HOME (default /home). To implement dynamic redirects based on user roles, define a redirectTo() method:
    class RegisterController extends Controller {
        use RegistersUsers;

        protected $redirectTo = RouteServiceProvider::HOME;

        // When defined, this method takes precedence over the $redirectTo property.
        protected function redirectTo() {
            if (auth()->user()->role_id == 1) {
                return '/admin';
            }
            return '/home';
        }
    }
Tip 5. Quickly Create New Users
Use Laravel Tinker to create a single user:
    php artisan tinker

    \App\User::create([
        'name' => 'Admin',
        'email' => 'admin@example.com', // placeholder address
        'password' => bcrypt('somesecurepassword')
    ]);
For bulk creation, define a factory in database/factories/UserFactory.php and run a seeder:
    // database/factories/UserFactory.php
    use App\User;
    use Faker\Generator as Faker;
    use Illuminate\Support\Str;

    $factory->define(User::class, function (Faker $faker) {
        return [
            'name' => $faker->name,
            'email' => $faker->unique()->safeEmail,
            'email_verified_at' => now(),
            'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi', // password
            'remember_token' => Str::random(10),
        ];
    });

    // Seeder
    use Illuminate\Database\Seeder;

    class UsersSeeder extends Seeder {
        public function run() {
            factory(App\User::class, 100)->create();
        }
    }

    php artisan db:seed --class=UsersSeeder
Tip 6. Login with Email or Username
Override the username() method in LoginController to allow either email or username:
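    public function username() {
        $field = filter_var(request('email'), FILTER_VALIDATE_EMAIL) ? 'email' : 'username';
        request()->merge([$field => request('email')]); // expose the input under the chosen column
        return $field;
    }
Remember to change the login form input type from email to text.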
Tip 7. Login Throttling Custom Parameters
The ThrottlesLogins trait controls the maximum attempts and decay minutes. Override these properties in LoginController:
    class LoginController extends Controller {
        use AuthenticatesUsers; // pulls in ThrottlesLogins

        protected $maxAttempts = 3; // default 5
        protected $decayMinutes = 2; // default 1
    }
Tip 8. Disable Automatic Login After Registration
Override the register() method in RegisterController to prevent the default auto‑login and redirect to a custom success page:
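    // Requires: use Illuminate\Http\Request; use Illuminate\Auth\Events\Registered;
    public function register(Request $request) {
        $this->validator($request->all())->validate();
        // Create the user and fire the Registered event, but skip the guard login.
        event(new Registered($user = $this->create($request->all())));
        return redirect()->route('your_success_page_route_name');
    }
Tip 9. Additional Credential Checks on Login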
To require extra fields (e.g., is_active) during authentication, override the credentials() method in LoginController:
    protected function credentials(Request $request) {
        return $request->only($this->username(), 'password') + ['is_active' => 1];
    }
For more complex validation, consider creating a dedicated middleware instead of modifying the credential array directly.
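One way to write such a middleware, as an added example rather than code from the original article. The class name EnsureUserIsActive, the 'active' alias and the error message are assumptions; is_active is the column from Tip 9. Because credentials() is only consulted at login, this check also ends sessions that were opened before the account was deactivated.

```php
<?php
// app/Http/Middleware/EnsureUserIsActive.php (added example, hypothetical name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class EnsureUserIsActive
{
    /**
     * Reject requests from authenticated users whose account is disabled.
     */
    public function handle($request, Closure $next)
    {
        $user = Auth::user();

        // Guests pass through; the "auth" middleware decides about them.
        if ($user !== null && ! $user->is_active) {
            // End the session completely so the old session ID and CSRF
            // token cannot be reused after the account was switched off.
            Auth::logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->route('login')->withErrors([
                'email' => 'This account has been deactivated.',
            ]);
        }

        return $next($request);
    }
}

// Registration (app/Http/Kernel.php, alias name is an assumption):
//
//     protected $routeMiddleware = [
//         // ...
//         'active' => \App\Http\Middleware\EnsureUserIsActive::class,
//     ];
//
// Usage on protected routes:
//
//     Route::middleware(['auth', 'active'])->group(function () {
//         Route::get('/secrets', 'SecretsController@show');
//     });
```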
