Overview

The authentication system is built using Laravel Breeze and provides a complete authentication scaffold including login, password reset, email verification, and session management.
Registration routes are currently disabled in this application. New users must be created through the admin panel.

Guest Routes

These routes are only accessible to unauthenticated users. Authenticated users will be redirected away from these routes. Middleware: guest

Login Routes

Display Login Form

Route::get('login', [AuthenticatedSessionController::class, 'create'])
    ->name('login');
  • Method: GET
  • URI: /login
  • Route Name: login
  • Controller: AuthenticatedSessionController@create
  • Description: Display the login form
Response: Returns the login view with email and password fields.

Process Login

Route::post('login', [AuthenticatedSessionController::class, 'store']);
  • Method: POST
  • URI: /login
  • Route Name: (none)
  • Controller: AuthenticatedSessionController@store
  • Description: Authenticate user and create session
Request Parameters:
  • email (string, required) - User’s email address
  • password (string, required) - User’s password
  • remember (boolean, optional) - Remember me checkbox
Response:
  • Success: Redirect to intended page or dashboard
  • Failure: Redirect back with validation errors

Registration Routes (Disabled)

Registration routes are currently commented out. Users must be created by administrators through the admin panel.
// Route::get('register', [RegisteredUserController::class, 'create'])
//     ->name('register');

// Route::post('register', [RegisteredUserController::class, 'store']);
If you need to enable registration, uncomment these routes in routes/auth.php.

Password Reset Routes

// Route::get('forgot-password', [PasswordResetLinkController::class, 'create'])
//     ->name('password.request');

// Route::post('forgot-password', [PasswordResetLinkController::class, 'store'])
//     ->name('password.email');
Password reset request routes are currently commented out. Contact your administrator for password resets.

Reset Password Form

Route::get('reset-password/{token}', [NewPasswordController::class, 'create'])
    ->name('password.reset');
  • Method: GET
  • URI: /reset-password/{token}
  • Route Name: password.reset
  • Controller: NewPasswordController@create
  • Description: Display password reset form
URL Parameters:
  • token (string) - Password reset token from email
Query Parameters:
  • email (string) - User’s email address

Process Password Reset

Route::post('reset-password', [NewPasswordController::class, 'store'])
    ->name('password.store');
  • Method: POST
  • URI: /reset-password
  • Route Name: password.store
  • Controller: NewPasswordController@store
  • Description: Reset user password
Request Parameters:
  • token (string, required) - Password reset token
  • email (string, required) - User’s email address
  • password (string, required) - New password
  • password_confirmation (string, required) - Password confirmation
Response:
  • Success: Redirect to login with success message
  • Failure: Redirect back with validation errors

Authenticated Routes

These routes require authentication and are only accessible to logged-in users. Middleware: auth

Email Verification Routes

Email Verification Notice

Route::get('verify-email', [EmailVerificationPromptController::class, '__invoke'])
    ->name('verification.notice');
  • Method: GET
  • URI: /verify-email
  • Route Name: verification.notice
  • Controller: EmailVerificationPromptController@__invoke
  • Description: Display email verification notice
Purpose: Shows a notice to users who have not yet verified their email address.

Verify Email

Route::get('verify-email/{id}/{hash}', [VerifyEmailController::class, '__invoke'])
    ->middleware(['signed', 'throttle:6,1'])
    ->name('verification.verify');
  • Method: GET
  • URI: /verify-email/{id}/{hash}
  • Route Name: verification.verify
  • Controller: VerifyEmailController@__invoke
  • Middleware: signed, throttle:6,1
  • Description: Verify user’s email address
URL Parameters:
  • id (integer) - User ID
  • hash (string) - Verification hash
Additional Middleware:
  • signed - Ensures the URL has a valid signature
  • throttle:6,1 - Limits to 6 attempts per minute
Response:
  • Success: Redirect to dashboard
  • Failure: Redirect to verification notice

Resend Verification Email

Route::post('email/verification-notification', [EmailVerificationNotificationController::class, 'store'])
    ->middleware('throttle:6,1')
    ->name('verification.send');
  • Method: POST
  • URI: /email/verification-notification
  • Route Name: verification.send
  • Controller: EmailVerificationNotificationController@store
  • Middleware: throttle:6,1
  • Description: Resend verification email
Additional Middleware:
  • throttle:6,1 - Limits to 6 attempts per minute
Response:
  • Success: Redirect back with status message
  • Already verified: Redirect to dashboard

Password Confirmation Routes

Show Password Confirmation Form

Route::get('confirm-password', [ConfirmablePasswordController::class, 'show'])
    ->name('password.confirm');
  • Method: GET
  • URI: /confirm-password
  • Route Name: password.confirm
  • Controller: ConfirmablePasswordController@show
  • Description: Display password confirmation form
Purpose: Used before sensitive operations to confirm the user’s identity.

Process Password Confirmation

Route::post('confirm-password', [ConfirmablePasswordController::class, 'store']);
  • Method: POST
  • URI: /confirm-password
  • Route Name: (none)
  • Controller: ConfirmablePasswordController@store
  • Description: Confirm user’s password
Request Parameters:
  • password (string, required) - User’s current password
Response:
  • Success: Redirect to intended page
  • Failure: Redirect back with validation errors

Update Password Route

Route::put('password', [PasswordController::class, 'update'])->name('password.update');
  • Method: PUT
  • URI: /password
  • Route Name: password.update
  • Controller: PasswordController@update
  • Description: Update user’s password
Request Parameters:
  • current_password (string, required) - User’s current password
  • password (string, required) - New password
  • password_confirmation (string, required) - Password confirmation
Response:
  • Success: Redirect back with success message
  • Failure: Redirect back with validation errors

Logout Route

Route::post('logout', [AuthenticatedSessionController::class, 'destroy'])
    ->name('logout');
  • Method: POST
  • URI: /logout
  • Route Name: logout
  • Controller: AuthenticatedSessionController@destroy
  • Description: Log user out and destroy session
Response: Redirect to login page
Security Note: Logout is a POST request so that the CSRF token check applies to it; a plain GET logout link could otherwise be triggered from another site.

Authentication Flow

  1. User Login: The user submits email and password via POST to /login. Laravel authenticates the credentials and creates a session.
  2. Email Verification: If the email is not verified, the user is redirected to the /verify-email notice and must click the verification link sent to their email.
  3. Access Protected Routes: Authenticated and verified users can access routes protected by the auth and verified middleware.
  4. Session Management: Laravel maintains the user session. The session expires after inactivity or when the user logs out.

Middleware Details

Guest Middleware

Route::middleware('guest')->group(function () {
    // Login, registration, password reset routes
});
The guest middleware:
  • Allows only unauthenticated users
  • Redirects authenticated users to the dashboard
  • Applied to login and registration routes

Auth Middleware

Route::middleware('auth')->group(function () {
    // Email verification, password management, logout routes
});
The auth middleware:
  • Requires user authentication
  • Redirects unauthenticated users to login page
  • Applied to all protected routes
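As an added example (not this project's routes/web.php), the following route group consumes the middleware described above: auth and verified gate the dashboard, and the password.confirm middleware alias places a destructive action behind the GET and POST /confirm-password routes documented earlier. DashboardController and AccountController are hypothetical names.

```php
<?php
// routes/web.php (added example, not the project's own file).
// DashboardController and AccountController are hypothetical controllers.

use App\Http\Controllers\AccountController;
use App\Http\Controllers\DashboardController;
use Illuminate\Support\Facades\Route;

// Step 3 of the authentication flow: `auth` sends anonymous visitors to the
// login route; `verified` sends logged-in users whose email is unverified to
// verification.notice instead of letting them reach the dashboard.
Route::middleware(['auth', 'verified'])->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index'])
        ->name('dashboard');

    // Sensitive operations get a fresh password prompt. `password.confirm`
    // redirects to GET /confirm-password, and after POST /confirm-password
    // succeeds the user returns to the intended URL. The confirmation is
    // cached for auth.password_timeout seconds (default 10800, i.e. 3 hours).
    Route::middleware('password.confirm')->group(function () {
        Route::delete('/account', [AccountController::class, 'destroy'])
            ->name('account.destroy');
    });
});
```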

Signed Middleware

Used on email verification routes to ensure URLs have valid signatures:
->middleware(['signed', 'throttle:6,1'])

Throttle Middleware

Rate limits requests to prevent abuse:
->middleware('throttle:6,1')  // 6 attempts per 1 minute
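To make the signed and throttle middleware concrete, this added example (not code from the page or from Breeze) builds a verification link the way the framework's VerifyEmail notification does and then shows what the signed middleware accepts and rejects. It assumes $user is an instance of the application's User model and can be pasted into php artisan tinker.

```php
<?php
// Added example: how the verify-email link is produced and what `signed` verifies.
// Assumes $user is an instance of the app's User model (e.g. in `php artisan tinker`).

use Illuminate\Http\Request;
use Illuminate\Support\Facades\URL;

// The VerifyEmail notification builds the link like this: the route parameters
// `id` and `hash` (sha1 of the user's email) plus an `expires` timestamp
// (auth.verification.expire, default 60 minutes) are HMAC-SHA256 signed with
// APP_KEY and the digest is appended as a `signature` query parameter.
$link = URL::temporarySignedRoute(
    'verification.verify',
    now()->addMinutes(config('auth.verification.expire', 60)),
    ['id' => $user->getKey(), 'hash' => sha1($user->getEmailForVerification())]
);

// The `signed` middleware recomputes the HMAC over the incoming URL without its
// `signature` parameter, compares the two with hash_equals(), and also requires
// `expires` to lie in the future. The untouched link passes this check.
$clean = Request::create($link);
$cleanAccepted = $clean->hasValidSignature();

// Re-pointing the link at another user id (or editing `hash` or `expires`)
// changes the signed input, so the recomputed digest no longer matches and the
// request is rejected with HTTP 403 (InvalidSignatureException) before the
// controller runs. An expired link fails the same check.
$tampered = Request::create(
    str_replace("/verify-email/{$user->getKey()}/", '/verify-email/999/', $link)
);
$tamperedAccepted = $tampered->hasValidSignature();

// Two further layers sit on top of the signature: the route is under `auth`,
// and VerifyEmailController only marks the *currently logged-in* user verified
// when id and hash match that user; throttle:6,1 then caps attempts at six per
// minute (keyed by user id when authenticated, otherwise by client IP).
```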

Session Configuration

Laravel Breeze uses session-based authentication:
  • Driver: Configured in config/session.php
  • Lifetime: Default 120 minutes
  • Remember Me: Extends session to 2 weeks
  • CSRF Protection: All POST routes require CSRF token
Always include the @csrf directive in your forms to prevent CSRF attacks:
<form method="POST" action="{{ route('login') }}">
    @csrf
    <!-- form fields -->
</form>
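The session settings listed above live in config/session.php. The fragment below is an added example of a hardened configuration, not this project's file; only the security-relevant keys are shown, and the stock file reads most values from .env.

```php
<?php
// config/session.php (fragment) - added example, not this project's file.
// Only the security-relevant keys are shown; the stock file has more.

return [
    // A server-side store (database, redis) lets an administrator invalidate a
    // session by deleting its record; the `cookie` driver keeps the whole
    // session client-side, where it cannot be revoked centrally.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Idle lifetime in minutes; 120 is the default quoted above. Remember-me
    // logins use a separate recaller cookie and are not bound by this value.
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

    // Weak:   'secure' => false  -> the session cookie is also sent over plain HTTP.
    // Better: set SESSION_SECURE_COOKIE=true in production so the browser only
    //         attaches the cookie to HTTPS requests.
    'secure' => env('SESSION_SECURE_COOKIE', false),

    // Keeps scripts from reading the session cookie; leave this true.
    'http_only' => true,

    // 'lax' (the framework default) already stops the browser from attaching the
    // session cookie to cross-site POSTs, so the @csrf token is a second layer
    // rather than the only one. 'strict' is tighter but also withholds the
    // cookie on top-level navigations arriving from other sites.
    'same_site' => 'lax',
];
```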

Common Authentication Examples

Login Form Example

<form method="POST" action="{{ route('login') }}">
    @csrf
    
    <input type="email" name="email" value="{{ old('email') }}" required>
    @error('email')
        <span>{{ $message }}</span>
    @enderror
    
    <input type="password" name="password" required>
    @error('password')
        <span>{{ $message }}</span>
    @enderror
    
    <input type="checkbox" name="remember">
    
    <button type="submit">Log in</button>
</form>

Logout Form Example

<form method="POST" action="{{ route('logout') }}">
    @csrf
    <button type="submit">Log Out</button>
</form>

Checking Authentication in Controllers

use Illuminate\Support\Facades\Auth;

// Check if user is authenticated
if (Auth::check()) {
    // User is authenticated
}

// Get authenticated user
$user = Auth::user();

// Get user ID
$userId = Auth::id();

Protecting Routes in Blade Templates

@auth
    <!-- Shown only to authenticated users -->
@endauth

@guest
    <!-- Shown only to guests -->
@endguest

Security Best Practices

CSRF Protection

All POST, PUT, PATCH, and DELETE requests must include a CSRF token using the @csrf directive.

Password Hashing

Passwords are automatically hashed using bcrypt. Never store plain text passwords.

Rate Limiting

Sensitive routes like email verification and password reset are rate limited to prevent abuse.

Signed URLs

Email verification links use signed URLs to prevent tampering.

Troubleshooting

Users cannot log in

Common causes:
  • Incorrect credentials
  • Email not verified (check the verified middleware requirement)
  • Account disabled or deleted
  • Session configuration issues
Solution: Check the user’s status in the admin panel and confirm whether their email is verified.

Email verification not working

Common causes:
  • Email not configured properly in .env
  • Mail queue not running
  • Message landed in the spam folder
  • Signed URL expired
Solution:
  1. Check the mail configuration in .env
  2. Run php artisan queue:work if using a queue
  3. Manually verify the user in the database if needed

Sessions expire too quickly

Solution:
  1. Increase the session lifetime in config/session.php
  2. Ensure the user checks “Remember Me” during login
  3. Check that the server clock is synchronized

CSRF token mismatch

Common causes:
  • Missing @csrf directive in the form
  • Session expired
  • Multiple browser tabs
Solution:
  1. Add @csrf to all forms
  2. Increase the session lifetime
  3. Clear browser cookies and cache
