VIP2CARS uses Laravel Fortify to handle authentication. Fortify provides the authentication backend only; the package includes no views or frontend scaffolding.

Overview

The authentication system is configured in config/fortify.php:5 and includes:
  • User registration
  • Login with rate limiting
  • Email verification
  • Password reset
  • Two-factor authentication (2FA)
  • Profile management

Fortify Configuration

Authentication Guard

The system uses the standard web guard defined at config/fortify.php:18:
'guard' => 'web',

Username Field

Authentication is performed using email addresses:
'username' => 'email',
'email' => 'email',
'lowercase_usernames' => true,
Usernames (email addresses) are automatically converted to lowercase before storage to ensure consistency.

Home Path

After successful authentication, users are redirected to the dashboard:
'home' => '/dashboard',

User Model

The User model is located at app/Models/User.php:12 and extends Laravel’s Authenticatable class.

Traits

use HasFactory, Notifiable, TwoFactorAuthenticatable;
  • HasFactory: Enables model factories for testing
  • Notifiable: Allows sending notifications to users
  • TwoFactorAuthenticatable: Adds two-factor authentication capabilities

Fillable Fields

protected $fillable = [
    'name',
    'email',
    'password',
];

Hidden Fields

Sensitive data hidden from serialization:
protected $hidden = [
    'password',
    'two_factor_secret',
    'two_factor_recovery_codes',
    'remember_token',
];
These fields are automatically hidden when converting the user model to JSON or arrays to prevent sensitive data exposure.

Field Casting

protected function casts(): array
{
    return [
        'email_verified_at' => 'datetime',
        'password' => 'hashed',
    ];
}

Authentication Features

Registration

User registration is enabled in config/fortify.php:147:
Features::registration(),
Required Fields:
  • Name (string)
  • Email (unique, valid email format)
  • Password (hashed automatically)
New users must verify their email address before accessing protected routes due to the verified middleware.

Login

Login functionality with rate limiting:
'limiters' => [
    'login' => 'login',
    'two-factor' => 'two-factor',
],
Rate Limiting: The default Fortify configuration throttles login attempts to 5 requests per minute per email and IP address combination.
Excessive failed login attempts will result in temporary account lockout to prevent brute force attacks.
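A feature test that checks the throttle described above, added here as an example and not taken from the VIP2CARS code base. The class name, the sample passwords and the second email address are assumptions, as is the 429 response, which assumes the `login` limiter is attached to Fortify's POST /login route through the `limiters` setting.

```php
<?php

namespace Tests\Feature\Auth;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class LoginThrottleTest extends TestCase // hypothetical test class
{
    use RefreshDatabase;

    public function test_sixth_attempt_for_same_email_and_ip_is_rejected(): void
    {
        $user = User::factory()->create();
        $attempt = ['email' => $user->email, 'password' => 'not-the-password'];

        // Attempts 1-5 reach Fortify and fail credential validation.
        for ($i = 1; $i <= 5; $i++) {
            $this->post('/login', $attempt)->assertSessionHasErrors('email');
        }

        // Attempt 6 inside the same minute is stopped by the throttle.
        $this->post('/login', $attempt)->assertStatus(429);

        // Even the correct password is refused while the window is open
        // ('password' is the stock factory default, assumed here).
        $this->post('/login', ['email' => $user->email, 'password' => 'password'])
            ->assertStatus(429);
        $this->assertGuest();
    }

    public function test_throttle_is_scoped_to_the_email_and_ip_pair(): void
    {
        $user = User::factory()->create();

        for ($i = 1; $i <= 6; $i++) {
            $this->post('/login', ['email' => $user->email, 'password' => 'not-the-password']);
        }

        // Same client IP, different email: a separate counter, so no 429 yet.
        $this->post('/login', ['email' => 'other@example.test', 'password' => 'not-the-password'])
            ->assertSessionHasErrors('email');
    }
}
```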

Email Verification

Email verification is required and enabled at config/fortify.php:149:
Features::emailVerification(),
Protected Routes: Routes using the verified middleware (like /dashboard, /clientes, /vehiculos) require email verification:
Route::middleware(['auth', 'verified'])->group(function () {
    Route::view('dashboard', 'dashboard')->name('dashboard');
    Route::resource('clientes', ClienteController::class);
    Route::resource('vehiculos', VehiculoController::class);
});

Password Reset

Password reset functionality is enabled at config/fortify.php:148:
Features::resetPasswords(),
Configuration:
'passwords' => 'users',
The password broker named users handles password reset tokens and notifications.
  1. User requests password reset via email
  2. System sends reset link to registered email
  3. User clicks link and provides new password
  4. Password is hashed and updated in database
  5. User is redirected to dashboard upon success

Two-Factor Authentication

Two-factor authentication (2FA) is enabled with password confirmation at config/fortify.php:150:
Features::twoFactorAuthentication([
    'confirm' => true,
    'confirmPassword' => true,
]),
Configuration Options:
  • confirm: Requires user confirmation to enable 2FA
  • confirmPassword: Requires password confirmation before managing 2FA settings
User Model Support: The TwoFactorAuthenticatable trait at app/Models/User.php:15 provides:
  • QR code generation
  • Recovery code management
  • 2FA challenge handling
Recovery codes are automatically generated when enabling 2FA and should be stored securely by the user.

Middleware Protection

Authentication Middleware

The auth middleware ensures users are logged in:
Route::middleware(['auth'])->group(function () {
    Route::redirect('settings', 'settings/profile');
    Route::livewire('settings/profile', 'pages::settings.profile')->name('profile.edit');
});

Verification Middleware

The verified middleware ensures email addresses are verified:
Route::middleware(['auth', 'verified'])->group(function () {
    // Protected routes here
});
Attempting to access routes protected by the verified middleware without email verification will redirect users to an email verification notice.
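A feature test for the redirect behaviour above, added here as an example and not part of the VIP2CARS code base. It assumes the stock `unverified()` factory state and that the User model implements `MustVerifyEmail`; Laravel's `verified` middleware only blocks users that implement that contract, and the model excerpt on this page does not show it, so the first test checks it explicitly.

```php
<?php

namespace Tests\Feature\Auth;

use App\Models\User;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class VerifiedMiddlewareTest extends TestCase // hypothetical test class
{
    use RefreshDatabase;

    public function test_user_model_opts_in_to_email_verification(): void
    {
        // Without this contract the verified middleware lets every
        // authenticated user through, verified or not.
        $this->assertInstanceOf(MustVerifyEmail::class, new User());
    }

    public function test_unverified_user_is_sent_to_the_verification_notice(): void
    {
        // unverified() is the stock factory state (assumed to exist here).
        $user = User::factory()->unverified()->create();

        foreach (['/dashboard', '/clientes', '/vehiculos'] as $uri) {
            $this->actingAs($user)
                ->get($uri)
                ->assertRedirect(route('verification.notice'));
        }
    }

    public function test_verified_user_reaches_the_dashboard(): void
    {
        // The stock factory sets email_verified_at by default (assumption).
        $user = User::factory()->create();

        $this->actingAs($user)->get('/dashboard')->assertOk();
    }

    public function test_guest_is_sent_to_login_instead(): void
    {
        $this->get('/dashboard')->assertRedirect(route('login'));
    }
}
```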

Profile Management

Profile management routes are defined in routes/settings.php:6:

Profile Settings

Route: /settings/profile
Middleware: auth
Description: Edit user profile information (name, email)

Password Management

Route: /settings/password
Middleware: auth, verified
Description: Change user password

Two-Factor Authentication

Route: /settings/two-factor
Middleware: auth, verified, password.confirm (conditional)
Description: Enable, disable, and manage 2FA settings
Route::livewire('settings/two-factor', 'pages::settings.two-factor')
    ->middleware(
        when(
            Features::canManageTwoFactorAuthentication()
            && Features::optionEnabled(Features::twoFactorAuthentication(), 'confirmPassword'),
            ['password.confirm'],
            [],
        ),
    )
    ->name('two-factor.show');
Password confirmation is conditionally applied based on the Fortify configuration.
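A feature test for the conditional password confirmation on this route, added here as an example and not part of the VIP2CARS code base. The class name is an assumption, as is the `password.confirm` route name, which is the one Fortify registers for its confirmation screen when views are enabled.

```php
<?php

namespace Tests\Feature\Settings;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Fortify\Features;
use Tests\TestCase;

class TwoFactorSettingsAccessTest extends TestCase // hypothetical test class
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // The redirect only applies while confirmPassword is on in config/fortify.php.
        if (! Features::optionEnabled(Features::twoFactorAuthentication(), 'confirmPassword')) {
            $this->markTestSkipped('confirmPassword is disabled.');
        }
    }

    public function test_page_redirects_to_password_confirmation_first(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user)
            ->get(route('two-factor.show'))
            ->assertRedirect(route('password.confirm'));
    }

    public function test_page_loads_once_the_password_was_recently_confirmed(): void
    {
        $user = User::factory()->create();

        // The password.confirm middleware reads this session timestamp.
        $this->actingAs($user)
            ->withSession(['auth.password_confirmed_at' => time()])
            ->get(route('two-factor.show'))
            ->assertOk();
    }

    public function test_guest_cannot_reach_the_page(): void
    {
        $this->get(route('two-factor.show'))->assertRedirect(route('login'));
    }
}
```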

Appearance Settings

Route: /settings/appearance
Middleware: auth, verified
Description: Customize UI preferences (likely theme, display options)

User Utility Methods

The User model includes a custom initials() method at app/Models/User.php:56:
public function initials(): string
{
    return Str::of($this->name)
        ->explode(' ')
        ->take(2)
        ->map(fn ($word) => Str::substr($word, 0, 1))
        ->implode('');
}
Usage:
$user = Auth::user();
echo $user->initials(); // Returns "JD" for "John Doe"
This method is typically used for displaying user avatars or profile badges in the UI.

Security Features

Password Hashing

Passwords are automatically hashed using Laravel’s secure hashing via the hashed cast

Rate Limiting

Login attempts are throttled to 5 per minute per email/IP combination

Email Verification

Required for accessing sensitive features and data

Two-Factor Auth

Optional additional security layer with TOTP authentication

CSRF Protection

All forms protected by Laravel’s CSRF middleware

Remember Token

Secure persistent login sessions with token rotation

Fortify Routes

Fortify automatically registers the following routes with the web middleware:
Method  URI                               Description
GET     /login                            Display login form
POST    /login                            Process login
POST    /logout                           Logout user
GET     /register                         Display registration form
POST    /register                         Process registration
GET     /email/verify                     Email verification notice
GET     /email/verify//                   Verify email address
POST    /email/verification-notification  Resend verification email
GET     /forgot-password                  Display forgot password form
POST    /forgot-password                  Send password reset link
GET     /reset-password/                  Display reset password form
POST    /reset-password                   Process password reset
GET     /two-factor-challenge             Display 2FA challenge
POST    /two-factor-challenge             Verify 2FA code
All Fortify routes use the prefix and middleware defined in config/fortify.php:89 and config/fortify.php:104.
