
Overview

SYNTIweb uses Laravel Breeze with session-based authentication. All authentication endpoints use Laravel’s built-in session management with CSRF token protection. The system provides:
  • User registration and login
  • Password reset functionality
  • Email verification
  • Session management
  • Rate limiting on authentication attempts

Authentication Type

Session-based authentication using Laravel’s web guard with database session storage.
Session driver (string, default: "database"): sessions are stored in the sessions database table by default
Session lifetime (integer, default: 120): idle timeout in minutes (2 hours). The expiry is pushed forward on every request, so an active user is not logged out at the 2-hour mark; only 2 hours without a request ends the session
Cookie name: {APP_NAME}-session (e.g., syntiweb-session)

CSRF Protection

All state-changing requests (POST, PUT, PATCH, DELETE) require a valid CSRF token. Laravel’s VerifyCsrfToken middleware enforces this automatically for every route in the web middleware group; a missing or mismatched token is answered with HTTP 419.

Getting a CSRF Token

CSRF tokens are automatically included in forms when using Blade templates. For JavaScript applications:
// The CSRF token is available in the page meta tag rendered by the Blade layout
const token = document.querySelector('meta[name="csrf-token"]').content;

// Include it in fetch requests. The token is bound to the session that issued
// it, so the session cookie must travel with the request; a mismatch is a 419.
fetch('/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Accept': 'application/json',   // failures come back as JSON (422) instead of a redirect
    'X-CSRF-TOKEN': token
  },
  credentials: 'include',
  body: JSON.stringify({
    email: 'user@example.com',
    password: 'password'
  })
});

Registration

Create a new user account. Endpoint: POST /register Middleware: guest (unauthenticated users only)

Request Parameters

name (string, required): user’s full name (max 255 characters)
email (string, required): user’s email address (must be unique, lowercase, valid email format)
password (string, required): user’s password, validated with Laravel’s Rules\Password::defaults(), which enforces a minimum of 8 characters unless the application customizes the rule
password_confirmation (string, required): must match password
industry_segment (string, required): business industry segment. Must be one of:
  • FOOD_BEVERAGE
  • RETAIL
  • HEALTH_WELLNESS
  • PROFESSIONAL_SERVICES
  • ON_DEMAND

Example Request

# The token must come from a page served with the same session cookie
# (e.g. GET /register with --cookie-jar cookies.txt first); a token sent
# without its session cookie is rejected with 419.
curl -X POST https://app.syntiweb.com/register \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt --cookie-jar cookies.txt \
  -d '{
    "name": "John Doe",
    "email": "john@example.com",
    "password": "SecurePassword123!",
    "password_confirmation": "SecurePassword123!",
    "industry_segment": "RETAIL"
  }'

Response

redirect (string): redirects to /dashboard on success
session (object): session data including:
  • Authenticated user session
  • pending_industry_segment stored for tenant creation flow

Implementation Details

The registration process (routes/auth.php:15-18, app/Http/Controllers/Auth/RegisteredUserController.php:32-55):
  1. Validates input fields
  2. Creates user with hashed password
  3. Stores industry_segment in session for tenant setup
  4. Fires Registered event
  5. Automatically logs in the user
  6. Redirects to dashboard
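The six steps above can be pinned down with a feature test. The following is an added example, not part of SYNTIweb or Laravel Breeze: it assumes the route paths, the pending_industry_segment session key and the industry_segment values listed on this page, the default App\Models\User factory, and a sqlite test database as set up by a stock Laravel phpunit.xml.

```php
<?php

// Added example (not SYNTIweb code): feature test for the registration flow.
// Assumes the /register and /dashboard routes, the pending_industry_segment
// session key and the segment values documented above.

namespace Tests\Feature\Auth;

use App\Models\User;
use Illuminate\Auth\Events\Registered;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class RegistrationTest extends TestCase
{
    use RefreshDatabase;

    // Constructed sample payload; example.com is reserved for documentation.
    private array $payload = [
        'name' => 'Jane Doe',
        'email' => 'jane@example.com',
        'password' => 'SecurePassword123!',
        'password_confirmation' => 'SecurePassword123!',
        'industry_segment' => 'RETAIL',
    ];

    public function test_registration_creates_user_logs_in_and_redirects(): void
    {
        Event::fake([Registered::class]);

        $response = $this->post('/register', $this->payload);

        // Steps 5 and 6: the user is logged in and sent to the dashboard.
        $response->assertRedirect('/dashboard');
        $this->assertAuthenticated();

        // Step 2: only a hash is stored, never the plaintext.
        $user = User::where('email', 'jane@example.com')->firstOrFail();
        $this->assertNotSame('SecurePassword123!', $user->password);
        $this->assertTrue(Hash::check('SecurePassword123!', $user->password));

        // Step 3: the segment is parked in the session for tenant setup.
        $response->assertSessionHas('pending_industry_segment', 'RETAIL');

        // Step 4: the Registered event fires (this is what triggers the
        // verification email).
        Event::assertDispatched(
            Registered::class,
            fn (Registered $event) => $event->user->is($user)
        );
    }

    public function test_invalid_segment_and_duplicate_email_are_rejected(): void
    {
        User::factory()->create(['email' => 'jane@example.com']);

        // Array union keeps the left-hand key, so this overrides the segment.
        $this->postJson('/register', ['industry_segment' => 'CRYPTO'] + $this->payload)
            ->assertStatus(422)
            ->assertJsonValidationErrors(['email', 'industry_segment']);

        // Step 1 failed, so nothing after it may have happened.
        $this->assertGuest();
        $this->assertSame(1, User::count());
    }

    public function test_authenticated_users_cannot_reach_the_form(): void
    {
        $user = User::factory()->create();

        // The guest middleware turns logged-in visitors away from /register.
        $this->actingAs($user)->get('/register')->assertRedirect('/dashboard');
    }
}
```

Run it with `php artisan test --filter RegistrationTest`. The second test is the one worth keeping an eye on: a validation failure must leave no user row and no session behind, otherwise a half-registered account with an unchecked industry_segment could exist.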

Login

Authenticate an existing user. Endpoint: POST /login Middleware: guest (unauthenticated users only)

Request Parameters

email (string, required): user’s email address
password (string, required): user’s password
remember (boolean, default: false): enable “remember me”. This does not lengthen the session itself; it sets a separate long-lived remember-me cookie (valid for five years) carrying the user’s remember_token, which silently re-authenticates the browser after the session has expired. Treat that cookie as a credential stored in the browser.

Example Request

curl -X POST https://app.syntiweb.com/login \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt --cookie-jar cookies.txt \
  -d '{
    "email": "john@example.com",
    "password": "SecurePassword123!",
    "remember": true
  }'

Response

redirect (string): redirects to the intended URL or /dashboard on success
session (object): authenticated user session with regenerated session ID

Rate Limiting

Login attempts are rate-limited to prevent brute force attacks (app/Http/Requests/Auth/LoginRequest.php:62-78):
max_attempts (integer, default: 5): failed attempts allowed before the key is locked
throttle_key (string): the lowercased email address joined with the client IP address, so each email+IP pair is counted on its own
After 5 failed attempts the key stays locked until the 60-second decay window since the last attempt has elapsed. The check runs before the password is compared, so the correct password is refused as well while locked; a successful login clears the counter. Because the IP is part of the key, an attacker rotating source addresses, or spraying one password across many emails from one address, is not slowed by this limiter alone; add a per-IP or global limit if that threat matters.

Example Error Response

When the request asks for JSON (Accept: application/json) a throttled attempt is a 422 validation error; message mirrors the first error, and the email entry carries the throttle text:
{
  "message": "Too many login attempts. Please try again in 60 seconds.",
  "errors": {
    "email": [
      "Too many login attempts. Please try again in 60 seconds."
    ]
  }
}
A wrong password below the limit has the same shape with “These credentials do not match our records.” in both places. Browser form posts instead get a redirect back to the form with the errors flashed to the session.
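The lockout behaviour is easy to get subtly wrong when the limiter is customised, so it is worth a test of its own. This is an added example, not SYNTIweb code; it assumes Breeze’s stock LoginRequest (5 attempts, 60-second decay, the error wording shown above), the default User factory, the hashed password cast on App\Models\User, and the array cache store that a stock phpunit.xml configures.

```php
<?php

// Added example (not SYNTIweb code): feature test for the login throttle.
// Assumes Breeze's LoginRequest defaults and the array cache store used in
// tests, which honours the time travel below.

namespace Tests\Feature\Auth;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class LoginThrottleTest extends TestCase
{
    use RefreshDatabase;

    // Accept: application/json turns failures into 422 JSON instead of a
    // redirect with flashed errors, which is easier to assert on.
    private function attempt(User $user, string $password)
    {
        return $this->postJson('/login', [
            'email' => $user->email,
            'password' => $password,
        ]);
    }

    public function test_sixth_attempt_is_locked_out_even_with_correct_password(): void
    {
        // Plaintext here is hashed by the User model's 'hashed' cast.
        $user = User::factory()->create(['password' => 'correct-horse-battery']);

        for ($i = 0; $i < 5; $i++) {
            $this->attempt($user, 'wrong-password')
                ->assertStatus(422)
                ->assertJsonValidationErrors(['email' => 'These credentials do not match']);
        }

        // Attempt 6: the limiter answers before the password is compared,
        // so the right password is refused too.
        $this->attempt($user, 'correct-horse-battery')
            ->assertStatus(422)
            ->assertJsonValidationErrors(['email' => 'Too many login attempts']);
        $this->assertGuest();

        // Once the 60-second decay window has passed the counter expires.
        $this->travel(61)->seconds();
        $this->attempt($user, 'correct-horse-battery')->assertRedirect('/dashboard');
        $this->assertAuthenticated();
    }

    public function test_lockout_is_scoped_to_the_email_and_ip_pair(): void
    {
        $victim = User::factory()->create();
        $other  = User::factory()->create(['password' => 'other-password']);

        for ($i = 0; $i < 5; $i++) {
            $this->attempt($victim, 'wrong-password')->assertStatus(422);
        }

        // Same IP, different email: a different throttle key, so no lockout.
        $this->attempt($other, 'other-password')->assertRedirect('/dashboard');
    }
}
```

The second test documents the limiter’s scope rather than a weakness: it shows why a per-email+IP counter alone does not stop password spraying, which is the case to cover with an additional limiter if it matters for the deployment.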

Logout

Destroy the authenticated session. Endpoint: POST /logout Middleware: auth (authenticated users only)

Example Request

curl -X POST https://app.syntiweb.com/logout \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt

Response

redirect (string): redirects to / (homepage)

Implementation Details

The logout process (app/Http/Controllers/Auth/AuthenticatedSessionController.php:39-48):
  1. Logs out the user from the web guard
  2. Invalidates the session
  3. Regenerates the CSRF token
  4. Redirects to homepage

Password Reset

Send a password reset link to the user’s email. Endpoint: POST /forgot-password Middleware: guest

Request Parameters

email (string, required): user’s email address

Example Request

curl -X POST https://app.syntiweb.com/forgot-password \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt --cookie-jar cookies.txt \
  -d '{
    "email": "john@example.com"
  }'

Response

status (string): success message: “We have emailed your password reset link!”

Reset Password

Reset the user’s password using the token from the email. Endpoint: POST /reset-password Middleware: guest

Request Parameters

token (string, required): password reset token from the email link
email (string, required): user’s email address
password (string, required): new password (must meet Laravel’s password requirements)
password_confirmation (string, required): must match password

Example Request

curl -X POST https://app.syntiweb.com/reset-password \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt --cookie-jar cookies.txt \
  -d '{
    "token": "reset-token-from-email",
    "email": "john@example.com",
    "password": "NewSecurePassword123!",
    "password_confirmation": "NewSecurePassword123!"
  }'

Response

redirect (string): redirects to /login with success status

Configuration

Password reset tokens expire after 60 minutes (config/auth.php:97).

Update Password

Update the password for an authenticated user. Endpoint: PUT /password Middleware: auth (authenticated users only)

Request Parameters

current_password (string, required): user’s current password
password (string, required): new password (must meet Laravel’s password requirements)
password_confirmation (string, required): must match password

Example Request

curl -X PUT https://app.syntiweb.com/password \
  -H "Content-Type: application/json" \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt \
  -d '{
    "current_password": "OldPassword123!",
    "password": "NewSecurePassword123!",
    "password_confirmation": "NewSecurePassword123!"
  }'

Response

status (string): returns “password-updated” on success

Email Verification

Check Verification Status

Display the email verification prompt. Endpoint: GET /verify-email Middleware: auth

Verify Email

Verify the user’s email address using the signed URL from the verification email. Endpoint: GET /verify-email/{id}/{hash} Middleware: auth, signed, throttle:6,1

URL Parameters

id (integer, required): user ID; must equal the ID of the currently authenticated user
hash (string, required): SHA-1 hash of the user’s email address, compared in constant time against the authenticated user’s email. Both parameters are covered by the URL signature, so neither can be edited without invalidating the link, and the signature expires (60 minutes by default).

Rate Limiting

Limited to 6 attempts per minute.
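The three checks on the verification link (signature, hash, and user identity) are best verified with a test that tries to break each one. This is an added example and not SYNTIweb code; it assumes Breeze’s route name verification.verify, the SHA-1-of-email hash that Laravel’s VerifyEmail notification generates, the default User factory with its unverified() state, and the ?verified=1 redirect that Breeze’s VerifyEmailController issues.

```php
<?php

// Added example (not SYNTIweb code): feature test for the signed verification
// URL. Assumes the route name verification.verify and a sha1(email) hash, as
// produced by Laravel's VerifyEmail notification.

namespace Tests\Feature\Auth;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\URL;
use Tests\TestCase;

class EmailVerificationTest extends TestCase
{
    use RefreshDatabase;

    // Builds the same kind of link the verification email contains.
    private function verifyUrl(User $user, string $hash, int $minutes = 60): string
    {
        return URL::temporarySignedRoute(
            'verification.verify',
            now()->addMinutes($minutes),
            ['id' => $user->id, 'hash' => $hash],
        );
    }

    public function test_valid_signed_link_verifies_the_authenticated_user(): void
    {
        $user = User::factory()->unverified()->create();

        $this->actingAs($user)
            ->get($this->verifyUrl($user, sha1($user->email)))
            ->assertRedirect('/dashboard?verified=1');

        $this->assertNotNull($user->fresh()->email_verified_at);
    }

    public function test_tampered_expired_and_foreign_links_are_rejected(): void
    {
        $user = User::factory()->unverified()->create();
        $other = User::factory()->unverified()->create();

        // Hash of a different email: the EmailVerificationRequest
        // authorization check fails (403).
        $this->actingAs($user)
            ->get($this->verifyUrl($user, sha1('someone-else@example.com')))
            ->assertForbidden();

        // Correct hash, signature already expired: the signed middleware
        // rejects it (403).
        $this->actingAs($user)
            ->get($this->verifyUrl($user, sha1($user->email), minutes: -1))
            ->assertForbidden();

        // A genuine link for $user opened while logged in as $other: the id
        // in the URL must match the authenticated user (403).
        $this->actingAs($other)
            ->get($this->verifyUrl($user, sha1($user->email)))
            ->assertForbidden();

        // Editing the id in a signed URL breaks the signature (403).
        $url = $this->verifyUrl($user, sha1($user->email));
        $this->actingAs($user)
            ->get(str_replace('/verify-email/', '/verify-email/9', $url))
            ->assertForbidden();

        // None of the above may have flipped the flag.
        $this->assertNull($user->fresh()->email_verified_at);
        $this->assertNull($other->fresh()->email_verified_at);
    }
}
```

The last assertion is the one that matters: every rejected path must leave email_verified_at untouched for both accounts, which is what stops one user from confirming another user’s address.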

Resend Verification Email

Send a new verification email to the user. Endpoint: POST /email/verification-notification Middleware: auth, throttle:6,1

Example Request

curl -X POST https://app.syntiweb.com/email/verification-notification \
  -H "X-CSRF-TOKEN: your-csrf-token" \
  --cookie cookies.txt

Rate Limiting

Limited to 6 attempts per minute.

Middleware & Protected Routes

Authentication Middleware

To protect routes, use the auth middleware:
// In routes/web.php
use App\Http\Controllers\DashboardController;
use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Route;

// Unauthenticated requests are redirected to the route named "login"
// (or answered with 401 JSON when the request asks for application/json).
// Add 'verified' alongside 'auth' for pages that need a verified email.
Route::middleware('auth')->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index'])->name('dashboard');
    Route::get('/profile', [ProfileController::class, 'show'])->name('profile');
});

Middleware Configuration

Authentication middleware is automatically configured in Laravel 11 (bootstrap/app.php:14-19).

Guest Middleware

Redirect authenticated users away from guest-only pages:
// routes/auth.php, using the Breeze controllers referenced on this page.
// The "login" route name is required: the auth middleware redirects to it.
use App\Http\Controllers\Auth\AuthenticatedSessionController;
use App\Http\Controllers\Auth\RegisteredUserController;

Route::middleware('guest')->group(function () {
    Route::get('/login', [AuthenticatedSessionController::class, 'create'])->name('login');
    Route::get('/register', [RegisteredUserController::class, 'create'])->name('register');
});

Checking Authentication Status

In controllers or routes:
use Illuminate\Support\Facades\Auth;

// Check if user is authenticated
if (Auth::check()) {
    // User is logged in
}

// Get the authenticated user
$user = Auth::user();

// Get specific user property
$email = Auth::user()->email;

Middleware in Blade Views

@auth
    {{-- User is authenticated --}}
    <p>Welcome, {{ Auth::user()->name }}</p>
@endauth

@guest
    {{-- User is not authenticated --}}
    <a href="/login">Login</a>
@endguest

Session Management

Session Configuration

Sessions are configured in config/session.php:
driver (string, default: "database"): session storage driver
lifetime (integer, default: 120): session lifetime in minutes
expire_on_close (boolean, default: false): expire session when browser closes
encrypt (boolean, default: false): encrypt session data
http_only (boolean, default: true): prevent JavaScript access to session cookie
same_site (string, default: "lax"): SameSite cookie attribute for CSRF protection

Session Regeneration

Sessions are automatically regenerated on login to prevent session fixation attacks (app/Http/Controllers/Auth/AuthenticatedSessionController.php:31).

Accessing Session Data

// Store data in session
session(['key' => 'value']);

// Retrieve data from session
$value = session('key');

// Check if session has key
if (session()->has('key')) {
    //
}

// Flash data (available only for next request)
session()->flash('status', 'Profile updated!');

Security Considerations

CSRF Protection

All POST, PUT, PATCH, and DELETE requests must include a valid CSRF token, either as a _token form field, an X-CSRF-TOKEN header, or an X-XSRF-TOKEN header carrying the value of the XSRF-TOKEN cookie. Laravel verifies it with the VerifyCsrfToken middleware on every route in the web middleware group; routes in the api group and any URIs listed in that middleware’s exclusions are not checked, so the authentication routes must stay in the web group.

Password Requirements

Passwords are validated with Laravel’s Rules\Password::defaults():
  • Minimum 8 characters out of the box (configurable per application)
  • Letter, mixed-case, number, symbol and breached-password checks exist on the same rule but apply only if the application opts in
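Because Breeze validates registration, password reset and password update through Rules\Password::defaults(), one override in the application service provider tightens all three at once. The following is an added example of that override, not SYNTIweb’s actual configuration; the chosen limits (12 characters, character classes, breach check in production only) are assumptions to adjust per policy.

```php
<?php

// Added example (not SYNTIweb configuration): one place to strengthen the
// password rule that registration, reset and update all validate against.
// The specific limits below are illustrative.

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Validation\Rules\Password;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Password::defaults(function () {
            $rule = Password::min(12)   // raise the floor from the stock 8
                ->letters()
                ->mixedCase()
                ->numbers()
                ->symbols();

            // uncompromised() checks the password against known breach data
            // using a k-anonymity range lookup (only a hash prefix leaves the
            // server). Limited to production so tests and local development
            // do not need outbound network access.
            return $this->app->isProduction()
                ? $rule->uncompromised()
                : $rule;
        });
    }
}
```

The error text for each failed rule comes from the validation language file, so no controller change is needed; the 422 responses described on this page simply gain the extra messages.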

Rate Limiting

  • Login: 5 failed attempts per email+IP combination, 60-second decay, counter cleared on successful login
  • Email verification (verify link and resend): 6 requests per minute, keyed per authenticated user
  • Password reset: one reset email per user per 60 seconds (the throttle value in config/auth.php)

Session Security

  • HttpOnly cookies keep the session ID out of reach of JavaScript, so an XSS bug cannot read and exfiltrate it (it does not prevent XSS itself, nor stop injected script from issuing requests that carry the cookie)
  • SameSite=lax keeps the cookie off cross-site POSTs, a second layer alongside the CSRF token
  • Session ID regenerated on login
  • Session invalidated on logout
  • The cookie’s Secure flag is not set by default; set SESSION_SECURE_COOKIE=true in production so it is never sent over plain HTTP

Additional Security

  • Content Security Policy middleware enabled (bootstrap/app.php:15)
  • Passwords hashed using bcrypt
  • Remember tokens regenerated on password reset

Authentication Guard

SYNTIweb uses the default web guard configured for session-based authentication (config/auth.php:38-43):
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
],
The user provider uses Eloquent with the App\Models\User model.

Common Integration Examples

JavaScript/Fetch Example

// Include CSRF token in all requests
const csrfToken = document.querySelector('meta[name="csrf-token"]').content;

// Login request. On success Breeze answers with a redirect that fetch follows,
// so the final response is the dashboard HTML. Failures are JSON because of
// the Accept header: 422 (validation or throttle), 419 (CSRF token mismatch).
async function login(email, password) {
  const response = await fetch('/login', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRF-TOKEN': csrfToken,
      'Accept': 'application/json'
    },
    credentials: 'include', // Important for cookies
    body: JSON.stringify({ email, password })
  });

  if (response.status === 422) {
    const { errors } = await response.json();
    throw new Error(errors.email?.[0] ?? 'Login failed');
  }
  if (response.status === 419) {
    throw new Error('CSRF token mismatch: reload the page to obtain a fresh token');
  }
  if (!response.ok) {
    throw new Error(`Unexpected status ${response.status}`);
  }
  // e.g. "https://app.syntiweb.com/dashboard" after the redirect
  return response.redirected ? response.url : null;
}

// Authenticated request. /dashboard is a Blade view, so read it as text.
// An expired session is redirected to /login, which fetch follows silently.
async function fetchDashboard() {
  const response = await fetch('/dashboard', {
    credentials: 'include' // Include session cookie
  });

  if (response.redirected && new URL(response.url).pathname === '/login') {
    throw new Error('Session expired');
  }
  return response.text();
}

Axios Example

// Configure Axios to include CSRF token and credentials
import axios from 'axios';

// withCredentials matters only for cross-origin calls; same-origin requests
// send the session cookie regardless.
axios.defaults.withCredentials = true;
axios.defaults.headers.common['X-CSRF-TOKEN'] =
  document.querySelector('meta[name="csrf-token"]').content;
// Axios also reads Laravel's XSRF-TOKEN cookie and sends it as X-XSRF-TOKEN
// on same-origin requests by itself, so either header satisfies the check.

// Login
await axios.post('/login', {
  email: 'user@example.com',
  password: 'password'
});

// Logout
await axios.post('/logout');

cURL Example with Session Persistence

# Step 1: Get the session cookie and the CSRF token from the same response.
# The token is bound to that session, so the two must always be used together.
TOKEN=$(curl -s -c cookies.txt https://app.syntiweb.com/login \
  | grep -o 'name="csrf-token" content="[^"]*"' \
  | sed 's/.*content="//; s/"$//')

# Step 2: Login with the session cookie (-b sends it, -c records the
# regenerated session ID; the CSRF token itself is unchanged by login).
curl -b cookies.txt -c cookies.txt \
  -X POST https://app.syntiweb.com/login \
  -H "X-CSRF-TOKEN: $TOKEN" \
  -d "email=user@example.com&password=password"

# Step 3: Make authenticated requests
curl -b cookies.txt https://app.syntiweb.com/dashboard

# Step 4: Logout. The session is invalidated server-side and the CSRF token
# regenerated, so replaying cookies.txt or $TOKEN afterwards is refused.
curl -b cookies.txt -X POST https://app.syntiweb.com/logout \
  -H "X-CSRF-TOKEN: $TOKEN"
