📌 What is Authentication & Authorization?
- Authentication → Verifying who the user is (register, login, logout)
- Authorization → Checking what an authenticated user is allowed to do (roles, permissions, ownership of a record)
Laravel ships both: session-based authentication with hashed passwords, and Gates/Policies for authorization. The two are separate checks; a logged-in user is not automatically allowed to touch every record.
⚙️ Step 1: Install Laravel Breeze (Simple Authentication)
Laravel Breeze provides minimal authentication scaffolding.
composer require laravel/breeze --dev
php artisan breeze:install
npm install
npm run dev
php artisan migrate
This sets up:
- Registration
- Login
- Password reset
- Email verification (optional)
Visit http://127.0.0.1:8000/register to see the form.
🔹 Step 2: Register Users
Registration form fields:
- Name
- Email
- Password
- Confirm Password
Breeze's RegisteredUserController validates the submitted data before creating the user (the password is hashed, never stored as submitted):
$request->validate([
'name' => 'required|string|max:255',
'email' => 'required|email|unique:users',
'password' => 'required|string|min:8|confirmed'
]);
🔹 Step 3: Login Users
Login form requires:
- Email
- Password
Controller handles login:
use Illuminate\Support\Facades\Auth;

if (Auth::attempt($request->only('email', 'password'))) {
return redirect()->intended('dashboard');
}
Auth::attempt() looks up the user by email and checks the submitted password against the stored bcrypt/argon hash; it returns false for an unknown email and for a wrong password alike, so your error message should not distinguish the two. redirect()->intended() sends the user to the page they tried to open before being bounced to login, falling back to dashboard. Right after a successful attempt, call $request->session()->regenerate() so the session ID issued before login cannot be reused (session fixation); Breeze's AuthenticatedSessionController already does this.
🔹 Step 4: Protect Routes (Middleware)
Use auth middleware to protect routes:
Route::get('/dashboard', function () {
return view('dashboard');
})->middleware('auth');
- Only logged-in users can access /dashboard
- Non-authenticated users are redirected to the login page
🔹 Step 5: Authorization with Gates & Policies
Authorization determines what actions a user can perform.
Using Gates
use Illuminate\Support\Facades\Gate;
Gate::define('update-post', function ($user, $post) {
return $user->id === $post->user_id;
});
Check in Blade:
@can('update-post', $post)
<a href="{{ route('posts.edit', $post->id) }}">Edit</a>
@endcan
Using Policies
Policies are classes that group the authorization logic for one model, one method per ability.
Generate Policy:
php artisan make:policy PostPolicy --model=Post
Example: app/Policies/PostPolicy.php
use App\Models\Post;
use App\Models\User;

public function update(User $user, Post $post): bool
{
return $user->id === $post->user_id;
}
Register Policy in AuthServiceProvider.php (Laravel 10 and earlier). A policy that follows the naming convention, App\Policies\PostPolicy for App\Models\Post, is discovered automatically and needs no registration; Laravel 11 has no AuthServiceProvider, so a policy with a different name is registered with Gate::policy(Post::class, PostPolicy::class) in AppServiceProvider::boot() instead.
protected $policies = [
Post::class => PostPolicy::class,
];
Check in Blade:
@can('update', $post)
<a href="{{ route('posts.edit', $post->id) }}">Edit</a>
@endcan
🔹 Step 6: Role-Based Access Control (RBAC)
Example: Add a role column in users table:
$table->string('role')->default('user'); // roles: user, admin
Use middleware (the role alias must be registered, see below, and it must run after auth so that $request->user() is never null):
Route::middleware(['auth','role:admin'])->group(function() {
Route::get('/admin', [AdminController::class,'index']);
});
Create custom middleware:
php artisan make:middleware RoleMiddleware
In middleware (app/Http/Middleware/RoleMiddleware.php). The check fails closed: a missing user or a non-matching role both produce 403.
use Closure;
use Illuminate\Http\Request;

public function handle(Request $request, Closure $next, string $role)
{
$user = $request->user();
if ($user === null || $user->role !== $role) {
abort(403);
}
return $next($request);
}
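The alias 'role' used in the route above is not known to Laravel until you register it, and a real application usually needs more than one allowed role per route. The following is an added example, not the tutorial's own code: a RoleMiddleware that accepts several roles (role:admin,editor), redirects a guest to login instead of dereferencing null, and the alias registration. The registration snippet assumes Laravel 11's bootstrap/app.php; on Laravel 10 the same entry goes into $middlewareAliases in app/Http/Kernel.php.

```php
<?php
// Added example (not the tutorial's own code). Two files shown in one listing.

// app/Http/Middleware/RoleMiddleware.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RoleMiddleware
{
    /**
     * Laravel splits "role:admin,editor" on commas and passes each part as
     * a separate argument, so the variadic collects every allowed role.
     */
    public function handle(Request $request, Closure $next, string ...$roles): Response
    {
        $user = $request->user();

        // Fail closed: no authenticated user means no role at all.
        // redirect()->guest() remembers the URL for redirect()->intended().
        if ($user === null) {
            return redirect()->guest(route('login'));
        }

        // Strict in_array: 'admin' must match exactly, and a non-string
        // value in a tampered column never compares equal.
        if (! in_array($user->role, $roles, true)) {
            abort(403, 'This action is unauthorized.');
        }

        return $next($request);
    }
}

// bootstrap/app.php (Laravel 11). Assumed layout; on Laravel 10 add
// 'role' => \App\Http\Middleware\RoleMiddleware::class to
// $middlewareAliases in app/Http/Kernel.php instead.
/*
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->alias([
            'role' => \App\Http\Middleware\RoleMiddleware::class,
        ]);
    })
    ->create();
*/

// routes/web.php usage: both roles may enter, anyone else gets 403.
// Route::middleware(['auth', 'role:admin,editor'])->group(function () {
//     Route::get('/admin', [\App\Http\Controllers\AdminController::class, 'index']);
// });
```

Keep 'auth' before 'role' in the list; middleware runs in the order given, and relying on the role middleware's own guest handling for every route is easy to get wrong once someone adds a route without it.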
🔹 Step 7: Email Verification (Optional)
Laravel Breeze scaffolds email verification; it becomes active once App\Models\User implements Illuminate\Contracts\Auth\MustVerifyEmail. The notice route shows the "check your inbox" page:
Route::get('/email/verify', function () {
return view('auth.verify-email');
})->middleware('auth')->name('verification.notice');
- Verification is enforced per route: only routes carrying the verified middleware are limited to verified users, and unverified users on those routes are redirected to verification.notice
📌 Key Takeaways
This week you learned:
- How to set up authentication using Laravel Breeze
- How to protect routes with the auth middleware
- How to implement authorization with Gates and Policies, and to enforce them on the server, not only in Blade
- How to create role-based access control with a custom middleware
- Optional email verification, enforced per route with the verified middleware