home / skills / fusengine / agents / laravel-auth

laravel-auth skill

safe

/plugins/laravel-expert/skills/laravel-auth

This skill helps you implement secure Laravel authentication and authorization using Sanctum, Passport, Fortify, and policies across modules.

npx playbooks add skill fusengine/agents --skill laravel-auth

Review the files below or copy the command above to add this skill to your agents.

Files (22)

SKILL.md

9.1 KB

---
name: laravel-auth
description: Use when implementing user authentication, API tokens, social login, or authorization. Covers Sanctum, Passport, Socialite, Fortify, policies, and gates for Laravel 12.
versions:
  laravel: "12.x"
  sanctum: "4.0"
  php: "8.4"
user-invocable: true
references: references/authentication.md, references/authorization.md, references/sanctum.md, references/passport.md, references/fortify.md, references/socialite.md, references/starter-kits.md, references/verification.md, references/passwords.md, references/session.md, references/csrf.md, references/encryption.md, references/hashing.md, references/templates/LoginController.php.md, references/templates/GatesAndPolicies.php.md, references/templates/PostPolicy.php.md, references/templates/sanctum-setup.md, references/templates/PassportSetup.php.md, references/templates/FortifySetup.php.md, references/templates/SocialiteController.php.md, references/templates/PasswordResetController.php.md
related-skills: laravel-api, laravel-permission, fusecore
---

# Laravel Authentication & Authorization

## Agent Workflow (MANDATORY)

Before ANY implementation, use `TeamCreate` to spawn 3 agents:

1. **fuse-ai-pilot:explore-codebase** - Check existing auth setup, guards, policies
2. **fuse-ai-pilot:research-expert** - Verify latest Laravel 12 auth docs via Context7
3. **mcp__context7__query-docs** - Query specific patterns (Sanctum, Passport, etc.)

After implementation, run **fuse-ai-pilot:sniper** for validation.

---

## Overview

Laravel provides a complete authentication and authorization ecosystem. Choose based on your needs:

| Package | Best For | Complexity |
|---------|----------|------------|
| **Starter Kits** | New projects, quick setup | Low |
| **Sanctum** | API tokens, SPA auth | Low |
| **Fortify** | Custom UI, headless backend | Medium |
| **Passport** | OAuth2 server, third-party access | High |
| **Socialite** | Social login (Google, GitHub) | Low |

---

## Critical Rules

1. **Use policies for model authorization** - Not inline `if` checks
2. **Always hash passwords** - `Hash::make()` or `'hashed'` cast
3. **Regenerate session after login** - Prevents fixation attacks
4. **Use HTTPS in production** - Required for secure cookies
5. **Define token abilities** - Principle of least privilege

---

## Architecture

```
app/
├── Http/
│   ├── Controllers/
│   │   └── Auth/              ← Auth controllers (if manual)
│   └── Middleware/
│       └── Authenticate.php   ← Redirects unauthenticated
├── Models/
│   └── User.php               ← HasApiTokens trait (Sanctum)
├── Policies/                  ← Authorization policies
│   └── PostPolicy.php
├── Providers/
│   └── AppServiceProvider.php ← Gate definitions
└── Actions/
    └── Fortify/               ← Fortify actions (if used)
        ├── CreateNewUser.php
        └── ResetUserPassword.php

config/
├── auth.php                   ← Guards & providers
├── sanctum.php                ← API token config
└── fortify.php                ← Fortify features
```

---

## FuseCore Integration

When working in a **FuseCore project**, authentication follows the modular structure:

```
FuseCore/
├── Core/                      # Infrastructure (priority 0)
│   └── App/Contracts/
│       └── AuthServiceInterface.php  ← Auth contract
│
├── User/                      # Auth module (existing)
│   ├── App/
│   │   ├── Models/User.php    ← HasApiTokens trait
│   │   ├── Http/
│   │   │   ├── Controllers/
│   │   │   │   ├── AuthController.php
│   │   │   │   └── TokenController.php
│   │   │   ├── Requests/
│   │   │   │   ├── LoginRequest.php
│   │   │   │   └── RegisterRequest.php
│   │   │   └── Resources/UserResource.php
│   │   ├── Policies/UserPolicy.php
│   │   └── Services/AuthService.php
│   ├── Config/
│   │   └── sanctum.php        ← Sanctum config (module-level)
│   ├── Database/Migrations/
│   ├── Routes/api.php         ← Auth routes
│   └── module.json            # dependencies: []
│
└── {YourModule}/              # Depends on User module
    ├── App/Policies/          ← Module-specific policies
    └── module.json            # dependencies: ["User"]
```

### FuseCore Auth Checklist

- [ ] Auth code in `/FuseCore/User/` module
- [ ] Policies in module's `/App/Policies/`
- [ ] Auth routes in `/FuseCore/User/Routes/api.php`
- [ ] Sanctum config in `/FuseCore/User/Config/sanctum.php`
- [ ] Declare `"User"` dependency in other modules' `module.json`
- [ ] Use `auth:sanctum` middleware in module routes

### Cross-Module Authorization

```php
// In FuseCore/{Module}/Routes/api.php
Route::middleware(['api', 'auth:sanctum'])->group(function () {
    Route::apiResource('posts', PostController::class);
});

// In FuseCore/{Module}/App/Http/Controllers/PostController.php
public function update(UpdatePostRequest $request, Post $post)
{
    $this->authorize('update', $post);  // Uses PostPolicy
    // ...
}
```

→ See [fusecore skill](../fusecore/SKILL.md) for complete module patterns.

---

## Decision Guide

### Authentication Method

```
Need auth scaffolding? → Starter Kit
├── Yes → Use React/Vue/Livewire starter kit
└── No → Building custom frontend?
    ├── Yes → Use Fortify (headless)
    └── No → API only?
        ├── Yes → Sanctum (tokens)
        └── No → Session-based
```

### Token Type

```
Third-party apps need access? → Passport (OAuth2)
├── No → Mobile app?
│   ├── Yes → Sanctum API tokens
│   └── No → SPA on same domain?
│       ├── Yes → Sanctum SPA auth (cookies)
│       └── No → Sanctum API tokens
```

---

## Key Concepts

| Concept | Description | Reference |
|---------|-------------|-----------|
| **Guards** | Define HOW users authenticate (session, token) | [authentication.md](references/authentication.md) |
| **Providers** | Define WHERE users are retrieved from (database) | [authentication.md](references/authentication.md) |
| **Gates** | Closure-based authorization for simple checks | [authorization.md](references/authorization.md) |
| **Policies** | Class-based authorization tied to models | [authorization.md](references/authorization.md) |
| **Abilities** | Token permissions (Sanctum/Passport scopes) | [sanctum.md](references/sanctum.md) |

---

## Reference Guide

### Concepts (WHY & Architecture)

| Topic | Reference | When to Consult |
|-------|-----------|-----------------|
| **Authentication** | [authentication.md](references/authentication.md) | Guards, providers, login flow |
| **Authorization** | [authorization.md](references/authorization.md) | Gates vs policies, access control |
| **Sanctum** | [sanctum.md](references/sanctum.md) | API tokens, SPA authentication |
| **Passport** | [passport.md](references/passport.md) | OAuth2 server, third-party access |
| **Fortify** | [fortify.md](references/fortify.md) | Headless auth, 2FA |
| **Socialite** | [socialite.md](references/socialite.md) | Social login providers |
| **Starter Kits** | [starter-kits.md](references/starter-kits.md) | Auth scaffolding |
| **Email Verification** | [verification.md](references/verification.md) | MustVerifyEmail, verified middleware |
| **Password Reset** | [passwords.md](references/passwords.md) | Forgot password flow |
| **Session** | [session.md](references/session.md) | Session drivers, flash data |
| **CSRF** | [csrf.md](references/csrf.md) | Form protection, AJAX tokens |
| **Encryption** | [encryption.md](references/encryption.md) | Data encryption (not passwords) |
| **Hashing** | [hashing.md](references/hashing.md) | Password hashing |

### Templates (Complete Code)

| Template | When to Use |
|----------|-------------|
| [LoginController.php.md](references/templates/LoginController.php.md) | Manual authentication controllers |
| [GatesAndPolicies.php.md](references/templates/GatesAndPolicies.php.md) | Gates and policy examples |
| [PostPolicy.php.md](references/templates/PostPolicy.php.md) | Complete policy class with before filter |
| [sanctum-setup.md](references/templates/sanctum-setup.md) | Sanctum configuration + testing |
| [PassportSetup.php.md](references/templates/PassportSetup.php.md) | OAuth2 server setup |
| [FortifySetup.php.md](references/templates/FortifySetup.php.md) | Fortify configuration + 2FA |
| [SocialiteController.php.md](references/templates/SocialiteController.php.md) | Social login + testing |
| [PasswordResetController.php.md](references/templates/PasswordResetController.php.md) | Password reset flow |

---

## Best Practices

### DO
- Use starter kits for new projects
- Define policies for all models
- Set token expiration
- Rate limit login attempts
- Use `verified` middleware for sensitive actions
- Prune expired tokens regularly

### DON'T
- Store plain text passwords
- Skip session regeneration on login
- Use Passport when Sanctum suffices
- Forget to prune expired tokens
- Ignore HTTPS in production
- Put authorization logic in controllers

Overview

This skill guides implementing authentication and authorization for Laravel 12 projects, covering Sanctum, Passport, Fortify, Socialite, policies, and gates. It provides a clear decision flow, FuseCore module patterns, and a checklist to enforce secure defaults. Use it to choose the right package and apply consistent, auditable access control across modules.

How this skill works

The skill inspects project structure, config, and module dependencies to locate auth code and policies. It recommends a workflow that spawns agents to explore the codebase, validate docs, and query patterns before changes, then runs a validation agent after implementation. It maps guards, providers, token abilities, and FuseCore module wiring into practical tasks and templates for setup and testing.

When to use it

Setting up API tokens, SPA auth, or mobile token auth (Sanctum).
Building a headless backend or custom frontend authentication (Fortify).
Providing third-party OAuth2 access for external apps (Passport).
Adding social login (Socialite) or starter kit scaffolding for new projects.
Implementing model-level authorization with policies and gates.
Integrating authentication into FuseCore modular projects.

Best practices

Always hash passwords (Hash::make or hashed cast) and never store plain text.
Use policies for model authorization; avoid inline if checks in controllers.
Regenerate session after login to prevent session fixation.
Define token abilities and apply least-privilege to API tokens.
Enable HTTPS and secure cookies in production; rate limit login attempts.

Example use cases

Configure Sanctum for an SPA on the same domain with cookie-based authentication.
Use Fortify for a headless API that handles custom registration and 2FA flows.
Set up Passport to expose OAuth2 scopes for third-party integrations.
Add Socialite to support Google and GitHub login for quick social onboarding.
Place user auth and policies into a FuseCore User module and declare dependencies for other modules.

FAQ

When should I choose Sanctum over Passport?

Use Sanctum for first-party APIs, SPA auth, or mobile apps where you control client and server. Choose Passport only when you need a full OAuth2 server for third-party access.

Where should authorization logic live?

Put authorization in policies and gates. Call authorize() in controllers or authorizeResource in resource controllers; avoid embedding access checks directly in controller actions.