evansims/openfga-laravel

Stop writing authorization logic. Start asking questions. OpenFGA: high-performance relationship-based access control for Laravel.


OpenFGA Laravel SDK

Stop writing authorization logic. Start asking questions.


Every app needs permissions. Most developers end up with authorization logic scattered across controllers, middleware, and business logic. Changes break things. New features require touching dozens of files.

OpenFGA solves this. Define your authorization rules once, query them anywhere. This package provides complete integration of OpenFGA and Auth0 FGA for Laravel applications.

  • Eloquent Integration - Authorization methods on your models
  • Middleware Protection - Secure routes with permission checks
  • Blade Directives - Show/hide UI based on permissions
  • Testing Utilities - Fake permissions in your tests
  • Performance Optimized - Built-in caching and batch operations
  • Queue Support - Async permission operations
  • Multi-tenancy Ready - Multiple stores and connections
  • Type Safe - PHP 8.3+ with strict typing and comprehensive generics
  • Developer Friendly - Enhanced IDE support with detailed PHPDoc annotations


Installation

composer require evansims/openfga-laravel

Publish the configuration:

php artisan vendor:publish --tag="openfga-config"

Set your environment variables:

OPENFGA_URL=http://localhost:8080
OPENFGA_STORE_ID=your-store-id


Usage Patterns

// Controllers - Type-safe permission checks
if (cannot('edit', $document)) {
    abort(403);
}

// Middleware - Strict parameter validation
Route::put('/documents/{document}', [DocumentController::class, 'update'])
    ->middleware('openfga:editor,document:{document}');

// Blade Views - Enhanced type safety
@can('edit', 'document:' . $document->id)
    <button>Edit</button>
@endcan

// Eloquent Models - Comprehensive type annotations
$document->grant($user, 'editor');  // Grant permission
$document->check($user, 'editor');  // Check permission
$document->revoke($user, 'editor'); // Revoke permission

// Query by permissions - Generic return types
$myDocuments = Document::whereUserCan($user, 'edit')->get();


Quickstart

Let's implement a simple document sharing system with enhanced type safety.

<?php

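declare(strict_types=1);

namespace App\Http\Controllers;

use App\Models\Document;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\View\View;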

class DocumentController extends Controller
{
    /**
     * Share a document with another user.
     */
    public function share(Request $request, Document $document): RedirectResponse
    {
        // Ensure user can share (only owners can share)
        $this->authorize('owner', $document);

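        // Grant the requested relation to the recipient. Both values come
        // straight from the request, so validate them (known recipient,
        // allow-listed relation) before granting.
        $document->grant($request->user_email, $request->permission);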

        return back()->with('success', 'Document shared successfully!');
    }

    /**
     * List documents the user can view.
     */
    public function index(): View
    {
        $documents = Document::whereUserCan(auth()->user(), 'viewer')
            ->latest()
            ->paginate();

        return view('documents.index', compact('documents'));
    }
}
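
A hardened variant of the `share` action above, as an added example that is not part of the project's README. It assumes an `App\Models\User` model with an `email` column and that `viewer` and `editor` are the only relations an owner should hand out; the `DocumentShareController` name and the `GRANTABLE_RELATIONS` constant are hypothetical.

```php
<?php

declare(strict_types=1);

namespace App\Http\Controllers;

use App\Models\Document;
use App\Models\User; // assumption: standard Laravel user model with an "email" column
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class DocumentShareController extends Controller
{
    /**
     * Relations an owner may hand out through this endpoint.
     * Assumption: the authorization model defines "viewer" and "editor";
     * "owner" is deliberately left out so sharing cannot transfer ownership.
     */
    private const GRANTABLE_RELATIONS = ['viewer', 'editor'];

    public function share(Request $request, Document $document): RedirectResponse
    {
        // Same gate as the Quickstart: only owners can share.
        $this->authorize('owner', $document);

        // Reject any relation outside the allow-list and any e-mail that
        // does not belong to an existing account before a tuple is written.
        $validated = $request->validate([
            'user_email' => ['required', 'email', 'exists:users,email'],
            'permission' => ['required', 'string', Rule::in(self::GRANTABLE_RELATIONS)],
        ]);

        // Resolve the recipient to a model so the grant targets a real user,
        // matching the $document->grant($user, 'editor') form shown earlier.
        $recipient = User::where('email', $validated['user_email'])->firstOrFail();

        $document->grant($recipient, $validated['permission']);

        return back()->with('success', 'Document shared successfully!');
    }
}
```

Without the allow-list, any relation name sent in the `permission` field would be written as a tuple, including `owner`.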


Contributing

Contributions are welcome—have a look at our contributing guidelines.