evansims / openfga-laravel
Stop writing authorization logic. Start asking questions. OpenFGA high performance relationship-based access control for Laravel.
Requires
- php: ^8.3
- evansims/openfga-php: ^1
- illuminate/contracts: ^12
- illuminate/support: ^12
Requires (Dev)
- barryvdh/laravel-ide-helper: ^3.5
- ergebnis/composer-normalize: ^2
- friendsofphp/php-cs-fixer: ^3
- orchestra/testbench: ^10.4.0
- pestphp/pest: ^3
- pestphp/pest-plugin-arch: ^3.1
- pestphp/pest-plugin-laravel: ^3
- phpstan/phpstan: ^2
- phpstan/phpstan-strict-rules: ^2
- rector/rector: ^2
- vimeo/psalm: ^6
- wikimedia/composer-merge-plugin: ^2
README
OpenFGA Laravel SDK
Stop writing authorization logic. Start asking questions.
Every app needs permissions. Most developers end up with authorization logic scattered across controllers, middleware, and business logic. Changes break things. New features require touching dozens of files.
OpenFGA solves this. Define your authorization rules once, query them anywhere. This package provides complete integration of OpenFGA and Auth0 FGA for Laravel applications.
- Eloquent Integration - Authorization methods on your models
- Middleware Protection - Secure routes with permission checks
- Blade Directives - Show/hide UI based on permissions
- Testing Utilities - Fake permissions in your tests
- Performance Optimized - Built-in caching and batch operations
- Queue Support - Async permission operations
- Multi-tenancy Ready - Multiple stores and connections
- Type Safe - PHP 8.3+ with strict typing and comprehensive generics
- Developer Friendly - Enhanced IDE support with detailed PHPDoc annotations
Installation
composer require evansims/openfga-laravel
Publish the configuration:
php artisan vendor:publish --tag="openfga-config"
Set your environment variables:
OPENFGA_URL=http://localhost:8080 OPENFGA_STORE_ID=your-store-id
Usage Patterns
// Controllers - Type-safe permission checks if (cannot('edit', $document)) { abort(403); } // Middleware - Strict parameter validation Route::put('/documents/{document}', [DocumentController::class, 'update']) ->middleware('openfga:editor,document:{document}'); // Blade Views - Enhanced type safety @can('edit', 'document:' . $document->id) <button>Edit</button> @endcan // Eloquent Models - Comprehensive type annotations $document->grant($user, 'editor'); // Grant permission $document->check($user, 'editor'); // Check permission $document->revoke($user, 'editor'); // Revoke permission // Query by permissions - Generic return types $myDocuments = Document::whereUserCan($user, 'edit')->get();
Quickstart
Let's implement a simple document sharing system with enhanced type safety.
<?php declare(strict_types=1); use App\Models\Document; class DocumentController extends Controller { /** * Share a document with another user. */ public function share(Request $request, Document $document): RedirectResponse { // Ensure user can share (only owners can share) $this->authorize('owner', $document); // Grant permission to new user $document->grant($request->user_email, $request->permission); return back()->with('success', 'Document shared successfully!'); } /** * List documents the user can view. */ public function index(): View { $documents = Document::whereUserCan(auth()->user(), 'viewer') ->latest() ->paginate(); return view('documents.index', compact('documents')); } }
Documentation
- Installation
- Quickstart
- Configuration
- Eloquent Integration
- Middleware
- Performance & Optimization
- Testing
- API Reference
- Cookbook & Recipes - Real-world implementation patterns
Related
Contributing
Contributions are welcome—have a look at our contributing guidelines.