jimbojsb/laravel-cloudflare-access

Laravel authentication and authorization via Cloudflare Access

Maintainers

Details

github.com/jimbojsb/laravel-cloudflare-access

Source

Issues

Installs: 9

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

pkg:composer/jimbojsb/laravel-cloudflare-access

v0.1.3 2025-12-09 04:38 UTC

Requires

Requires (Dev)

MIT 97361f95d674050535772b07d5cae12d0080f2c2

  • Josh Butts

Authenticationaccesslaravelcloudflarejwt

This package is auto-updated.

Last update: 2025-12-09 04:38:53 UTC

README

Authentication via Cloudflare Access JWT validation for Laravel.

Requirements

  • PHP 8.3+
  • Laravel 11.0+ or 12.0+

Installation

composer require jimbojsb/cloudflare-access-laravel

Publish Configuration

php artisan vendor:publish --tag=cloudflare-access-config

Publish Migration (Optional)

php artisan vendor:publish --tag=cloudflare-access-migrations
php artisan migrate

The migration creates a users table with id, name, email, groups (nullable json), and timestamps.

Configuration

Add to your .env:

CLOUDFLARE_ACCESS_SUBDOMAIN=yourcompany
CLOUDFLARE_ACCESS_AUDIENCE=your-application-audience-tag
CLOUDFLARE_ACCESS_POPULATE_GROUPS=false
  • CLOUDFLARE_ACCESS_SUBDOMAIN: Your team domain subdomain (e.g., if your domain is yourcompany.cloudflareaccess.com, use yourcompany)
  • CLOUDFLARE_ACCESS_AUDIENCE: The Application Audience (AUD) Tag from Cloudflare Zero Trust dashboard
  • CLOUDFLARE_ACCESS_POPULATE_GROUPS: Set to true to sync groups from Cloudflare Access JWT to the user model (default: false)

User Model

Your User model needs name, email, and groups columns. Update config/cloudflare-access.php if using a different model:

'user_model' => App\Models\User::class,

Ensure your model casts groups as an array:

protected $casts = [
    'groups' => 'array',
];

Usage

Add Login Route

Register the login route in your routes/web.php:

use Jimbojsb\CloudflareAccess\Http\Controllers\LoginController;

Route::get('/login', [LoginController::class, 'login']);

Authentication Flow

  1. User visits your app behind Cloudflare Access
  2. Cloudflare Access sends a JWT in the Cf-Access-Jwt-Assertion header
  3. The package validates the JWT against Cloudflare's public keys
  4. A user is created or updated with name, email, and groups from the JWT
  5. The user is logged into Laravel's session

Protecting Routes

Use Laravel's built-in auth middleware:

Route::middleware('auth')->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index']);
});

Local Development

For local development without Cloudflare Access, create a user.json file in your project root:

{
    "name": "Local Developer",
    "email": "dev@example.com",
    "groups": ["admin"]
}

This only works when APP_ENV is not production. Note that groups will only be populated if CLOUDFLARE_ACCESS_POPULATE_GROUPS is set to true. For safety, you should add this file to your .gitinore.

Testing

composer test

License

MIT License. See LICENSE.