nylo / laravel-nylo-auth
Laravel authentication for Nylo apps
Requires
- php: ^8.2
- illuminate/contracts: ^11.0|^12.0
- illuminate/support: ^11.0|^12.0
- laravel/sanctum: ^4.0
- spatie/laravel-package-tools: ^1.16.1
Requires (Dev)
- laravel/pint: ^1.0
- nunomaduro/collision: ^8.0
- orchestra/testbench: ^9.0|^10.0
- pestphp/pest: ^3.0
- pestphp/pest-plugin-arch: ^3.0
- pestphp/pest-plugin-laravel: ^3.0
README
This package provides API authentication endpoints for Nylo Flutter apps, powered by Laravel Sanctum.
Check out the Flutter package here: laravel_auth_slate
Requirements
- PHP ^8.1
- Laravel 10, 11, 12, or 13
- Laravel Sanctum
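- Your User model must use the HasApiTokens trait:

    use Illuminate\Foundation\Auth\User as Authenticatable;
    use Illuminate\Notifications\Notifiable;
    use Laravel\Sanctum\HasApiTokens;

    class User extends Authenticatable
    {
        use HasApiTokens, Notifiable;

        // ...
    }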
Installation
composer require nylo/laravel-nylo-auth
Publish the config and controllers:
php artisan vendor:publish --provider="Nylo\LaravelNyloAuth\LaravelNyloAuthServiceProvider"
This publishes:
- config/laravel-nylo-auth.php
- app/Http/Controllers/AuthController.php
- app/Http/Controllers/ApiController.php
API Endpoints
All routes are prefixed with /app/v1.
| Method | URI | Name | Description |
|---|---|---|---|
| POST | /app/v1/login | nylo.api.v1.login | Login and receive a Sanctum token |
| POST | /app/v1/register | nylo.api.v1.register | Register a new user and receive a token |
| POST | /app/v1/forgot-password | nylo.api.v1.forgot-password | Send a password reset link |
| GET | /app/v1/user | nylo.api.v1.auth.user | Get the authenticated user (requires Sanctum token) |
Configuration
    // config/laravel-nylo-auth.php
    return [
        // The Eloquent model used for authentication
        'user_model' => \App\Models\User::class,

        // Rate limiter classes for each route group
        'rate_limits' => [
            'public' => \Nylo\LaravelNyloAuth\RateLimiters\PublicRateLimiter::class, // 5 req/min by IP
            'authenticated' => \Nylo\LaravelNyloAuth\RateLimiters\AuthenticatedRateLimiter::class, // 60 req/min by user
        ],
    ];
Rate Limiting
Rate limiting is applied to all routes via named Laravel rate limiters:
- nylo-public: applies to login, register, and forgot-password (default: 5 requests/min per IP)
- nylo-auth: applies to authenticated routes (default: 60 requests/min per user)
Custom Rate Limiters
Create a class that implements RateLimiterContract and update the config:
    namespace App\RateLimiters;

    use Nylo\LaravelNyloAuth\Contracts\RateLimiterContract;
    use Illuminate\Cache\RateLimiting\Limit;

    class MyPublicRateLimiter implements RateLimiterContract
    {
        public function configure(): Limit|array
        {
            // 10 requests per minute per client IP, with a JSON 429 body
            return Limit::perMinute(10)->by(request()->ip())->response(function () {
                return response()->json(['message' => 'Too many requests'], 429);
            });
        }
    }
Then in config/laravel-nylo-auth.php:
    'rate_limits' => [
        'public' => \App\RateLimiters\MyPublicRateLimiter::class,
        'authenticated' => \Nylo\LaravelNyloAuth\RateLimiters\AuthenticatedRateLimiter::class,
    ],
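Because configure() may return an array, a public limiter can throttle by client IP and by targeted account at once. The class below is an added example, not code from the package: the class name, the `email` request field, and the limits of 10 and 5 are assumptions, and it assumes the returned array reaches Laravel's named rate limiter unchanged. It is registered under 'public' in rate_limits like any other custom limiter.

```php
<?php
// Added example, not part of nylo/laravel-nylo-auth.
// Assumptions: requests to the public routes carry an `email` field, and the
// array returned by configure() is handed to Laravel's named limiter as-is.

namespace App\RateLimiters;

use Illuminate\Cache\RateLimiting\Limit;
use Nylo\LaravelNyloAuth\Contracts\RateLimiterContract;

class IpAndAccountRateLimiter implements RateLimiterContract
{
    public function configure(): Limit|array
    {
        $request = request();

        // Shared JSON 429 response. Laravel passes the throttle headers
        // (Retry-After, X-RateLimit-*) as the second argument.
        $tooMany = fn ($req, array $headers) => response()->json(
            ['message' => 'Too many requests'], 429, $headers
        );

        // Per-client limit: bounds how fast one source can hit the public routes.
        // The "ip:" / "account:" prefixes keep the two counters distinct.
        $limits = [
            Limit::perMinute(10)->by('ip:'.$request->ip())->response($tooMany),
        ];

        // Per-account limit: bounds attempts against one address even when the
        // requests arrive from many IPs. Normalise so "A@x.com " and "a@x.com"
        // share a counter; hash so the key has a fixed length whatever was sent.
        $email = $request->input('email');
        if (is_string($email) && $email !== '') {
            $account = hash('sha256', mb_strtolower(trim($email)));
            $limits[] = Limit::perMinute(5)->by('account:'.$account)->response($tooMany);
        }

        return $limits;
    }
}
```

A per-account limit also lets anyone who knows an address throttle that account's logins, so keep its window short.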
Custom Middleware
You can append your own middleware to the package's route groups via config/laravel-nylo-auth.php. Entries are merged after the built-in throttle:* and auth:sanctum middleware, so rate limiting and authentication still run first.
    'middleware' => [
        'public' => ['locale'], // login, register, forgot-password
        'authenticated' => ['log.requests'], // authenticated endpoints (e.g. /user)

        // Target individual routes by their full name
        'routes' => [
            'nylo.api.v1.register' => ['captcha'],
            'nylo.api.v1.auth.user' => ['log.user.access'],
        ],
    ],
Use any middleware alias registered in your app or a fully-qualified middleware class name. Per-route middleware runs after the built-in and group-level middleware for that route.
Changelog
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security Vulnerabilities
Please review our security policy on how to report security vulnerabilities.
Credits
License
The MIT License (MIT). Please see License File for more information.