patrikjak / auth
Simple auth package for laravel apps
Requires
- php: ^8.4
- laravel/framework: ^12.1.1
- laravel/socialite: ^5.16
- patrikjak/utils: ^2.10.0
Requires (Dev)
- larastan/larastan: ^3.0
- orchestra/testbench: ^10.0.0
- phpstan/phpstan: ^2.1.0
- phpunit/phpunit: ^11.0
- slevomat/coding-standard: ~8.0
- spatie/phpunit-snapshot-assertions: ^5.1
README
Simple auth package for Laravel apps. Requires patrikjak/utils.
Installation
composer require patrikjak/auth
Setup
Register both service providers in bootstrap/providers.php:
use Patrikjak\Auth\AuthServiceProvider;
use Patrikjak\Utils\UtilsServiceProvider;

return [
    // ...
    UtilsServiceProvider::class,
    AuthServiceProvider::class,
];
Run the install command to publish all assets, config, migrations, and translations, remove default Laravel auth migrations, run fresh migrations, and seed default roles:
php artisan install:pjauth
Or publish individually:
php artisan vendor:publish --tag="pjauth-assets" --force
php artisan vendor:publish --tag="pjauth-config"
php artisan vendor:publish --tag="pjauth-migrations" --force
php artisan vendor:publish --tag="pjauth-translations" --force
php artisan vendor:publish --tag="pjauth-views" --force # optional
To keep config up to date on every composer update, add to your composer.json:
"scripts": {
    "post-update-cmd": [
        "@php artisan vendor:publish --tag=pjauth-config --force"
    ]
}
Laravel cannot merge multidimensional arrays in config files, so the config must be re-published after updates.
Configuration
All options live in config/pjauth.php.
Custom User model
AUTH_MODEL=App\Models\User
Default is Patrikjak\Auth\Models\User.
Custom repository
// config/pjauth.php
'repositories' => [
    'user' => \App\Repositories\UserRepository::class,
],
The custom implementation must implement Patrikjak\Auth\Repositories\Interfaces\UserRepository.
Redirects
'redirect_after_login' => env('REDIRECT_AFTER_LOGIN', '/dashboard'),
'redirect_after_logout' => env('REDIRECT_AFTER_LOGOUT', '/'),
Feature flags
All features are enabled by default except register_via_invitation:
'features' => [
    'register' => true,
    'login' => true,
    'password_reset' => true,
    'change_password' => true,
    'register_via_invitation' => false,
],
Routes are only registered when their respective feature is enabled.
Routes
Web routes use ['web', 'guest'] middleware. API routes use ['web', 'guest'] for unauthenticated endpoints and ['web', 'auth'] for authenticated ones.
Middleware
Use VerifyRole to protect routes by role:
use Patrikjak\Auth\Http\Middlewares\VerifyRole;
use Patrikjak\Auth\Models\RoleType;

Route::middleware(['web', 'auth', VerifyRole::withRole(RoleType::ADMIN)]);
Super admins pass all role checks.
Roles
Default roles: SUPERADMIN = 1, ADMIN = 2, USER = 3 (defined in RoleType enum).
Seed default roles:
php artisan seed:user-roles
# or with a custom enum:
php artisan seed:user-roles --enum=App\\Enums\\MyRoleType
The custom enum must use the Patrikjak\Utils\Common\Traits\EnumValues trait.
Artisan Commands
Create users interactively
php artisan create:users
Prompts for name, email, password, and role. Loops until you decline to add another user.
Socialite (Google)
Enable in config (enabled by default) and add credentials:
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
Add to config/services.php:
'google' => [
    'client_id' => env('GOOGLE_CLIENT_ID'),
    'client_secret' => env('GOOGLE_CLIENT_SECRET'),
    'redirect' => sprintf('%s/auth/google/callback', env('APP_URL')),
],
Register via Invitation
Enable the feature flag:
'features' => [
    'register_via_invitation' => true,
],
Send an invite from the command line:
php artisan send:register-invite user@example.com
The invite email contains a tokenised link to GET /register/{token}?email=.... On submission it calls POST /api/invite/register.
Change Password
Enable the feature flag (enabled by default):
'features' => [
    'change_password' => true,
],
Call the authenticated endpoint:
PATCH api/change-password
Request body:
{
    "old_password": "current_password",
    "password": "new_password",
    "password_confirmation": "new_password"
}
Old password validation is on by default. To skip it (e.g. admin resetting another user's password):
{
    "password": "new_password",
    "password_confirmation": "new_password",
    "validate_old_password": false
}
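The validate_old_password flag arrives in the request body, so an application that wants only administrators to skip the old-password check can enforce that server-side. The middleware below is an added example, not code from patrikjak/auth; the class name and the Gate ability skip-old-password-check are hypothetical and must be defined in your own app, and it makes no claim about how the package itself treats the flag.

```php
<?php

declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

// Added example, not part of patrikjak/auth.
final class GuardOldPasswordBypass
{
    // Hypothetical ability name; define it in your app with Gate::define().
    private const ABILITY = 'skip-old-password-check';

    public function handle(Request $request, Closure $next): Response
    {
        // Only the endpoint from the README, and only when the flag is sent.
        if (!$request->is('api/change-password') || !$request->has('validate_old_password')) {
            return $next($request);
        }

        // Truthy flag keeps the default behaviour: the old password is validated.
        if ($request->boolean('validate_old_password')) {
            return $next($request);
        }

        // Anything else (false, 0, "no", null) asks to skip validation: fail closed.
        $user = $request->user();

        if ($user !== null && Gate::forUser($user)->allows(self::ABILITY)) {
            return $next($request);
        }

        // Leave a trail for detection; never log the submitted passwords.
        Log::warning('Denied old-password bypass on change-password', [
            'user_id' => $user?->getAuthIdentifier(),
            'ip' => $request->ip(),
        ]);

        return response()->json(['message' => 'Old password is required.'], Response::HTTP_FORBIDDEN);
    }
}
```

Append it to the web group in bootstrap/app.php with $middleware->web(append: [GuardOldPasswordBypass::class]) so it also covers the routes the package registers.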
reCAPTCHA
Enabled by default on register, login, and password reset API endpoints. Disable globally:
'recaptcha' => [
    'enabled' => false,
],
Or provide the keys:
RECAPTCHA_SITE_KEY=
RECAPTCHA_SECRET_KEY=