Almost every web application requires user authentication (login, signup) and authorization (permissions, roles, access control). Laravel provides a ready-to-use authentication system along with powerful tools for defining who can access what in your app.
For interviews, Laravel Authentication & Authorization are frequent questions because they test both your Laravel knowledge and your understanding of security in web applications.
Authentication in Laravel
Authentication is about verifying who the user is. Laravel provides multiple ways to implement authentication:
1. Starter Kits (Recommended)
Laravel offers Breeze, Jetstream, and Fortify as starter kits for auth.
- Laravel Breeze: minimal scaffolding for login, registration, password reset and email verification.
- Laravel Jetstream: adds two-factor authentication, team management, browser session management and API tokens on top of the basics.
- Laravel Fortify: the headless backend (routes and controllers, no views) that Jetstream is built on; use it directly when you bring your own front end.
Example (Breeze installation):
composer require laravel/breeze --dev
php artisan breeze:install
npm install && npm run dev
php artisan migrate
You instantly get:
- Login / Register
- Password reset
- Email verification
2. Manual Authentication (Quick Example)
Controller method:
public function login(Request $request)
{
    // Only these two keys are passed to the guard; extra request fields are ignored.
    $credentials = $request->only('email', 'password');

    if (Auth::attempt($credentials)) {
        // Rotate the session ID on login so a session fixed before
        // authentication cannot be reused afterwards.
        $request->session()->regenerate();

        return redirect()->intended('dashboard');
    }

    // One generic message for a bad email or a bad password: no account enumeration.
    return back()->withErrors(['email' => 'Invalid credentials']);
}
Auth::attempt() looks up the user by the non-password fields, checks the submitted password against the stored hash and, on a match, logs the user in on the current guard. redirect()->intended() sends the user to the URL they originally asked for before being redirected to the login page, falling back to dashboard.
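The controller above is the minimum. As an added example (not code from the original article or from Laravel itself), here is the same login hardened the way the starter kits do it: input validation, per-email-and-IP throttling with Laravel's RateLimiter, an optional remember-me cookie, session regeneration on login, and a logout that invalidates the session and rotates the CSRF token. The class name, the route names login and dashboard, and the MAX_ATTEMPTS value are assumptions.

```php
<?php
// Added example, not from the original article. Assumed names: this class,
// the route names 'login' and 'dashboard', and MAX_ATTEMPTS.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

class LoginController extends Controller
{
    // Failed attempts allowed per email+IP before throttling (assumption).
    private const MAX_ATTEMPTS = 5;

    public function login(Request $request): RedirectResponse
    {
        // Validate first so malformed input never reaches Auth::attempt().
        $credentials = $request->validate([
            'email'    => ['required', 'string', 'email'],
            'password' => ['required', 'string'],
        ]);

        // Throttle key: lowercased email plus client IP. Email alone would let an
        // attacker lock a victim out; IP alone is trivial to rotate.
        $key = Str::lower($credentials['email']) . '|' . $request->ip();

        if (RateLimiter::tooManyAttempts($key, self::MAX_ATTEMPTS)) {
            $seconds = RateLimiter::availableIn($key);
            throw ValidationException::withMessages([
                'email' => "Too many login attempts. Try again in {$seconds} seconds.",
            ]);
        }

        // $request->boolean('remember') issues a long-lived remember_token cookie.
        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            RateLimiter::hit($key, 60); // counter decays after 60 seconds

            // Same message for unknown email and wrong password: no enumeration.
            throw ValidationException::withMessages([
                'email' => 'These credentials do not match our records.',
            ]);
        }

        RateLimiter::clear($key);

        // Privilege changed (guest -> user): rotate the session ID against fixation.
        $request->session()->regenerate();

        return redirect()->intended(route('dashboard'));
    }

    public function logout(Request $request): RedirectResponse
    {
        Auth::guard('web')->logout();

        // Drop all session data, then rotate the session ID and the CSRF token
        // so neither can be replayed by anyone who captured them.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect()->route('login');
    }
}
```

Wire it up with Route::post('/login', [LoginController::class, 'login']) and Route::post('/logout', [LoginController::class, 'logout'])->middleware('auth'); both forms need @csrf. The rate limiting here is the same mechanism the Security Features section below refers to, just written out by hand.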
Authorization in Laravel
Authorization is about deciding what an authenticated user can do. Laravel provides:
1. Gates (simple checks)
// Gates are usually defined in App\Providers\AppServiceProvider::boot().
// The first argument to the closure is always the authenticated user.
Gate::define('edit-post', function ($user, $post) {
    return $user->id === $post->user_id;
});

// Anywhere in the app; Gate::allows() checks against the current user.
if (Gate::allows('edit-post', $post)) {
    // User can edit
}
2. Policies (structured authorization for models)
Generate a policy:
php artisan make:policy PostPolicy --model=Post
Inside PostPolicy.php:
public function update(User $user, Post $post): bool
{
    // Ownership check: compare the foreign key on the post with the user's id.
    return $user->id === $post->user_id;
}
Usage in controller:
$this->authorize('update', $post);
$this->authorize() comes from the AuthorizesRequests trait (included in the base controller up to Laravel 10; in Laravel 11 add the trait or call Gate::authorize('update', $post) instead). If the policy returns false it throws an AuthorizationException, which becomes an HTTP 403.
Cleaner and reusable compared to Gates. Laravel discovers App\Policies\PostPolicy for App\Models\Post automatically by naming convention, so no manual registration is needed.
3. Middleware for Role-Based Access
php artisan make:middleware AdminMiddleware
Example middleware:
public function handle(Request $request, Closure $next): Response
{
    // $request->user() is null for a guest; calling ->role on null would throw a
    // TypeError (HTTP 500) instead of denying cleanly, so check for null first.
    $user = $request->user();

    if ($user === null || $user->role !== 'admin') {
        abort(403, 'Unauthorized');
    }

    return $next($request);
}
Apply to route (the 'admin' alias must be registered first: in $middlewareAliases in app/Http/Kernel.php on Laravel 10, or with $middleware->alias() in bootstrap/app.php on Laravel 11):
Route::get('/admin', [AdminController::class, 'index'])->middleware('admin');
Laravel Guards
Laravel uses guards to define how users are authenticated on each request, and providers to define where user records are loaded from:
- web: session-based authentication backed by a cookie; used for browser logins.
- api: token-based authentication for stateless API clients, typically backed by Laravel Sanctum or Passport.
Both are configured in config/auth.php, where you can also declare extra guards and providers (for example one backed by a separate admins table).
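One thing the bullet list does not show is why you would add a guard of your own. As an added example (not code from the original article or from Laravel), the fragments below declare a second session guard for administrators with its own provider and model, so admin accounts never share a credential store or a session guard with ordinary users, then authenticate against it explicitly and protect routes with auth:admin. The Admin model, the admins table and the controller name are assumptions.

```php
<?php
// Added example, not from the original article. Assumed: an App\Models\Admin
// model (extending Illuminate\Foundation\Auth\User) backed by an admins table.

// File: config/auth.php (relevant keys only)
return [
    'defaults' => ['guard' => 'web', 'passwords' => 'users'],

    'guards' => [
        // Session guard for ordinary users (the default).
        'web'   => ['driver' => 'session', 'provider' => 'users'],
        // Second session guard with its own provider: a leaked user password
        // can never be used to log in here, because this guard never looks
        // at the users table.
        'admin' => ['driver' => 'session', 'provider' => 'admins'],
    ],

    'providers' => [
        'users'  => ['driver' => 'eloquent', 'model' => App\Models\User::class],
        'admins' => ['driver' => 'eloquent', 'model' => App\Models\Admin::class],
    ],
];

// File: app/Http/Controllers/Admin/LoginController.php (login action only)
// Auth::attempt() on its own would use the default 'web' guard and the users
// table, so the guard has to be named explicitly.
public function login(Request $request): RedirectResponse
{
    $credentials = $request->validate([
        'email'    => ['required', 'email'],
        'password' => ['required'],
    ]);

    if (! Auth::guard('admin')->attempt($credentials)) {
        return back()->withErrors(['email' => 'Invalid credentials']);
    }

    // Same fixation defence as for the web guard.
    $request->session()->regenerate();

    return redirect()->intended('/admin');
}

// File: routes/web.php
// 'auth:admin' checks the admin guard only: a user logged in on the web
// guard is still a guest here and gets redirected to login.
Route::middleware('auth:admin')->prefix('admin')->group(function () {
    Route::get('/', [AdminController::class, 'index']);
});
```

Compare this with the role-column approach in the middleware section: a role column is simpler, while a separate guard gives you isolation (different table, different session, optionally a different password policy) at the cost of a second login flow.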
Security Features in Laravel Authentication
- Password Hashing: Hash::make() uses bcrypt by default; argon2 or argon2id can be selected in config/hashing.php. Hash::check() compares a plain-text attempt against the stored hash, which is what Auth::attempt() does internally.
- CSRF Protection: Laravel's CSRF middleware rejects state-changing requests (POST, PUT, PATCH, DELETE) whose token does not match the one in the session; the @csrf Blade directive adds that token to a form as a hidden _token field.
- Email Verification: built-in support through the MustVerifyEmail contract and the verified middleware, wired up by the starter kits.
- Rate Limiting: the RateLimiter throttles repeated login attempts per email and IP to slow down brute-force and credential-stuffing attacks; the starter kits' login request does this out of the box.
Common Beginner Mistakes
- Not running php artisan migrate before testing auth.
- Forgetting @csrf in forms, which leads to 419 (Page Expired) errors.
- Putting business logic inside middleware instead of policies.
- Not defining roles properly in multi-user systems.
- Storing plain text passwords instead of hashing them with Hash::make().
Sample Interview Questions & Answers
Q: What's the difference between authentication and authorization?
A: Authentication is about verifying who the user is; authorization decides what they can do.
Q: What are Gates and Policies in Laravel?
A: Gates are simple closures for authorization logic, while Policies are organized classes tied to models for structured access control.
Q: How does Laravel store passwords?
A: Laravel hashes passwords with the Hash facade (bcrypt by default, argon2 or argon2id if configured) and never stores them in plain text; at login the submitted password is checked against the stored hash.
Q: What are Guards in Laravel?
A: Guards define how users are authenticated (e.g., web guard for sessions, api guard for tokens).
Q: How do you restrict a route to admin users only?
A: Using middleware (e.g., AdminMiddleware) or Gates/Policies.
Q: How does Laravel protect against CSRF attacks?
A: Laravel's CSRF middleware compares the token submitted with each state-changing request against the one stored in the session and rejects mismatches with a 419; the @csrf Blade directive emits that token as a hidden field so forms pass the check.
Mini Project Idea
Build a Role-Based Blog System:
- Users can register & login (using Breeze).
- Admins can create, update, delete posts.
- Regular users can only read posts.
- Use policies for post ownership checks.
Closing Note
Laravel Authentication & Authorization are at the heart of every secure web app. Laravel makes them fast to implement, yet flexible enough for complex role-based systems.