Forem: ashrakt

Building API Authentication System with Laravel 12 & Sanctum: Register, Login, OTP & Password Reset

ashrakt — Tue, 04 Nov 2025 15:02:41 +0000

Laravel Sanctum provides an authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.

folders

App->[
     Http->[
           Controllers\Api\Auth->[
                                AuthController,
                                OTPController,
                                PasswordResetController
         ],Requests\Auth->[
                         LoginUserRequest,
                         RegisterUserRequest,
                         ResetPasswordRequest,
                         SendOTPRequest,
                         VerifyOTPRequest
        ],Resources->[
                      SuccessResource,
                      ErrorResource,
                      User->[
                            AuthResource,
                            UserResource]
    ],Jobs->[SendMailJob],
      Mail->[OTPMail],
      Services->[OTPService]

1: Install Laravel 12 and Sanctum

# Create new Laravel 12 project
laravel new sanctum-auth
cd sanctum-auth

# Install Sanctum
php artisan install:api

# Run migrations (creates personal_access_tokens table)
php artisan migrate

2: Configure Sanctum

config/sanctum.php

  'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
        '%s%s',
        'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
        Sanctum::currentApplicationUrlWithPort(),
    ))),

Stateful domains tell Sanctum which domains can use cookies and sessions for authentication, allowing the frontend to communicate with the API seamlessly!

.env
SANCTUM_STATEFUL_DOMAINS=localhost,127.0.0.1,127.0.0.1:3000

3: Update User Model

app/Models/User.php

<?php

namespace App\Models;

// use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;


class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable;

    protected $fillable = [
        'name',
        'email',
        'password',
        'phone',
        'email_verified_at',
        'otp',
        'otp_expires_at',
        'otp_verified_at'
    ];

    protected $hidden = [
        'password',
        'remember_token',
        'otp'

    ];


    protected function casts(): array
    {
        return [
            'email_verified_at' => 'datetime',
            'password' => 'hashed',
            'otp_expires_at' => 'datetime',
            'otp_verified_at' => 'datetime',
        ];
    }
}

4: Create Auth Controller, Register And Login Request, Auth And User Resource

Auth Controller
php artisan make:controller Api/Auth/AuthController

app/Http/Controllers/AuthController.php

<?php

namespace App\Http\Controllers\Api\Auth;

use App\Http\Controllers\Controller;
use App\Http\Requests\Auth\LoginUserRequest;
use App\Http\Requests\Auth\RegisterUserRequest;
use App\Http\Resources\User\AuthResource;
use App\Http\Resources\ErrorResource;
use App\Http\Resources\SuccessResource;
use App\Http\Resources\User\UserResource;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
    public function register(RegisterUserRequest $request)
    {
        $validated = $request->validated();

        $user = User::create([
            'name' => $validated['name'],
            'email' => $validated['email'],
            'password' => Hash::make($validated['password']),
            'phone' => $validated['phone'],
        ]);

        $token = $user->createToken('auth_token')->plainTextToken;

        $authData = [
            'user' => $user,
            'token' => $token,
            'token_type' => 'Bearer'
        ];

        return new AuthResource($authData);
    }

    public function login(LoginUserRequest $request)
    {
        $validated = $request->validated();

        $user = User::where('email', $validated['email'])->first();

        if (!$user || !Hash::check($validated['password'], $user->password)) {
            return new ErrorResource([
                'message' => 'Invalid credentials',
                'status_code' => 401
            ]);
        }

        $token = $user->createToken('auth_token')->plainTextToken;

        $authData = [
            'user' => $user,
            'token' => $token,
            'token_type' => 'Bearer'
        ];

        return new AuthResource($authData);
    }

    public function logout(Request $request)
    {
        $request->user()->currentAccessToken()->delete();

        return new SuccessResource([
            'message' => 'Logged out successfully'
        ]);
    }


//The user() function retrieves the authenticated user's profile data using their Bearer token.

    public function user(Request $request)
    {
        return new SuccessResource([
            'message' => 'User data retrieved successfully',
            'data' => new UserResource($request->user())
        ]);
    }
}

$token = $user->createToken('auth_token');
        return $token;

the json respone

Create RegisterUserRequest class

php artisan make:request Auth/RegisterUserRequest

-app/Http/Requests/Auth/RegisterUserRequest.php

<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Contracts\Validation\Validator;
use Illuminate\Http\Exceptions\HttpResponseException;

class RegisterUserRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     */
    public function authorize(): bool
    {
        return true; // Set to true to allow all users
    }

    /**
     * Get the validation rules that apply to the request.
     */
    public function rules(): array
    {
        return [
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|min:8|confirmed',
            'phone' => 'required|string|max:20'
        ];
    }

    /**
     * Get custom messages for validator errors.
     *
     * @return array<string, string>
     */
    public function messages(): array
    {
        return [
            'name.required' => 'The name field is required.',
            'name.string' => 'The name must be a string.',
            'name.max' => 'The name may not be greater than 255 characters.',

            'email.required' => 'The email field is required.',
            'email.email' => 'Please enter a valid email address.',
            'email.unique' => 'This email is already registered.',

            'password.required' => 'The password field is required.',
            'password.min' => 'The password must be at least 8 characters.',
            'password.confirmed' => 'Password confirmation does not match.',

            'phone.required' => 'The phone field is required.',
            'phone.string' => 'The phone must be a string.',
            'phone.max' => 'The phone may not be greater than 20 characters.',
        ];
    }



    protected function failedValidation(Validator $validator)
    {
        throw new HttpResponseException(
            response()->json([
                'status' => 'error',
                'message' => 'Validation failed',
                'errors' => $validator->errors()
            ], 422)
        );
    }
}

Login Request

-php artisan make:request Auth/LoginUserRequest

<?php

namespace App\Http\Requests\Auth;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Contracts\Validation\Validator;
use Illuminate\Http\Exceptions\HttpResponseException;


class LoginUserRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    public function rules(): array
    {
        return [
            'email' => 'required|email',
            'password' => 'required'
        ];
    }

    public function messages(): array
    {
        return [
            'email.required' => 'The email field is required.',
            'email.email' => 'Please enter a valid email address.',
            'password.required' => 'The password field is required.',
        ];
    }


    protected function failedValidation(Validator $validator)
    {
        throw new HttpResponseException(
            response()->json([
                'status' => 'error',
                'message' => 'Validation failed',
                'errors' => $validator->errors()
            ], 422)
        );
    }
}

Auth Resource

php artisan make:resource User/AuthResource
app/Http/Resources/User/AuthResource.php

<?php

namespace App\Http\Resources\User;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

class AuthResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        return [
            'user' => new UserResource($this['user']),
            'access_token' => $this['token'],
            'token_type' => $this['token_type'] ?? 'Bearer',
        ];
    }
}

User Resource

php artisan make:resource USer/UserResource
app/Http/Resources/User/UserResource.php

<?php

namespace App\Http\Resources\User;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

class UserResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        return [
            'id' => $this->id,
            'name' => $this->name,
            'email' => $this->email,
            'phone' => $this->phone,
            'email_verified_at' => $this->email_verified_at?->toDateTimeString(),
            'created_at' => $this->created_at?->toDateTimeString(),
            'updated_at' => $this->updated_at?->toDateTimeString(),
        ];
    }
}

Success Resource

php artisan make:resource SuccessResource

app/Http/Resources/SuccessResource.php

<?php

namespace App\Http\Resources;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

class SuccessResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        return [
            'status' => 'success',
            'message' => $this['message'],
            'data' => $this['data'] ?? null,
        ];
    }

    public function withResponse($request, $response)
    {
        $response->setStatusCode($this['status_code'] ?? 200);
    }
}

Error Resource

php artisan make:resource ErrorResource
-app/Http/Resources/ErrorResource.php

<?php

namespace App\Http\Resources;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

class ErrorResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        return [
            'status' => 'error',
            'message' => $this['message'],
            'errors' => $this['errors'] ?? null,
        ];
    }

    public function withResponse($request, $response)
    {
        $response->setStatusCode($this['status_code'] ?? 400);
    }
}

*Create OTP Controller, OTP Requests *

OTP Controller

This OTPController class is a One-Time Password (OTP) authentication controller for a Laravel application. Here's what it does:

Main Purpose

1- Email verification during registration
2- Two-factor authentication (2FA)
3- Password reset verification
4- Account recovery

-php artisan make:controller Api/Auth/OTPController

<?php

namespace App\Http\Controllers\Api\Auth;

use App\Http\Controllers\Controller;
use App\Http\Requests\Auth\SendOTPRequest;
use App\Http\Requests\Auth\VerifyOTPRequest;
use App\Http\Resources\ErrorResource;
use App\Http\Resources\SuccessResource;
use App\Jobs\SendMailJob;
use App\Models\User;
use App\Services\OTPService;

class OTPController extends Controller
{

    protected $otpService;

    public function __construct(OTPService $otpService)
    {
        $this->otpService = $otpService;
    }

    public function sendOTP(SendOTPRequest $request)
    {
        $validated = $request->validated();

        $user = User::where('email', $validated['email'])->first();

        // Generate OTP using service
        $otpData = $this->otpService->generateOTP();

        try {
            // Send OTP via Email
            SendMailJob::dispatch(
                $user->name,
                $user->email,
                $otpData['otp']
            );


            // Update user with OTP data
            $user->update([
                'otp' => $otpData['otp'],
                'otp_expires_at' => $otpData['otp_expires_at']
            ]);


            return new SuccessResource([
                'message' => 'OTP sent successfully to your email',
                'data' => [
                    'expires_in' => 10,
                    'email' => $user->email
                ]
            ]);
        } catch (\Exception $e) {
            return new ErrorResource([
                'message' => 'Failed to send OTP. Please try again.',
                'error_code' => 'EMAIL_SEND_FAILED',
                'status_code' => 500
            ]);
        }
    }


    public function verifyOTP(VerifyOTPRequest $request)
    {
        $validated = $request->validated();

         // Use email verification method for OTP verification
        $user = $this->otpService->verifyOTPAndVerifyEmail(
              $validated['email'], 
              $validated['otp']
          );

        if (!$user) {
            return new ErrorResource([
                'message' => 'Invalid or expired OTP',
                'status_code' => 400
            ]);
        }

        // Clear OTP and mark email as verified
        $this->otpService->clearOTP($user);

        return new SuccessResource([
            'message' => 'OTP verified successfully'
        ]);
    }
}

OTP Requests

php artisan make:request Auth/SendOTPRequest
php artisan make:request Auth/VerifyOTPRequest

-app/Http/Requests/Auth/SendOTPRequest.php

<?php

namespace App\Http\Requests\Auth;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Contracts\Validation\Validator;
use Illuminate\Http\Exceptions\HttpResponseException;


class SendOTPRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    public function rules(): array
    {
        return [
            'email' => 'required|email|exists:users,email'
        ];
    }


      public function messages(): array
    {
        return [
            'email.required' => 'The email field is required.',
            'email.email' => 'Please enter a valid email address.',
            'email.exists' => 'No account found with this email address.',
        ];
    }


    protected function failedValidation(Validator $validator)
    {
        throw new HttpResponseException(
            response()->json([
                'status' => 'error',
                'message' => 'Validation failed',
                'errors' => $validator->errors()
            ], 422)
        );
    }
}

-app/Http/Requests/Auth/VerifyOTPRequest.php

<?php

namespace App\Http\Requests\Auth;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Contracts\Validation\Validator;
use Illuminate\Http\Exceptions\HttpResponseException;

class VerifyOTPRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    public function rules(): array
    {
        return [
            'email' => 'required|email|exists:users,email',
            'otp' => 'required|digits:6'
        ];
    }


    public function messages(): array
    {
        return [
            // Email field messages
            'email.required' => 'Email address is required.',
            'email.email' => 'Please provide a valid email address.',
            'email.exists' => 'This email address is not registered in our system.',

            // OTP field messages
            'otp.required' => 'OTP code is required.',
            'otp.digits' => 'OTP code must be exactly 6 digits.',
        ];
    }


    protected function failedValidation(Validator $validator)
    {
        throw new HttpResponseException(
            response()->json([
                'status' => 'error',
                'message' => 'Validation failed',
                'errors' => $validator->errors()
            ], 422)
        );
    }
}

OTP Service

The OTP Service prevents duplication in code and prepares for future changes, Even though the logic is simple now, having it in one place means:
- One change affects all OTP usage
- Easy to test and maintain
- Ready for evolution when requirements change

php artisan make:class Services/OTPService

<?php

namespace App\Services;

use App\Models\User;
use Illuminate\Support\Carbon;

class OTPService
{
    public function generateOTP(): array
    {
        return [
            'otp' => rand(100000, 999999),
            'otp_expires_at' => Carbon::now()->addMinutes(10)
        ];
    }

    public function verifyOTP(string $email, string $otp): ?User
    {
        return User::where('email', $email)
            ->where('otp', $otp)
            ->where('otp_expires_at', '>', Carbon::now())
            ->first();
    }

    public function verifyOTPAndVerifyEmail(string $email, string $otp): ?User
    {
        $user = $this->verifyOTP($email, $otp);

        if ($user) {
            $user->update([
                'otp' => null,
                'otp_expires_at' => null,
                'email_verified_at' => Carbon::now()
            ]);
        }

        return $user;
    }

    public function clearOTP(User $user): void
    {
        $user->update([
            'otp' => null,
            'otp_expires_at' => null,
        ]);
    }
}

Queue for Sending Email With Database Driver

Benefits:

-Improved Application Performance -> User doesn't wait for email to send

Automatic Retries -> If sending fails, it retries automatically
Error Handling -> Failed jobs are logged and can be retried
Data Safety -> Jobs are stored even if server restarts

Complete Setup

i: Environment Setup
.env
QUEUE_CONNECTION=database

ii: create queue tables if they don't exist:

php artisan queue:table
php artisan queue:failed-table
php artisan migrate

php artisan make:job SendMailJob

<?php

namespace App\Jobs;

use App\Mail\OTPMail;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Mail;

class SendMailJob implements ShouldQueue
{
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

    protected $name;
    protected $email;
    protected $otp;


    public function __construct($name, $email, $otp)
    {
        $this->name = $name;
        $this->email = $email;
        $this->otp = $otp;
    }



    public function handle(): void
    {
        Mail::to($this->email)->send(new OTPMail(
            otp: $this->otp,
            userName: $this->name,
            expiresIn: 10,
            purpose: 'verification'
        ));
    }

    public function failed(\Throwable $exception): void
    {
        Log::error('SendMailJob failed: ' . $exception->getMessage());
        Log::error('Exception details: ', [
            'file' => $exception->getFile(),
            'line' => $exception->getLine(),
            'trace' => $exception->getTraceAsString()
        ]);
    }
}

Running the Queue Worker

php artisan queue:work

Complete SendGrid Setup Guide

1: Create SendGrid Account

Go to SendGrid.com
Sign up for a free account (100 emails/day)
Verify your email address
Complete account setup

2: Get SendGrid API Key

Login to SendGrid dashboard
Go to Settings → API Keys
Click Create API Key
Give it a name (e.g., "Laravel App")
Choose Full Access or Restricted Access
Copy the API key (you won't see it again!)
.env file

MAIL_MAILER=smtp
MAIL_HOST=smtp.sendgrid.net
MAIL_PORT=587
MAIL_USERNAME=apikey
MAIL_PASSWORD=your_sendgrid_api_key_here
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=from@example.com
MAIL_FROM_NAME="Your App"

4: Sender Authentication

Option A: Single Sender Verification (Quick Start)

1- Go to Settings → Sender Authentication
2- Click Verify a Single Sender
3-Fill in the form:
From Email: your-email@example.com
From Name: Your Name
Reply To: your-email@example.com
Address: Your physical address (required by law)
Click Create
4-Check your email and click verification link

Option B: Domain Authentication (Recommended for Production)

1- Go to Settings → Sender Authentication
2- Click Authenticate Your Domain
3- Enter your domain (e.g., example.com)
4- Choose Default Link Branding
5- SendGrid provides DNS records - add these to your domain's DNS
6- Wait for verification (can take 24-48 hours)

5: Create Mail Class in Laravel

php artisan make:mail OTPMail

<?php

namespace App\Mail;

use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Mail\Mailable;
use Illuminate\Mail\Mailables\Content;
use Illuminate\Mail\Mailables\Envelope;
use Illuminate\Queue\SerializesModels;

class OTPMail extends Mailable
{
    use Queueable, SerializesModels;

    public $otp;
    public $userName;
    public $expiresIn;
    public $purpose;

    public function __construct($otp, $userName = null, $expiresIn = 10, $purpose = 'verification')
    {
        $this->otp = $otp;
        $this->userName = $userName;
        $this->expiresIn = $expiresIn;
        $this->purpose = $purpose;
    }



    public function content(): Content
    {
        return new Content(
            view: 'emails.otp',
        );
    }

    public function attachments(): array
    {
        return [];
    }
}

Create Email Template

<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>OTP Verification - {{ config('app.name') }}</title>
    <style>
        * {
            margin: 0;
            padding: 0;
            box-sizing: border-box;
        }

        body {
            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
            line-height: 1.6;
            color: #333;
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
            min-height: 100vh;
            padding: 20px;
        }

        .container {
            max-width: 500px;
            margin: 0 auto;
        }

        .email-wrapper {
            background: white;
            border-radius: 15px;
            overflow: hidden;
            box-shadow: 0 20px 40px rgba(0, 0, 0, 0.1);
        }

        .content {
            padding: 40px 30px;
        }

        .greeting {
            font-size: 18px;
            margin-bottom: 25px;
            color: #4B5563;
        }

        .otp-container {
            text-align: center;
            margin: 30px 0;
        }

        .otp-label {
            font-size: 16px;
            color: #6B7280;
            margin-bottom: 15px;
        }

        .otp-code {
            font-size: 48px;
            font-weight: bold;
            color: #4F46E5;
            letter-spacing: 8px;
            font-family: 'Courier New', monospace;
            background: #F8FAFC;
            padding: 20px;
            border-radius: 10px;
            border: 2px dashed #E5E7EB;
            margin: 15px 0;
        }

        .info-box {
            background: #F0F9FF;
            border: 1px solid #BAE6FD;
            border-radius: 10px;
            padding: 20px;
            margin: 25px 0;
        }

        .info-item {
            display: flex;
            align-items: center;
            margin-bottom: 10px;
        }

        .info-item:last-child {
            margin-bottom: 0;
        }

        .info-icon {
            font-size: 18px;
            margin-right: 12px;
        }

        .footer {
            text-align: center;
            padding: 30px;
            background: #F8FAFC;
            border-top: 1px solid #E5E7EB;
        }

        .footer p {
            color: #6B7280;
            font-size: 14px;
            margin-bottom: 5px;
        }

        .app-name {
            color: #4F46E5;
            font-weight: 600;
        }

        @media (max-width: 600px) {
            .content {
                padding: 30px 20px;
            }

            .otp-code {
                font-size: 36px;
                letter-spacing: 6px;
                padding: 15px;
            }

        }
    </style>
</head>

<body>
    <div class="container">
        <div class="email-wrapper">
            <div class="content">
                <div class="greeting">
                    @if ($userName)
                        Hello <strong>{{ $userName }}</strong>,
                    @else
                        Hello,
                    @endif
                </div>

                <p>You're just one step away! Use the following verification code to complete your request:</p>

                <div class="otp-container">
                    <div class="otp-label">Your verification code:</div>
                    <div class="otp-code">{{ $otp }}</div>
                </div>

                <div class="info-box">
                    <div class="info-item">
                        <span class="info-icon">⏰</span>
                        <span><strong>Expires in:</strong> {{ $expiresIn }} minutes</span>
                    </div>
                    <div class="info-item">
                        <span class="info-icon">🚀</span>
                        <span><strong>Purpose:</strong>
                            @if ($purpose === 'verification')
                                Account Verification
                            @elseif($purpose === 'password_reset')
                                Password Reset
                            @elseif($purpose === 'login')
                                Login Verification
                            @else
                                Security Verification
                            @endif
                        </span>
                    </div>
                </div>
            </div>

            <div class="footer">
                <p>&copy; {{ date('Y') }} <span class="app-name">{{ config('app.name') }}</span>. All rights
                    reserved.</p>
                <p>This email was sent via Secure OTP System</p>
            </div>
        </div>
    </div>
</body>

</html>

Password Reset Controller, Send OTP And Reset password Request

php artisan make:controller Api/Auth/PasswordResetController

app/Http/Controllers/Api/Auth/PasswordResetController.php

<?php

namespace App\Http\Controllers\Api\Auth;

use App\Http\Controllers\Controller;
use App\Http\Requests\Auth\ResetPasswordRequest;
use App\Http\Requests\Auth\SendOTPRequest;
use App\Http\Resources\ErrorResource;
use App\Http\Resources\SuccessResource;
use App\Jobs\SendMailJob;
use App\Models\User;
use App\Services\OTPService;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Hash;

class PasswordResetController extends Controller
{

    protected $otpService;

    public function __construct(OTPService $otpService)
    {
        $this->otpService = $otpService;
    }


    public function forgotPassword(SendOTPRequest $request)
    {
        $validated = $request->validated();

        $user = User::where('email', $validated['email'])->first();

        // Generate OTP using service
        $otpData = $this->otpService->generateOTP();

        try {
            // Send OTP via Email
            SendMailJob::dispatch(
                $user->name,
                $user->email,
                $otpData['otp']
            );

            $user->update([
                'otp' => $otpData['otp'],
                'otp_expires_at' => $otpData['otp_expires_at']
            ]);

            return new SuccessResource([
                'message' => 'OTP sent successfully to your email',
                'data' => [
                    'expires_in' => 10,
                    'email' => $user->email
                ]
            ]);
        } catch (\Exception $e) {
            return new ErrorResource([
                'message' => 'Failed to send OTP. Please try again.',
                'error_code' => 'EMAIL_SEND_FAILED',
                'status_code' => 500
            ]);
        }
    }

    public function resetPassword(ResetPasswordRequest $request)
    {
        $validated = $request->validated();

  // Use basic OTP verification for password reset (no email verification)
        $user = $this->otpService->verifyOTP(
            $validated['email'],
            $validated['otp']
        );


        if (!$user) {
            return new ErrorResource([
                'message' => 'Invalid or expired OTP',
                'status_code' => 400
            ]);
        }

        // Clear OTP and mark email as verified
        $this->otpService->clearOTP($user);

        $user->tokens()->delete();

        return new SuccessResource([
            'message' => 'Password reset successfully'
        ]);
    }
}

Why $user->tokens()->delete();?

Security measure during password reset to:

Invalidate all active sessions
Force re-login with new password
Prevent token reuse if account was compromised
Log out all devices

Result:

User must login again on all devices
Old tokens become useless
Fresh start with new password

Reset Password Request

<?php
namespace App\Http\Requests\Auth;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Contracts\Validation\Validator;
use Illuminate\Http\Exceptions\HttpResponseException;


class ResetPasswordRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }


    public function rules(): array
    {
        return [
            'email'    => 'required|email|exists:users,email',
            'otp'      => 'required|digits:6',
            'password' => 'required|string|min:8|confirmed',
        ];
    }


    public function messages(): array
    {
        return [
            'email.required' => 'The email field is required.',
            'email.email' => 'Please enter a valid email address.',
            'email.exists' => 'No account found with this email address.',

            'password.required' => 'The password field is required.',
            'password.min' => 'The password must be at least 8 characters.',
            'password.confirmed' => 'Password confirmation does not match.',

            'otp.required' => 'OTP code is required.',
            'otp.digits' => 'OTP code must be exactly 6 digits.',
        ];
    }


    protected function failedValidation(Validator $validator)
    {
        throw new HttpResponseException(
            response()->json([
                'status' => 'error',
                'message' => 'Validation failed',
                'errors' => $validator->errors()
            ], 422)
        );
    }
}

Create API Routes

routes/api.php

// Include Authentication Routes
require __DIR__ . '/auth.php';

routes/auth.php

<?php

use App\Http\Controllers\Api\Auth\AuthController;
use App\Http\Controllers\Api\Auth\OTPController;
use App\Http\Controllers\Api\Auth\PasswordResetController;
use Illuminate\Support\Facades\Route;



// Public routes
Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);

// OTP routes
Route::post('/send-otp', [OTPController::class, 'sendOTP']);
Route::post('/verify-otp', [OTPController::class, 'verifyOTP']);

// Password reset routes
Route::post('/forgot-password', [PasswordResetController::class, 'forgotPassword']);
Route::post('/reset-password', [PasswordResetController::class, 'resetPassword']);

//Protected routes
Route::middleware('auth:sanctum')->group(function () {
    Route::delete('/logout', [AuthController::class, 'logout']);
    Route::get('/user', [AuthController::class, 'user']);
});

API Authentication System Implementation

Postman Automation Script

Postman Environment Variables
-Two key variables configured:

url: Base API endpoint for all requests
access-token: Authentication token automatically saved after login/register

register

login

logout

OTP

send OTP
verify OTP

password

forgot password
reset password

authenticated user

Laravel HTTP Sessions

ashrakt — Tue, 28 Oct 2025 16:00:38 +0000

1. What are Sessions?

Sessions are a core mechanism in web applications that allow a server to remember a user and maintain information about them across multiple visits or requests.

Since the fundamental nature of the HTTP protocol is stateless (meaning the server forgets everything between one request and the next), sessions are crucial for providing a continuous, personalized, and functional user experience.

ex:
Login Status
Remembering that a user is signed in without requiring them to re-enter credentials on every page.

Shopping Cart Items
Persisting the list of products a user has added to their cart, even as they navigate through the website. (This is crucial for Guest Users, where cart contents are temporarily stored in the session rather than the database).

Interface Preferences (Locale/Language)
Recalling the user's chosen language (e.g., English/Arabic) to ensure consistent content display across the entire application."

2. How Sessions Work

1- When you visit a site, Laravel creates a unique Session ID
2- This ID is stored in a cookie (small file in your browser) called laravel_session
3- Your actual data (username, cart items) is stored on the server, linked to your Session ID
4- Every time you click a new page, your browser sends the cookie back so the server remembers you

3. Where Session Data is Stored(Session Drivers)

The Session Driver is where the session data is stored on the server side (configured in config/session.php).

1- Files (default): stored in storage/framework/sessions.
2- Database: stored in a database table.
3- Redis/Memcached: fast memory storage.
4- Cookies: stored in secure, encrypted cookies.
5- array: stored in a PHP array and will not be persisted.

4. Key Session Methods

5. Session Security

CSRF Protection
Encryption
Session Regeneration

CSRF Protection(Cross-Site Request Forgery)

What it is
What it prevents: Bad websites tricking you into doing actions on other sites where you're logged in (like changing their email or buying an item).

How Laravel Protects You
Laravel uses a CSRF Token to ensure that any request trying to modify data (POST, PUT, DELETE, etc.) actually came from your application, not an external source.

Action
When a user loads a form on your site, Laravel generates a unique, secret token and stores it in two places:
In the user's Session (on the server).
In a hidden input field (_token) within the HTML form.

Verification
When the user submits the form, Laravel compares the token from the hidden field to the token stored in the server's session data.

If they match:
The request is safe and proceeds.

If they don't match (or the token is missing):
Laravel blocks the request with a 419 Page Expired error.

Encryption

What it is
Encryption ensures that any session information sent to the browser is unreadable to hackers, whether it's the session ID or actual session data.

How Laravel Protects You
1- Key Security:

Laravel uses a long, random and secret string defined in your .env file as the APP_KEY.
This secret key is the only key used to encrypt and decrypt the session contents.

2- The Process:
Depending on the session driver, Laravel encrypts either just the Session ID or the entire session data before storing it in the browser cookie.

3- Result:
Even if attacker:

Intercepts cookie → sees encrypted session ID
Accesses server files → sees encrypted session data
Steals session file → cannot read contents without APP_KEY

Session ID Regeneration (Preventing Session Fixation)

What it prevents
Session hijacking - when hackers steal your login session

How it works

When you login, Laravel creates a completely new session ID.
Old session ID becomes useless.
Hackers can't use old ID to access your account.

Result
Even if an attacker knew the old ID, that ID is now invalid and useless, as the user is authenticated under the new, secret ID. This makes hijacking the authenticated session impossible using the old ID.

Laravel Real-time

ashrakt — Sun, 14 Sep 2025 00:33:03 +0000

What Are Notifications in Laravel?
Laravel notification is a way to send a message to your users. Think of it as a central hub for all your app's alerts. Instead of writing separate code for emails, text messages, or in-app alerts, Laravel gives you a single, clean way to handle them all. You write the message once, and Laravel sends it through whatever channels you choose.

Types of Notifications
Laravel has several built-in notification types, each for a different purpose:

Mail Notifications:
These send a standard email. They're perfect for important updates like a new invoice or a password reset link.
Database Notifications:
This type saves a record of the notification in your database. It's used for the notifications you see inside an app. Users can see their notification history and mark them as read.
SMS Notifications:
send text messages directly to a user's phone. This is perfect for things that need immediate attention, like verification codes (OTP). Laravel supports this through services like Vonage and Twilio.
Slack Notifications:
send messages to Slack channels or to team members directly. This is great for sending internal alerts, like error logs or important system updates, helping development teams stay informed.
Broadcast Notifications: This is the key to real-time notifications. It sends the notification data to a service like Pusher or Laravel Echo. This allows a user's browser to get an instant alert without having to refresh the page. This is what makes real-time functionality possible.

How to Send a Notification to an Admin When a New User Registers

I- Prepare the Database
First, you need a table to save the notifications. Use this command to create a migration file:

php artisan notifications:table

Then, run the migration to create the table named notifications in your database:
php artisan migrate

Make Your Admin Model Notifiable By default, Laravel's User model is already notifiable. But if you have a separate Admin model, you need to add the Notifiable trait to it. This gives the Admin model the superpower to receive notifications.

Create the Notification class
Next, create the notification class that will define the content. This example will create a notification for when a new user signs up.
php artisan make:notification NewUserRegisteredNotification

Open the new file app/Notifications/NewUserRegisteredNotification.php.

<?php

namespace App\Notifications;

use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Notifications\Notification;

class NewUserRegisteredNotification extends Notification
{
    use Queueable;
    public $user;

    public function __construct($newUser)
    {
        $this->user = $newUser;
    }

    public function via(object $notifiable): array
    {
        return ['database'];
    }


    // public function toMail(object $notifiable): MailMessage
    // {
    //     return (new MailMessage)
    //         ->line('The introduction to the notification.')
    //         ->action('Notification Action', url('/'))
    //         ->line('Thank you for using our application!');
    // }


    public function toArray(object $notifiable): array
    {
        return [
            "name"    => $this->user->name,
            "email"   => $this->user->email,
            "message" => "new user registered",
        ];
    }
}

__construct()
This function is the "constructor" of the class. You use it to pass any data that the notification needs before it's sent.

via(object $notifiable): array
This function determines the channels the notification will be sent through. It simply returns an array with the names of the channels you want to use, like mail, database, or slack.

toMail(object $notifiable): MailMessage
This function is specifically for email notifications. If the via() function returns mail, this function will be used to build the email message. Here, you define the subject, the body text, and any buttons that will appear in the email.

toArray(object $notifiable): array
This function is a generic way to convert the notification into an array. It's used by different channels, like database and broadcast, to either save the notification or send it as data.

We want to store this notification in the database, so we'll use the database channel and define the data to be stored.

calling notification

If you have just one admin to notify.

public function store(Request $request): RedirectResponse
    {
        $request->validate([
            'name' => ['required', 'string', 'max:255'],
            'email' => ['required', 'string', 'email', 'max:255', 'unique:' . User::class],
            'password' => ['required', 'confirmed', Rules\Password::defaults()],
        ]);

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
        ]);

        event(new Registered($user));

        $admin = Admin::find(1);
        $admin->notify(new NewUserRegisteredNotification($user));

        Auth::login($user);

        return redirect(RouteServiceProvider::HOME);
    }

register form
notifications table

you can use another way
Notification::send($admin, new NewUserRegisteredNotification($user));

displaying notification

<li class="nav-item nav-notif">
            <a class="nav-link text-muted my-2 notificationIcon" href="./#" data-toggle="modal"
                data-target=".modal-notif">
                <span class="fe fe-bell fe-16"></span>
                <span class="dot dot-md text-danger"
                    id="notificationIconCounter">{{ count(Auth::guard('admin')->user()->unreadNotifications) }}</span>
            </a>
        </li>
        {{-- Notification Modal --}}
        <div class="modal fade modal-notif modal-slide" tabindex="-1" role="dialog"
            aria-labelledby="defaultModalLabel" aria-hidden="true">
            <div class="modal-dialog modal-sm" role="document">
                <div class="modal-content">
                    <div class="modal-header">
                        <h5 class="modal-title" id="defaultModalLabel">Notifications</h5>
                        <button type="button" class="close" data-dismiss="modal" aria-label="Close">
                            <span aria-hidden="true">&times;</span>
                        </button>
                    </div>
                    <div class="modal-body" id="notificationIconModal">
                        @if (count(Auth::guard('admin')->user()->notifications) > 0)
                            <div class="list-group list-group-flush my-n3">
                                @foreach (Auth::guard('admin')->user()->notifications->take(5) as $notification)
                                    <div
                                        class="list-group-item @if ($notification->unread()) bg-light @else bg-transparent @endif ">
                                        <div class="row align-items-center">
                                            <div class="col-auto">
                                                <span class="fe fe-box fe-24"></span>
                                            </div>
                                            <div class="col">
                                                {{-- <small><strong>Package has uploaded successfull</strong></small> --}}
                                                <div class="my-0 text-muted small">
                                                    {{ $notification->data['message'] }}
                                                </div>
                                                <small
                                                    class="badge badge-pill badge-light text-muted">{{ $notification->created_at->diffForHumans() }}</small>
                                            </div>
                                        </div>
                                    </div>
                                @endforeach
                            </div>
                        @endif <!-- / .list-group -->
                    </div>
                    <div class="modal-footer" id="clearNotification">
                        <button type="button" class="btn btn-secondary btn-block" data-dismiss="modal">Clear
                            All</button>
                    </div>
                </div>
            </div>
        </div>

<script>
    $("document").ready(function() {
        // mark all notifications to read
        $(document).on('click', ".notificationIcon", function() {
            $.ajax({
                url: {{ Illuminate\Support\Js::from(route('admin.notifications.read')) }},
                method: 'get',
                success: function(data) {
                    $("#notificationIconCounter").load(" #notificationIconCounter > *");
                    $("#notificationIconModal").load(" #notificationIconModal > *");
                },
                error: function() {
                    alert("please try again");
                }
            });
        });



        // clear all notification
        $(document).on('click', "#clearNotification", function() {
            $.ajax({
                url: {{ Illuminate\Support\Js::from(route('admin.notifications.clear')) }},
                method: 'get',
                success: function(data) {
                    $("#notificationIconCounter").load(" #notificationIconCounter > *");
                    $("#notificationIconModal").load(" #notificationIconModal > *");
                },
                error: function() {
                    alert("please try again");
                }
            });
        });
    });
</script>

basic configurations
Before broadcasting any events, you will first need to register the App\Providers\BroadcastServiceProvider. In new Laravel applications, you only need to uncomment this provider in the providers array of your config/app.php configuration file. This BroadcastServiceProvider contains the code necessary to register the broadcast authorization routes and callbacks.

The config/broadcasting.php file is the central configuration hub for Laravel's broadcasting system. Its main role is to tell Laravel which broadcasting service to use and how to connect to it.

Getting Started with broadcast driver (Pusher):

These are the simple steps to set up your account and get your API keys.

Create Your Pusher Account
Go to the Pusher website (pusher.com).
Choose a Pusher Product
After signing up, you'll be asked to choose a product.

Select Channels (this is the service used for Laravel's real-time events).

Create a New Application You'll be prompted to Create a New App. Name your app (e.g., laravel-broadcast-app). Select a Cluster (a server region, like eu or us2)—choose one closest to your users for better performance.

Get Your App Keys Once the app is created, you'll be taken to the App Keys section

Copy these keys. You will need to paste them into your Laravel project's .env file to connect your application to Pusher.

Creating a Broadcast Event

1- Generate the Event Class
First, you need to create a new Event class using the Artisan command. We'll name this event NewUserRegisteredEvent.
php artisan make:event NewUserRegisteredEvent

This command creates a new file at app/Events/NewUserRegisteredEvent.php.

2- Implement the Broadcast Interface
Open the newly created file (app/Events/NewUserRegisteredEvent.php). To make any event broadcastable, its class must implement the ShouldBroadcast interface.

Use the Interface: Add use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
Implement: Add implements ShouldBroadcast to the class definition.

public function broadcastOn(): array
{
    return [
        new Channel('new_user_channel'),
    ];
}

The core function of broadcastOn() is to determine and specify the channel(s) that the event's data will be published to via the broadcasting driver.

channels types

public : all users & guests (no Auth required).
private : Auth users only (any guard).
presence : Auth users only (any guard) , awareness of who is
subscribed to this channel.

3- Dispatch the Event
Finally, you need to fire the event from your Laravel code (e.g., from a Controller after a user register).

These two lines of code are the ways you trigger (or "fire") the broadcasting process for your event in Laravel.


    public function store(Request $request): RedirectResponse
    {
        $request->validate([
            'name' => ['required', 'string', 'max:255'],
            'email' => ['required', 'string', 'email', 'max:255', 'unique:' . User::class],
            'password' => ['required', 'confirmed', Rules\Password::defaults()],
        ]);

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
        ]);

        event(new Registered($user));

        $admin = Admin::find(1);
        // $admin->notify(new NewUserRegisteredNotification($user));
        Notification::send($admin, new NewUserRegisteredNotification($user));


        // trigger (or "fire") the broadcasting process
        NewUserRegisteredEvent::dispatch($user);
        // broadcast(new NewUserRegisteredEvent($user));

        Auth::login($user);
        return redirect(RouteServiceProvider::HOME);
    }

recievers

pusher
Laravel Echo

using pusher

1- Install the Pusher PHP SDK

laravel pusher documentation

composer require pusher/pusher-php-server

pusher reciever

Subscribe to events on the client.

  <script src="https://js.pusher.com/8.2.0/pusher.min.js"></script>
    <script>
        // Enable pusher logging - don't include this in production
        Pusher.logToConsole = false;

        var pusher = new Pusher("{{ env('PUSHER_APP_KEY') }}", {
            cluster: 'eu'
        });

        var channel = pusher.subscribe('new_user_channel');
        channel.bind('App\\Events\\NewUserRegisteredEvent', function(data) {
            console.log(data['message']);
            let currentCount = parseInt($("#notificationIconCounter").text()) || 0;
            let newCount = currentCount + 1;
            $("#notificationIconCounter").text(newCount);
        });
    </script>

-You will need to update your Laravel project's .env file BROADCAST_DRIVER=pusher.

test your code:

using Laravel Echo

Laravel Echo is a JavaScript library that makes it painless to subscribe to channels and listen for events broadcast by your server-side broadcasting driver. You may install Echo via the NPM package manager.

To successfully switch to Laravel Echo, you must comment out or remove the direct Pusher client initialization script from your HTML or Blade files.

1- install package
npm install --save-dev laravel-echo pusher-js

2- Configure .env
Add your Pusher credentials (Keys, Secret, and Cluster) to your .env file.

BROADCAST_DRIVER=pusher
PUSHER_APP_ID=YOUR_APP_ID
PUSHER_APP_KEY=YOUR_APP_KEY
PUSHER_APP_SECRET=YOUR_APP_SECRET
PUSHER_APP_CLUSTER=eu or mt1 or ap2

3- Configure Echo
Open the file resources/js/bootstrap.js (or app.js) and uncomment the Echo block, using your .env variables via the VITE_ prefix:

4- Load the compiled and necessary assets for the primary entry point file located at resources/js/app.js."

In Development run npm run dev
In Production run npm run build

5- Listening for Events
you are ready to start listening for events that are broadcast from your Laravel application. First, use the channel method to retrieve an instance of a channel, then call the listen method to listen for a specified event.

update this example using private channel

1- event

<?php

namespace App\Events;

use App\Models\User;
use Illuminate\Broadcasting\Channel;
use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PresenceChannel;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Auth;

class NewUserRegisteredEvent implements ShouldBroadcast
{
    use Dispatchable, InteractsWithSockets, SerializesModels;

    public $message;

    public function __construct(public User $user)
    {
        $this->message = "new user registered called $user->name";
    }

    // public channel
    // public function broadcastOn(): array
    // {
    //     return [
    //         new Channel('new_user_channel'),
    //     ];
    // }

    // private channel
    public function broadcastOn(): array
    {
        return [
            new PrivateChannel('new_user_channel'),
        ];
    }
}

2- bootstap.js

import Echo from 'laravel-echo';

import Pusher from 'pusher-js';

window.Pusher = Pusher;

window.Echo = new Echo({
    broadcaster: 'pusher',
    key: import.meta.env.VITE_PUSHER_APP_KEY,
    cluster: import.meta.env.VITE_PUSHER_APP_CLUSTER ?? 'mt1',
    wsHost: import.meta.env.VITE_PUSHER_HOST ? import.meta.env.VITE_PUSHER_HOST : `ws-${import.meta.env.VITE_PUSHER_APP_CLUSTER}.pusher.com`,
    wsPort: import.meta.env.VITE_PUSHER_PORT ?? 80,
    wssPort: import.meta.env.VITE_PUSHER_PORT ?? 443,
    forceTLS: (import.meta.env.VITE_PUSHER_SCHEME ?? 'https') === 'https',
    enabledTransports: ['ws', 'wss'],
});

 // private
   window.Echo.private('new_user_channel')
    .listen('NewUserRegisteredEvent', (e) => {
        console.log(e);

         let currentCount = parseInt($("#notificationIconCounter").text()) || 0;
         let newCount = currentCount + 1;
         $("#notificationIconCounter").text(newCount);
    });

3- authorization

the boot() method in the BroadcastServiceProvider activates the entire authorization layer for your private real-time channels. Without it, your private channels would not work because clients couldn't be authenticated to listen.

route/channels.php

a. Broadcast::channel('new_user_channel', ...)
Broadcast::channel(): This static method tells Laravel's broadcasting system to register a new authorization rule for the channel specified in the first argument, 'new_user_channel'.

b. The Authorization Callback (function ($user) { ... })
This is the function that performs the actual security check.

$user: This variable automatically contains the authenticated user model attempting to subscribe to the channel.

return $user->type == "super_admin";: It returns true only if the authenticated user's type attribute matches the string "super_admin".

If it returns true: The user is authorized, and the broadcasting service allows them to subscribe.

If it returns false: The user is denied access, and the subscription request fails with a 403 Forbidden error.

c. Guard Specification (['guards' => ['admin']])
this is an optional security enhancement that specifies which authentication guard(s) should be used to retrieve the authenticated user.

example using presence channel

All presence channels are also private channels; therefore, users must be authorized to access them. However, when defining authorization callbacks for presence channels, you will not return true if the user is authorized to join the channel. Instead, you should return an array of data about the user.

steps Who's Online for Admins

This example allows any admin to see which other admins are currently viewing the dashboard in real-time.

1- Generate the Event Class
php artisan make:event NewAdminRoomEvent

2- Implement the Broadcast Interface

3-Dispatch the Event

 public function store(AdminLoginRequest $request)
    {
        $request->authenticate('admin');

        $request->session()->regenerate();

        // fire broadcast event
        NewAdminRoomEvent::dispatch();

        return \to_route('admin.index');
    }

4-Listening for Events using laravel echo


  // presence
   window.Echo.join(`admin-room-channel`)
    .here((users) => {
         console.log("here");
        console.log(users);
    })
    .joining((user) => {
        console.log("joining");
        console.log(user);
    })
    .leaving((user) => {
        console.log("leaving");
        console.log(user);
    })
    .error((error) => {
        console.error("error");
        console.log(user);
    });

The Channel Class

A Channel Class moves your channel authorization logic from the routes/channels.php file into a dedicated PHP class. This follows Laravel's philosophy of separation of concerns.

The Steps to Create a Channel Class (3 Steps)
Step 1: Create the Class
Use the Artisan command-line tool to generate a new Channel Class. We'll use 'new user' scenario as an example:

php artisan make:channel NewUserChannel

This command will create a file at app/Broadcasting/NewUserChannel.php.

Step 2: Implement the Authorization Logic
Open the newly created file (app/Broadcasting/NewUserChannel.php). You'll find a single method, join. This is where you put your authorization logic.

<?php

namespace App\Broadcasting;

use App\Models\Admin;

class NewUserChannel
{

    public function __construct()
    {
        //
    }


    public function join(Admin $admin): array|bool
    {
        return $admin->type == "super_admin";
    }
}

Step 3: Register the Class in Routes
Now, open your channel routes file (routes/channels.php). Instead of using a closure (anonymous function), you register the class using the static ::class syntax.

Your original code:

Broadcast::channel('new_user_channel', function ($user) {
    return $user->type == "super_admin";
}, ['guards' => ['admin']]);

Becomes:

use Illuminate\Support\Facades\Broadcast;

Broadcast::channel('new_user_channel', NewUserChannel::class , ['guards' => ['admin']]);

The Benefit of Using a Channel Class 🌟

Broadcast Event Options

broadcastas()
broadcastWith()
broadcastWhen()

1- The broadcastAs() Method: Custom Event Naming
When an event is broadcast, Laravel automatically sends it with the class name (e.g., App\Events\UserRegistered).

You can override this default name using the broadcastAs() method:


    public function broadcastAs(): string
    {
        return 'New_User_Registered_Event';
    }

Frontend Listener: On the client side, you then listen using the custom name, preceded by a dot (.):


window.Echo.channel('new_user_channel')
    .listen(".New_User_Registered_Event", (e) => {
        console.log(e);

         let currentCount = parseInt($("#notificationIconCounter").text()) || 0;
         let newCount = currentCount + 1;
         $("#notificationIconCounter").text(newCount);
    });

2- The broadcastWith() Method: Controlling Data
By default, Laravel broadcasts all the public properties of your Event class. However, you often don't want to expose all data.

To control exactly which data is sent , you can define the broadcastWith() method:

 public $message;

    public function __construct(public User $user)
    {
        $this->message = "new user registered called $user->name";
    }

public function broadcastWith(): array
    {
        return [
            'name' => $this->user->name,
            'email' => $this->user->email,
        ];
    }

3- The broadcastWhen() method in a Laravel Event class lets you define a condition that must be true for the event to be broadcast at all. If the method returns false, the event won't be broadcast to any listeners, saving processing time and resources.

 public function broadcastWhen(): bool
    {
        return $this->user->name === 'ashrakt';
    }

model broadcasting

You use Model Broadcasting when you need a real-time notification specifically because an Eloquent model was directly created, updated, or deleted in the database.

Here are the steps for setting up Model Broadcasting for the Post model to handle Create, Update, and Delete events, covering both the backend (Laravel) and frontend (JavaScript) configurations.

Laravel Backend

The Post Model (app/Models/Post.php)

<?php

namespace App\Models;

use App\Models\User;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
use Illuminate\Broadcasting\Channel;
use Illuminate\Database\Eloquent\BroadcastsEvents;


class Post extends Model
{
    use BroadcastsEvents;
    protected $fillable = ['user_id', 'title', 'body'];


    public function user(): BelongsTo
    {
        return $this->belongsTo(User::class);
    }


    public function broadcastOn(): array
    {
        return [
            new Channel('posts'),
        ];
    }


    public function broadcastAs(string $event): string
    {
        // This will produce: 'post.created', 'post.updated', or 'post.deleted'
        return 'post.' . $event;
    }


    public function broadcastWith(): array
    {
        return [
            'id' => $this->id,
            'title' => $this->title,
            'user_name' => $this->user->name ?? 'N/A',
            'updated_at' => $this->updated_at->diffForHumans(),
        ];
    }
}

<?php

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Auth;

class PostController extends Controller
{

    public function index()
    {
        $posts = Post::all();
        return view('posts.index', compact('posts'));
    }


    public function store(Request $request)
    {
        $validated = $request->validate([
            'title' => 'required|string|max:150',
            'body' => 'required|string',
        ]);

        $post = Post::create([
            'user_id' => Auth::id(),
            'title' => $validated['title'],
            'body' => $validated['body'],
        ]);

        return redirect()->route('posts.index')->with('success', 'تم إنشاء المنشور بنجاح.');
    }

    public function edit(Post $post)
    {
        return view('posts.edit', compact('post'));
    }

    public function update(Request $request, Post $post)
    {
        $validated = $request->validate([
            'title' => 'required|string|max:150',
            'body' => 'required|string',
        ]);

        if (Auth::id() !== $post->user_id) {
            return back()->with('error', 'ليس لديك صلاحية لتعديل هذا المنشور.');
        }

        $post->update($validated);

        return redirect()->route('posts.index')->with('success', 'تم تحديث المنشور بنجاح.');
    }


    public function destroy(Post $post)
    {
        if (Auth::id() !== $post->user_id) {
            return back()->with('error', 'ليس لديك صلاحية لحذف هذا المنشور.');
        }

        $post->delete();

        return redirect()->route('posts.index')->with('success', 'تم حذف المنشور بنجاح.');
    }
}

*Frontend Configuration (JavaScript/Echo) *

You must set up Laravel Echo to listen to the common channel ('posts') and handle each specific event type differently.

Echo Listener Setup (Your Blade View or JS File) This JavaScript code listens for all three distinct events (.post.created, .post.updated, .post.deleted).

bootstrap.js file


import Echo from 'laravel-echo';

import Pusher from 'pusher-js';

window.Pusher = Pusher;

window.Echo = new Echo({
    broadcaster: 'pusher',
    key: import.meta.env.VITE_PUSHER_APP_KEY,
    cluster: import.meta.env.VITE_PUSHER_APP_CLUSTER ?? 'mt1',
    wsHost: import.meta.env.VITE_PUSHER_HOST ? import.meta.env.VITE_PUSHER_HOST : `ws-${import.meta.env.VITE_PUSHER_APP_CLUSTER}.pusher.com`,
    wsPort: import.meta.env.VITE_PUSHER_PORT ?? 80,
    wssPort: import.meta.env.VITE_PUSHER_PORT ?? 443,
    forceTLS: (import.meta.env.VITE_PUSHER_SCHEME ?? 'https') === 'https',
    enabledTransports: ['ws', 'wss'],
});


// model broadcasting

        // Listen to the common public channel 'posts'
window.Echo.channel('posts')
    // A. LISTEN FOR CREATE EVENT (post.created)
    .listen(".post.created", (event) => {
                console.log('New Post Created:', event.title);
    // B. LISTEN FOR UPDATE EVENT (post.updated)
    }).listen('.post.updated', (event) => {
                console.log('Post Updated:', event.id, event.title);
    })
    // C. LISTEN FOR DELETE EVENT (post.deleted)
   .listen('.post.deleted', (event) => {
                console.log('Post Deleted:', event.id);
    });

-create post

-update post

-delete post

Authorization in Laravel

ashrakt — Wed, 03 Sep 2025 14:46:09 +0000

What Is Authorization?
First, think about a website with different types of users, like a regular user and an admin. Authorization is the system that checks what a logged-in user is allowed to do.
Authorization happens after a user has already logged in and been authenticated (proven who they are).

In Laravel, authorization is the process of determining if a user has permission to perform a specific action.

Laravel provides two main tools for this: Gates and Policies.

1) Gates are the simplest way to check a user's permissions. They are perfect for general permissions that don't relate to a specific data item (model). For example, checking if a user is an "admin" or "editor".

I- How to Use a Gate
Open the app/Providers/AuthServiceProvider.php file and define your gate inside the boot() method.
You define a Gate in your app/Providers/AuthServiceProvider.php file. It's a simple function that returns true or false.

Here, access-admin-panel is the name of the gate, and the function inside checks if the user's is_admin property is true.

II- Use the Gate
You can use the gate anywhere in your application, like in a Controller or a Blade view.

In a Controller:

2) Policies
Policies are used for more specific permissions that are tied to a particular data model. They are the best way to manage permissions for actions like "updating a post" or "deleting a post".

Let's say you want to allow a user to only update the posts they have created themselves.

I- Create the Policy:
Use the Artisan command to create a policy for your Post model.

php artisan make:policy PostPolicy --model=Post

This command creates a new file at app/Policies/PostPolicy.php with built-in methods like view, create, update, and delete.

II- Write the Policy Logic:
In PostPolicy.php, add your logic to the update method to check if the user is the owner of the post.

The update method receives the User and the Post, returns true only if the user's ID matches the post's user_id.

III- Register the Policy:

Tell Laravel to use this policy for the Post model in app/Providers/AuthServiceProvider.php.

IIII- Use the Policy:

-In a Controller:

if the policy return true

if return false

Spatie Laravel Permission package:

If you need to manage different user roles (admin, editor, subscriber,...) and assign permissions to those roles.
When you have many permissions (create posts, edit posts, delete posts, publish posts, unpublish posts), managing them in a Policy becomes repetitive. Packages allow you to define and manage these permissions in the database, making them easier to add, remove, and assign.
If your application needs to allow an admin to create and manage custom roles and permissions through a user interface, a package is a must. Policies are static PHP classes that must be updated manually by a developer. A package stores all permissions in the database, allowing for dynamic management without touching the code.
---------------------------------------------

how to use:

I- Install the Package

composer require spatie/laravel-permission

After the package is installed, you need to publish the migration file and run it to create the necessary database tables.

php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" --tag="permission-migrations"
php artisan migrate

This will create new tables:

permissions: This table stores all your permissions (e.g., edit posts, delete users).
roles: This table stores all your roles (e.g., admin, writer, subscriber).
model_has_permissions: This is a pivot table that links users directly to permissions. This allows you to give a user a permission without assigning them a role.
model_has_roles: This is a pivot table that links users to roles. A user can have many roles, and a role can be assigned to many users.
role_has_permissions: This is a pivot table that links roles to permissions. It allows a role to have many permissions and a permission to be assigned to many roles.

II- Prepare the User Model
Open the app/Models/User.php file and add the HasRoles trait.

III- Create Roles and Permissions
you need to create your roles and permissions. You can do this with a seeder file.

Run this command to make a seeder:

php artisan make:seeder RolesAndPermissionsSeeder

Open the new seeder file at database/seeders/RolesAndPermissionsSeeder.php and add your code to create roles like admin and permissions like edit posts.

After you write the code, run the seeder:

php artisan db:seed --class=RolesAndPermissionsSeeder

-permissions table

-roles table

-role_has_permissions table

-model_has_roles table

IIII- Use Permissions in Your API

Go to your routes/api.php file. You can protect a route by adding the permission or role middleware. This middleware checks the user's permissions before the code even runs.

The 'auth:sanctum' part makes sure the user is logged in first. The 'permission:...' part then checks if they have the right to do that action.

you need to register the role and permission middleware aliases.
Open the app/Http/Kernel.php file in your project.
Find the $middlewareAliases array.
Add the following two lines to the array. They link the middleware aliases to the correct classes from the Spatie package.

if user writer :

if admin :

You can also check permissions inside controller.

If the authenticated user doesn't have edit posts permission.

else

if you have both admin and writer roles that should have the same edit permission, the best way to protect your API is with a single middleware check on the route.

You should use your code (specifically, a seeder) for the initial setup of your main roles and permissions.
However, for managing roles and permissions daily from a UI, you should not edit your code. Instead, you'll manage everything through a dedicated API. This is one of the main reasons to use a package like Spatie.

Managing from a UI via an API

Here’s a simple example of what a controller method for your API would look like to assign a role to a user based on a UI request.

I- api

II- Update User's Role

III- Update Role's Permissions

IIII- Update User's Permissions

model_has_permissions table

thanks...

Laravel Export and download Excel File

ashrakt — Sat, 28 Sep 2024 20:31:41 +0000

1: Install maatwebsite/excel Package :

composer require maatwebsite/excel

2: php artisan vendor:publish --provider="Maatwebsite\Excel\ExcelServiceProvider" --tag=config

3: php artisan make:export UsersExport --model=User


<?php

namespace App\Exports;

use App\Models\User;
use Maatwebsite\Excel\Concerns\WithStyles;
use Maatwebsite\Excel\Concerns\WithHeadings;
use Maatwebsite\Excel\Concerns\FromCollection;
use Maatwebsite\Excel\Concerns\WithColumnWidths;
use PhpOffice\PhpSpreadsheet\Worksheet\Worksheet;
use Maatwebsite\Excel\Concerns\WithMapping;


class UsersExport implements FromCollection, WithHeadings, WithStyles  ,WithMapping ,WithColumnWidths
{

    public function collection()
    {
        return User::select("id", "name", "email")->get();

    }


 public function map($user): array
    {   
        return [
            $user->id,
            $user->name,
            $user->email,
        ];
    }


    public function headings(): array
    {
        return ["ID", "Name", "Email"];
    }




     public function columnWidths(): array
    {
        return [
            'A' => 5, 
            'B' => 5,
            'C' => 12, 
        ];
    }


    public function styles(Worksheet $sheet)
    {
        return [
            // Apply styles to the first row (headers)
            1 => [
                'font' => [
                    'bold' => true,
                    'color' => ['rgb' => '80000F'],
                    'size' => 12,
                ],
                'fill' => [
                    'fillType' => \PhpOffice\PhpSpreadsheet\Style\Fill::FILL_SOLID,
                    'startColor' => ['rgb' => 'EFE1E3'],
                ],
            ],
        ];
    }
}

5: Create Controller

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Maatwebsite\Excel\Facades\Excel;
use App\Models\User;
use App\Exports\UsersExport;
use Carbon\Carbon;
use Illuminate\Support\Facades\Response;


class UserController extends Controller
{

 public function downloadUser()
    {
        $currentDate = Carbon::now()->format('Y-m-d'); 

        $fileName = 'users_' . $currentDate . '.xlsx';

        Excel::store(new UsersExport, 'exports/' . $fileName);

        $filePath = storage_path('app/exports/' . $fileName);

        if (file_exists($filePath)) {

             $headers = array('Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet');

        return Response::download( $filePath, $fileName , $headers)->deleteFileAfterSend(true);

         }
    }
}

integrate Google Maps into a Laravel application using JavaScript

ashrakt — Mon, 06 May 2024 11:46:36 +0000

place controller

<?php

namespace App\Http\Controllers;

use App\Models\Place;
use Illuminate\Http\Request;

class PlaceController extends Controller
{
    public function index()
    {
        $places = Place::all();

        return view('places.index', compact('places'));
    }

    public function create()
    {
        return view('places.create');
    }

    public function store(Request $request)
    {
        // Validate the request data as per your requirements
        $validatedData = $request->validate([
            'name' => 'required',
            'latitude' => 'required',
            'longitude' => 'required',
        ]);

        Place::create($validatedData);

        return redirect()->route('places.index')->with('success', 'Location created successfully');
    }

    public function show(Place $place)
    {
        return view('places.show', compact('place'));
    }
}

index blade

@extends('layouts.app')

@section('content')

<a href="{{ route('places.create') }}" class="btn btn-primary mt-5 ml-5">Add Location</a>

<div class="container d-flex justify-content-center">
    <table class="table mt-1" style="width:60%">
        <thead>
            <tr>
                <th>Name</th>
                <th>Latitude</th>
                <th>Longitude</th>
                <th>Actions</th>
            </tr>
        </thead>
        <tbody>
            @foreach ($places as $place)
            <tr>
                <td>{{ $place->name }}</td>
                <td>{{ $place->latitude }}</td>
                <td>{{ $place->longitude }}</td>
                <td>
                    <a href="{{ route('places.show', $place->id) }}" class="btn btn-primary">View</a>
                </td>
            </tr>
            @endforeach
        </tbody>
    </table>
</div>
@endsection

create blade

@extends('layouts.app')

@section('content')
<h3 class="text-center m-3">Add Location</h3>

<div class="container">
    <form id="location-form" action="{{ route('places.store') }}" method="POST">
        @csrf
        <input type="hidden" name="latitude" id="latitude" required>
        <input type="hidden" name="longitude" id="longitude" required>

        <div class="form-group">
            <label for="place">Place</label>
            <input type="text" id="place" name="name" class="form-control" placeholder="Search for a place" required>
        </div>

        <button type="submit" class="btn btn-primary mb-3">Save</button>
    </form>

    <div id="map" style="height: 300px;"></div>

</div>

<script src="https://maps.googleapis.com/maps/api/js?key={{ env('GOOGLE_MAPS_API_KEY') }}&libraries=places&callback=initMap" async defer></script>
<script>
    function initMap() {
        var map = new google.maps.Map(document.getElementById('map'), {
            center: {
                lat: 0,
                lng: 0
            },
            zoom: 2
        });

        var input = document.getElementById('place');
        var searchBox = new google.maps.places.SearchBox(input);

        map.addListener('bounds_changed', function() {
            searchBox.setBounds(map.getBounds());
        });

        var marker;

        searchBox.addListener('places_changed', function() {
            var places = searchBox.getPlaces();

            if (places.length === 0) {
                return;
            }

            var bounds = new google.maps.LatLngBounds();

            places.forEach(function(place) {
                if (!place.geometry) {
                    console.log("Returned place contains no geometry");
                    return;
                }

                if (marker) {
                    marker.setMap(null);
                }

                marker = new google.maps.Marker({
                    map: map,
                    position: place.geometry.location,
                    draggable: true
                });

                google.maps.event.addListener(marker, 'dragend', function(event) {
                    document.getElementById('latitude').value = event.latLng.lat();
                    document.getElementById('longitude').value = event.latLng.lng();
                });

                google.maps.event.addListener(map, 'click', function(event) {
                    marker.setPosition(event.latLng);
                    document.getElementById('latitude').value = event.latLng.lat();
                    document.getElementById('longitude').value = event.latLng.lng();
                });

                if (place.geometry.viewport) {
                    bounds.union(place.geometry.viewport);
                } else {
                    bounds.extend(place.geometry.location);
                }
            });

            map.fitBounds(bounds);
        });
    }
</script>
@endsection

show blade

@extends('layouts.app')

@section('content')

<div class="container d-flex justify-content-center mt-5">
    <table class="table mt-3" style="width:50%">
        <tbody>
            <tr>
                <th>Name</th>
                <td>{{ $place->name }}</td>
            </tr>
            <tr>
                <th>Latitude</th>
                <td>{{ $place->latitude }}</td>
            </tr>
            <tr>
                <th>Longitude</th>
                <td>{{ $place->longitude }}</td>
            </tr>
        </tbody>
    </table>
    <div class="container d-flex justify-content-center mt-3">
        <div class="d-flex justify-content-center" id="map" style="height: 300px;width:50%;" data-latitude="{{ $place->latitude }}" data-longitude="{{ $place->longitude }}"></div>
    </div>
</div>

<script>
    function initMap() {
        var latitude = document.getElementById('map').dataset.latitude;
        var longitude = document.getElementById('map').dataset.longitude;
        var location = {
            lat: parseFloat(latitude),
            lng: parseFloat(longitude)
        };

        var map = new google.maps.Map(document.getElementById('map'), {
            center: location,
            zoom: 12
        });

        var marker = new google.maps.Marker({
            map: map,
            position: location
        });
    }
</script>

<script src="https://maps.googleapis.com/maps/api/js?key={{ env('GOOGLE_MAPS_API_KEY') }}&callback=initMap" async defer></script>

@endsection

Social Login with Laravel Socialite (Google , facebook , github)

ashrakt — Sat, 06 Apr 2024 13:34:15 +0000

Laravel Socialite is an official Laravel package that provides a simple and convenient way to authenticate users with third-party services, such as Facebook, GitHub, Google, Twitter, and more. It abstracts the complexities of the OAuth authentication process and provides a unified API for authentication with various social platforms.

create a new Laravel project via Composer's create-project
$ composer create-project laravel/laravel:^10.0 SocialLogin
Step 1: Install Laravel Socialite
Start by installing Laravel Socialite via Composer. Open your terminal and navigate to your Laravel project directory, then run the following command:
composer require laravel/socialite

Step 2: Socialite Providers
SocialiteProviders is a collection of OAuth 1 & 2 packages that extend Laravel Socialite.
The Observer Pattern is used by the Manager package to extend Socialite.
This allows numerous providers to be used in addition to the ones provided by Laravel Socialite

Google ,facebook ,github provider
1:
composer require socialiteproviders/google
composer require socialiteproviders/facebook
composer require socialiteproviders/github
2:Add configuration to config/services.php



'google' => [    
  'client_id' => env('GOOGLE_CLIENT_ID'),  
  'client_secret' => env('GOOGLE_CLIENT_SECRET'),  
  'redirect' => 'auth/google/callback'
],
'facebook' => [    
  'client_id' => env('FACEBOOK_CLIENT_ID'),  
  'client_secret' => env('FACEBOOK_CLIENT_SECRET'),  
  'redirect' => env('FACEBOOK_REDIRECT_URI') 
],
'github' => [    
  'client_id' => env('GITHUB_CLIENT_ID'),  
  'client_secret' => env('GITHUB_CLIENT_SECRET'),  
  'redirect' => env('GITHUB_REDIRECT_URI') 
],

3:Configure google API credentials

click
sava and continue
back to dashboard

4:add your client id and secret in env



GOOGLE_CLIENT_ID=##########
GOOGLE_CLIENT_SECRET=##########
GOOGLE_REDIRECT_URI=##########

GITHUB_CLIENT_ID=##########
GITHUB_CLIENT_SECRET=##########
GITHUB_REDIRECT_URI=##########

FACEBOOK_CLIENT_ID=##########
FACEBOOK_CLIENT_SECRET=##########
FACEBOOK_REDIRECT_URI=##########

5:create Social Login Controller
php artisan make:Controller Auth/SocialLoginController
6:web




Route::get('login', [LoginController::class, 'loginCreate']);
Route::post('login', [LoginController::class, 'login'])->name('login');

Route::get('auth/{provider}/redirect', [SocialLoginController::class , 'redirect'])->name('auth.socialite.redirect');
Route::get('auth/{provider}/callback', [SocialLoginController::class , 'callback'])->name('auth.socialite.callback');

Route::middleware("auth")->group(function () {
    Route::get('/', function () {
        return 'welcome ';
    })->name('home');
});

7:update user table
php artisan make:migration add_social_provider_columns_to_users_table



   public function up(): void
    {
        Schema::table('users', function (Blueprint $table) {
            $table->string('provider_name')->nullable();
            $table->string('provider_id')->nullable();
            $table->string('provider_token',500)->nullable();
        });
    }


    public function down(): void
    {
        Schema::table('users', function (Blueprint $table) {
            $table->dropColumn(['provider_name', 'provider_id', 'provider_token']);
        });
    }

8:update User model




class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable;

    protected $fillable = [
        'name',
        'email',
        'password',
        'provider_name',
        'provider_id',
    ];


    protected $hidden = [
        'password',
        'remember_token',
        'provider_token'

    ];


    protected $casts = [
        'email_verified_at' => 'datetime',
        'password' => 'hashed',
    ];

    public function setProviderTokenAttribute($value){
        return $this->attributes['provider_token'] = Crypt::crypt($value);
    }

    public function getProviderTokenAttribute($value)
    {
        return Crypt::decrypt($value);
    }
}

9:Social Login Controller



<?php

namespace App\Http\Controllers\Auth;

use App\Models\User;
use Illuminate\Support\Str;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Laravel\Socialite\Facades\Socialite;
use Nette\Utils\Random;

class SocialLoginController extends Controller
{
    public function redirect($provider)
    {
        return Socialite::driver($provider)->redirect();
    }

    public function callback($provider)
    {
        $user = Socialite::driver($provider)->user();
        $existingUser = User::where('email', $user->email)->first();
        // dd($user);
        if ($existingUser) {
            Auth::login($existingUser);
        } else {

            User::create([
                'name'          => $user->name,
                'email'         => $user->email,
                'password'      => Hash::make(Str::random(8)),
                'provider_name' => $provider,
                'provider_id'   => $user->id,
                'provider_token' => $user->token
            ]);
        }
        return view('welcome');
    }
}

10:login.blade.php



  <section class="vh-100">
    <div class="container-fluid h-custom">
        <div class="row d-flex justify-content-center align-items-center h-100">
            <div class="col-md-9 col-lg-6 col-xl-5">
                <img src="https://mdbcdn.b-cdn.net/img/Photos/new-templates/bootstrap-login-form/draw2.webp" class="img-fluid" alt="Sample image">
            </div>
            <div class="col-md-8 col-lg-6 col-xl-4 offset-xl-1">
                <div class="d-flex flex-row align-items-center justify-content-center justify-content-lg-start row mt-5">
                    <div class="col-5">
                        <p class="lead fw-normal mb-0 me-3">Sign in with</p>
                    </div>

                    <div class="col-2">
                        <a href="{{route('auth.socialite.redirect','google')}}">
                            <i class="fab fa-google"></i>
                        </a>
                    </div>

                    <div class="col-2">
                        <a href="{{route('auth.socialite.redirect','facebook')}}">
                            <i class="fab fa-facebook"></i>
                        </a>
                    </div>

                    <div class="col-2">
                        <a href="{{route('auth.socialite.redirect','github')}}">
                            <i class="fab fa-github"></i>
                        </a>
                    </div>
                </div>

                <div class="divider d-flex align-items-center my-4">
                    <p class="text-center fw-bold mx-3 mb-0">Or</p>
                </div>

                <form action="{{route('login')}}" method="POST">
                    @csrf
                    <!-- Email input -->
                    <div class="form-outline mb-4">
                        <input type="email" name="email" id="form3Example3" class="form-control form-control-lg" placeholder="Enter a valid email address" />
                    </div>

                    <!-- Password input -->
                    <div class="form-outline mb-3">
                        <input type="password" name="password" id="form3Example4" class="form-control form-control-lg" placeholder="Enter password" />
                    </div>

                    <div class="d-flex justify-content-between align-items-center">
                        <!-- Checkbox -->
                        <div class="form-check mb-0">
                            <input class="form-check-input me-2" type="checkbox" value="" id="form2Example3" />
                            <label class="form-check-label" for="form2Example3">
                                Remember me
                            </label>
                        </div>
                        <a href="#!" class="text-body">Forgot password?</a>
                    </div>

                    <div class="text-center text-lg-start mt-4 pt-2">
                        <button type="submit" class="btn btn-primary btn-lg" style="padding-left: 2.5rem; padding-right: 2.5rem;">Login</button>
                        <p class="small fw-bold mt-2 pt-1 mb-0">Don't have an account? <a href="#!" class="link-danger">Register</a></p>
                    </div>

                </form>
            </div>

        </div>
    </div>

</section>

create an Auth module with laravel using nwidart/laravel-modules package

ashrakt — Thu, 29 Feb 2024 07:33:05 +0000

nwidart/laravel-modules is a Laravel package which was created to manage your large Laravel app using modules.
A module is like a Laravel package, it has some views, controllers or models.

1) create project and install nwidart/laravel-modules package

create Laravel project
composer create-project laravel/laravel module
install nwidart through Composer, by run the following command:
composer require nwidart/laravel-modules
The package will automatically register a service provider and alias.
Optionally, publish the package's configuration file by running:
php artisan vendor:publish --provider="Nwidart\Modules\LaravelModulesServiceProvider"

2) Autoloading

By default the module classes are not loaded automatically. You can autoload your modules using psr-4. For example :



{
  "autoload": {
    "psr-4": {
      "App\\": "app/",
      "Modules\\": "Modules/"
    }
  }
}

run composer dump-autoload

3) Generate a new module using the Nwidart package
php artisan module:make <module-name>
php artisan module:make Auth



app/
bootstrap/
vendor/
Modules/
  ├── Auth/
      ├── Assets/
      ├── Config/
      ├── Console/
      ├── Database/
          ├── Migrations/
          ├── Seeders/
      ├── Entities/
      ├── Http/
          ├── Controllers/
          ├── Middleware/
          ├── Requests/
          ├── routes.php
      ├── Providers/
          ├── BlogServiceProvider.php
      ├── Resources/
          ├── lang/
          ├── views/
      ├── Repositories/
      ├── Tests/
      ├── composer.json
      ├── module.json
      ├── start.php

4) install sanctun
composer require laravel/sanctum

5) Publish the Laravel Sanctum configuration file.
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

6) Create the authentication controllers within the Auth module.



php artisan module:controller LogoutController Auth
php artisan module:controller RegisterControl Auth
php artisan module:controller LoginController Auth
php artisan module:controller ForgotPasswordController Auth
php artisan module:controller ResetPasswordController Auth

7) Define the routes for authentication within the Auth module.
Create a file named routes/api.php within the Modules/Auth directory and add the following code:




Route::prefix('user')->group(function () {
    Route::post('register', [RegisterController::class,'register']);
    Route::post('login', [LoginController::class,'login']);
    Route::post('password/forgot ', [ForgotPasswordController::class, 'sendForgotLinkEmail']);
    Route::post('password/forgot/submit', [ForgotPasswordController::class, 'submitForgotPassword']);
    Route::post('password/reset', [ResetPasswordController::class, 'resetPassword'])->middleware(['auth:sanctum']);
    Route::post('logout', [LogoutController::class, 'logout'])->middleware(['auth:sanctum']);
});

8) add auth table in Migrations folder module

php artisan migrate
php artisan key:generate

10) Move the User model to the Auth module's model directory
mv app/Models/User.php Modules/Auth/Models/User.php

11)Update the namespace of the User model. Open Modules/Auth/Models/User.php and modify the namespace to:

12) Update the config/auth.php file to use the Auth module's User model. In the config/auth.php file, locate the 'providers' configuration and modify it as follows:



 'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => Modules\Auth\Models\User::class,
        ],

13) Open the RegisterController and add the code below in it to create the method to register a user:



use Illuminate\Support\Facades\Hash;

class RegisterController extends Controller
{

    public function register(Request $request)
    {
        $validatedData = $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|min:8',
        ]);

        $user = User::create([
            'name' => $validatedData['name'],
            'email' => $validatedData['email'],
            'password' => Hash::make($validatedData['password']),
        ]);

        $token = $user->createToken('auth_token')->plainTextToken;

        return response()->json([
            'access_token' => $token,
            'token_type' => 'Bearer',
        ]);
    }
}

First, we validate the incoming request to make sure all required variables are present. Once a user has been created, we create a new personal access token using the createToken() method and give the token a name of auth_token, we call the plainTextToken on the instance to access the plain-text value of the token. Finally, we return a JSON response containing the generated token as well as the type of the token.

14) Then add the login() method inside of the LoginController:



use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{

    public function login(Request $request)
    {
        if (!Auth::attempt($request->only('email', 'password'))) {
            return response()->json([
                'message' => 'Invalid login details'
            ], 401);
        }

        $user = User::where('email', $request['email'])->firstOrFail();
        $token = $user->createToken('auth_token')->plainTextToken;

        return response()->json([
            'user'         => $user,
            'access_token' => $token,
            'token_type'   => 'Bearer',
        ]);
    }
}

15) forgot password

make mail

php artisan module:make-mail ResetPassword Auth



<?php

namespace Modules\Auth\App\Emails;

use Illuminate\Bus\Queueable;
use Illuminate\Mail\Mailable;
use Illuminate\Queue\SerializesModels;

class ResetPassword extends Mailable
{
    use Queueable, SerializesModels;

    public $data;

    public function __construct($data)
    {
        $this->data = $data;
    }

    public function build()
    {
        return $this->subject('Mail from ashrakt')->view("auth::mails.resetPassword");
    }
}

make view



<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Authentication</title>
</head>

<body>
    <h3>code : {{ $data }}</h3>
</body>

</html>

Forgot Password Controller



<?php

namespace Modules\Auth\App\Http\Controllers;

use Carbon\Carbon;
use Illuminate\Support\Str;
use Illuminate\Http\Request;
use Modules\Auth\Models\User;
use Illuminate\Support\Facades\DB;
use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Modules\Auth\App\Emails\ResetPassword;


class ForgotPasswordController extends Controller
{

    public function sendResetLinkEmail(Request $request)
    {
        $request->validate([
            'email' => 'required|email|exists:users',
        ]);

        $token = Str::random(64);
        DB::table('password_reset_tokens')->insert([
            'email' => $request->email,
            'token' => $token,
            'created_at' => Carbon::now()
        ]);

        Mail::to($request->email)->send(new ResetPassword($token));


        return response()->json(['message' => 'We have e-mailed your password reset link!']);
    }



    public function submitResetPasswordForm(Request $request)
    {
        $request->validate([
            'email' => 'required|email|exists:users',
            'token' => 'required',
            'password' => 'required|string|min:6|confirmed',
            'password_confirmation' => 'required'
        ]);

        $updatePassword = DB::table('password_reset_tokens')
            ->where([
                'email' => $request->email,
                'token' => $request->token
            ])->first();

        if (!$updatePassword) {
            return response()->json(['message' => 'Invalid token!']);
        }

        User::where('email', $request->email)
            ->update(['password' => Hash::make($request->password)]);


        DB::table('password_reset_tokens')->where(['email' => $request->email])->delete();

        return response()->json(['message' => 'Your password has been changed!']);
    }
}

env file



MAIL_MAILER=smtp
MAIL_HOST=smtp.gmail.com
MAIL_PORT=465
MAIL_USERNAME=####
MAIL_PASSWORD=####
MAIL_ENCRYPTION=tls
MAIL_MAILER=smtp
MAIL_FROM_ADDRESS=####
MAIL_FROM_NAME="${APP_NAME}"

16) Reset password



<?php

namespace Modules\Auth\App\Http\Controllers;

use Illuminate\Http\Request;
use Modules\Auth\Models\User;
use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Hash;


class ResetPasswordController extends Controller
{

    public function resetPassword(Request $request)
    {
        $request->validate([
            'email' => 'required|email|exists:users',
            'password' => 'required|string|min:6|confirmed',
            'password_confirmation' => 'required'
        ]);

        User::where('email', $request->email)
            ->update(['password' => Hash::make($request->password)]);

        return response()->json(['message' => 'Your password has been changed!']);
    }
}

17) logout



<?php

namespace Modules\Auth\App\Http\Controllers;

use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Laravel\Sanctum\PersonalAccessToken;

class LogoutController extends Controller
{

    public function logout(Request $request)
    {
        $logout = PersonalAccessToken::findToken($request->bearerToken())->delete();

        if ($logout) {
            return response()->json([
                'message' => 'Successfully logged out.',
            ]);
        } else {
            return response()->json([
                'message' => 'Error occurred while logging out.',
            ]);
        }
    }
}