Laravel Fortify Cheat Sheet

Getting authentication right is not a straightforward task. Thankfully, Laravel has released an official authentication package called Laravel Fortify that takes care of the whole authentication flow for us.


In summary, Fortify consists of 7 main components:

  1. Login
  2. Logout
  3. Password confirmation
  4. Registration
  5. Password reset
  6. Email Verification
  7. 2-Factor Authentication

Laravel Fortify registers a lot of API endpoints for us. Below is a brief overview of the endpoints that are available to us.

Login

GET /login

Returns the auth.login view.

POST /login

Request body:

  • email(string) — configurable in config/fortify.php
  • password(string)
  • remember(boolean)

Non XHR API:

On success, redirects to the home route defined in the Fortify config.
On failure, redirects to the login screen with errors.

XHR API:

On success, returns a 200 HTTP response.

[Screenshot in the original: sample success response]

On failure, returns a 422 HTTP response with validation errors.

Logout

POST /logout

XHR API:

On success, returns a 204 HTTP response.

Password Confirmation

GET /user/confirm-password

Shows the auth.confirm-password view. Used to prompt the user to re-enter their password before certain actions, e.g. when accessing sensitive information.

POST /user/confirm-password

Request body:

  • password(string) — the current user's password

Non XHR API:

On success, redirects to the route the user was attempting to access.
On failure, redirects back to the confirm-password view with errors.

XHR API:

On success, returns a 201 HTTP response.
On failure, returns a 422 HTTP response with validation errors.

Registration

GET /register

Returns the auth.register view.

POST /register

Request body:

  • name(string)
  • email(string)
  • password(string)
  • password_confirmation(string)

Non XHR API:

On success, redirects to home as defined in the config.
On failure, redirects to the registration screen with errors.

XHR API:

On success, returns a 201 HTTP response with an empty body.
On failure, returns a 422 HTTP response with errors.

[Screenshot in the original: XHR registration error]

Password Reset

GET /forgot-password

Returns the auth.forgot-password view.

POST /forgot-password

Request body:

  • email(string)

Sends a password reset email to the user.

Non XHR API:

On success, redirects the user to /forgot-password.

Fortify will set session('status') to the success message.

XHR API:

On success, returns a 200 HTTP response.

[Screenshot in the original: XHR success response]

On failure:

[Screenshot in the original: XHR error response]

POST /reset-password

Request body:

  • email(string)
  • password(string)
  • password_confirmation(string)
  • token(string) — should contain the value of request()->route('token')

Non XHR API:

On success, redirects to /login. Fortify will also set a status session variable, e.g.:

session('status'); // expect the success/failure message

On failure, redirects back to /reset-password with validation errors.

XHR API:

On success, returns a 200 HTTP response.

[Screenshot in the original: XHR success response]

On failure, returns a 422 HTTP response with validation errors.

[Screenshot in the original: XHR error response]

Email Verification

GET /email/verify

Returns the auth.verify-email view.

POST /email/verification-notification

Sends an email verification link to the currently logged-in user.

Non XHR API:

On success, redirects the user to /email/verify. Fortify will set the status session variable, e.g.:

session('status'); // expect the success message

XHR API:

On success, returns a 202 HTTP response.

Note: attach the verified middleware to routes that require users to have verified their email.

Route::group(['middleware' => ['verified']], function () {
    // routes that require a verified email address
});

2-Factor Authentication

Requires Password Confirmation.

Enabling 2FA

POST /user/two-factor-authentication

Non XHR API:

On success, the user will be redirected back to the previous URL. Fortify will set the status session variable to two-factor-authentication-enabled, e.g.:

session('status'); // expect: two-factor-authentication-enabled

XHR API:

On success, returns a 200 HTTP response.

Disabling 2FA

DELETE /user/two-factor-authentication

Displaying the 2FA QR code

Non XHR API:

$request->user()->twoFactorQrCodeSvg();

XHR API:

GET /user/two-factor-qr-code

This endpoint returns a JSON object containing the SVG QR code.

Note: the user must already have a two_factor_secret. We can generate the secret and recovery codes by invoking the EnableTwoFactorAuthentication action.

app(Laravel\Fortify\Actions\EnableTwoFactorAuthentication::class)($user);

Displaying the Recovery Codes

Recovery codes are available in case users lose access to their authenticator app.

Non XHR API:

// the column holds an encrypted JSON array, so decrypt it before decoding
json_decode(decrypt($request->user()->two_factor_recovery_codes), true);

XHR API:

GET /user/two-factor-recovery-codes

Returns a JSON array of recovery codes.

Regenerating Recovery Codes

POST /user/two-factor-recovery-codes

Authenticating via 2FA

Non XHR API:
Fortify will automatically redirect the user to the 2FA QR code page.

XHR API:
The POST /login response contains a two_factor boolean property indicating whether the user has enabled 2FA. When it is true, you should redirect the user to the 2FA challenge screen.

The 2FA challenge screen

GET /two-factor-challenge

Returns the auth.two-factor-challenge view.

POST /two-factor-challenge

  • code(string) — the TOTP token
  • recovery_code(string) — one of the user's recovery codes

Non XHR API:
On success, redirects to the home URL as defined in Fortify's configuration.
On failure, redirects to the login screen with validation errors.

XHR API:
On success, returns a 204 HTTP response.
On failure, returns a 422 HTTP response with errors.
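As an added example (not code from the original post or from Fortify), here is a small browser-side XHR client that ties together the POST /login responses described above (200 with a two_factor flag, 422 with validation errors) and the POST /two-factor-challenge responses (204 on success, 422 on failure). It assumes the CSRF token is read from the page's csrf-token meta tag and that a fetch implementation is passed in.

```javascript
// Added example: XHR client for Fortify's login + 2FA challenge flow.
// Assumes `csrfToken` comes from <meta name="csrf-token"> and `fetchImpl`
// is window.fetch (injected so the flow can be exercised offline).

// Request options that make Fortify answer with JSON instead of redirects.
function fortifyRequest(body, csrfToken) {
  return {
    method: 'POST',
    credentials: 'same-origin',          // send the session cookie
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',      // JSON responses, not redirects
      'X-Requested-With': 'XMLHttpRequest',
      'X-CSRF-TOKEN': csrfToken,
    },
    body: JSON.stringify(body),
  };
}

// Map a POST /login response to the client's next step.
// A 200 with two_factor:true means the session is NOT authenticated yet.
function loginOutcome(status, data) {
  if (status === 422) return { state: 'invalid', errors: (data && data.errors) || {} };
  if (status !== 200) throw new Error(`unexpected login status ${status}`);
  return data && data.two_factor === true ? { state: 'two_factor' } : { state: 'ok' };
}

// Map a POST /two-factor-challenge response (204 success, 422 failure).
function challengeOutcome(status, data) {
  if (status === 422) return { state: 'invalid', errors: (data && data.errors) || {} };
  if (status !== 204) throw new Error(`unexpected challenge status ${status}`);
  return { state: 'ok' };
}

// Send exactly one of `code` (TOTP) or `recovery_code`; recovery codes are
// single-use, so prefer the TOTP code when both are supplied.
function challengeBody({ code, recoveryCode }) {
  if (code) return { code };
  if (recoveryCode) return { recovery_code: recoveryCode };
  throw new Error('a TOTP code or a recovery code is required');
}

async function loginWith2fa(fetchImpl, creds, second, csrfToken) {
  const res = await fetchImpl('/login', fortifyRequest(creds, csrfToken));
  const first = loginOutcome(res.status, res.status === 204 ? null : await res.json());
  if (first.state !== 'two_factor') return first;   // done, or show errors
  const res2 = await fetchImpl('/two-factor-challenge',
    fortifyRequest(challengeBody(second), csrfToken));
  return challengeOutcome(res2.status, res2.status === 204 ? null : await res2.json());
}
```

Only a final 'ok' from the challenge step means the session is fully authenticated; a 200 from /login alone is not enough for a 2FA-enabled user.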

That’s it! Hope this helps.

Web Development. https://acadea.io/learn. Follow me on YouTube: https://www.youtube.com/c/acadeaio
