Authentication and Authorization
Laravel provides several authentication starter kits that handle registration, login, password reset, email verification, and two-factor authentication out of the box. Laravel Breeze is the simplest option, providing Blade-based auth scaffolding. For authorization (controlling what authenticated users can do), Laravel offers Gates for simple checks and Policies for model-based authorization. Together, they provide a complete security layer for your application.
Authentication with Breeze
# Install Laravel Breeze
composer require laravel/breeze --dev
php artisan breeze:install blade
npm install && npm run dev
php artisan migrate
# This creates:
# - Registration, login, password reset pages
# - Email verification
# - Profile management
# - Auth middleware
# - All necessary routes
Authorization with Policies
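<?php
// app/Policies/PostPolicy.php
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Only the post's owner may update it.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }

    // The owner or an administrator may delete it.
    // isAdmin() must be defined on your User model; it is not built into Laravel.
    public function delete(User $user, Post $post): bool
    {
        return $user->id === $post->user_id || $user->isAdmin();
    }
}

// In controller:
// validated() exists only on form requests, so type-hint one here.
// UpdatePostRequest is a hypothetical FormRequest class holding the validation rules.
public function update(UpdatePostRequest $request, Post $post)
{
    $this->authorize('update', $post); // Throws 403 if unauthorized
    $post->update($request->validated());
    return redirect()->route('posts.show', $post);
}

// In Blade:
@can('update', $post)
    <a href="{{ route('posts.edit', $post) }}">Edit</a>
@endcan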
Pro tip: Use $this->authorize() in controllers and @can / @cannot in Blade templates to check permissions consistently. Register policies in AuthServiceProvider and Laravel will automatically resolve them based on model naming conventions.
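A feature test that checks the PostPolicy above is actually enforced, added here as an example and not part of the original tutorial. It assumes a DELETE route named posts.destroy inside the auth middleware group whose controller action calls $this->authorize('delete', $post), User and Post factories, and that factory-created users are not admins.

```php
<?php
// tests/Feature/PostPolicyTest.php (added example, not from the tutorial)
// Assumed: route name posts.destroy, the auth middleware on it, model factories.
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use App\Policies\PostPolicy;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PostPolicyTest extends TestCase
{
    use RefreshDatabase;

    public function test_guest_is_sent_to_login(): void
    {
        $post = Post::factory()->create();
        // The auth middleware rejects the request before any policy runs.
        $this->delete(route('posts.destroy', $post))->assertRedirect(route('login'));
        $this->assertDatabaseHas('posts', ['id' => $post->id]);
    }

    public function test_non_owner_is_forbidden(): void
    {
        $owner = User::factory()->create();
        $other = User::factory()->create();
        $post  = Post::factory()->create(['user_id' => $owner->id]);

        $this->actingAs($other)->delete(route('posts.destroy', $post))->assertForbidden();
        $this->assertDatabaseHas('posts', ['id' => $post->id]); // row must survive the 403
        // can() resolves PostPolicy the same way authorize() and @can do.
        $this->assertTrue($owner->can('update', $post));
        $this->assertFalse($other->can('update', $post));
    }

    public function test_admin_may_delete_but_not_update(): void
    {
        // Stand-in admin: overriding isAdmin() avoids assuming how roles are stored.
        $admin = new class extends User {
            public function isAdmin(): bool { return true; }
        };
        $admin->id = 999; // constructed id, different from the post's owner
        $post = (new Post)->forceFill(['user_id' => 1]);
        $policy = new PostPolicy;
        $this->assertTrue($policy->delete($admin, $post));
        $this->assertFalse($policy->update($admin, $post));
    }
}
```

Run it with php artisan test. The last case pins down that the admin exception applies to delete only, so a later edit to the policy cannot silently widen it to update.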
Key Takeaways
- Laravel Breeze provides complete authentication scaffolding (login, register, password reset) in minutes.
- Policies define authorization logic for model operations (create, update, delete).
- Use $this->authorize() in controllers and @can in Blade for permission checks.
- The auth middleware protects routes from unauthenticated access.
- Laravel handles password hashing, CSRF protection, and session management automatically.