noartem/developing-with-fortify

Laravel Fortify Development

Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.

Documentation

Use search-docs for detailed Laravel Fortify patterns and documentation.

Usage

• Routes: Use list-routes with only_vendor: true and action: "Fortify" to see all registered endpoints
• Actions: Check app/Actions/Fortify/ for customizable business logic (user creation, password validation, etc.)
• Config: See config/fortify.php for all options including features, guards, rate limiters, and username field
• Contracts: Look in Laravel\Fortify\Contracts\ for overridable response classes (LoginResponse, LogoutResponse, etc.)
• Views: All view callbacks are set in FortifyServiceProvider::boot() using Fortify::loginView(), Fortify::registerView(), etc.

Available Features

Enable in config/fortify.php features array:

• Features::registration() - User registration
• Features::resetPasswords() - Password reset via email
• Features::emailVerification() - Requires User to implement MustVerifyEmail
• Features::updateProfileInformation() - Profile updates
• Features::updatePasswords() - Password changes
• Features::twoFactorAuthentication() - 2FA with QR codes and recovery codes

Use search-docs for feature configuration options and customization patterns.

Setup Workflows

Two-Factor Authentication Setup

- [ ] Add TwoFactorAuthenticatable trait to User model
- [ ] Enable feature in config/fortify.php
- [ ] Run migrations for 2FA columns
- [ ] Set up view callbacks in FortifyServiceProvider
- [ ] Create 2FA management UI
- [ ] Test QR code and recovery codes

Use search-docs for TOTP implementation and recovery code handling patterns.

Email Verification Setup

- [ ] Enable emailVerification feature in config
- [ ] Implement MustVerifyEmail interface on User model
- [ ] Set up verifyEmailView callback
- [ ] Add verified middleware to protected routes
- [ ] Test verification email flow

Use search-docs for MustVerifyEmail implementation patterns.

Password Reset Setup

- [ ] Enable resetPasswords feature in config
- [ ] Set up requestPasswordResetLinkView callback
- [ ] Set up resetPasswordView callback
- [ ] Define password.reset named route (if views disabled)
- [ ] Test reset email and link flow

Use search-docs for custom password reset flow patterns.

SPA Authentication Setup

- [ ] Set 'views' => false in config/fortify.php
- [ ] Install and configure Laravel Sanctum
- [ ] Use 'web' guard in fortify config
- [ ] Set up CSRF token handling
- [ ] Test XHR authentication flows

Use search-docs for integration and SPA authentication patterns.

Best Practices

Custom Authentication Logic

Override authentication behavior using Fortify::authenticateUsing() for custom user retrieval or Fortify::authenticateThrough() to customize the authentication pipeline. Override response contracts in AppServiceProvider for custom redirects.

Registration Customization

Modify app/Actions/Fortify/CreateNewUser.php to customize user creation logic, validation rules, and additional fields.

Rate Limiting

Configure via fortify.limiters.login in config. Default configuration throttles by username + IP combination.

Key Endpoints

| Feature | Method | Endpoint | |------------------------|----------|---------------------------------------------| | Login | POST | /login | | Logout | POST | /logout | | Register | POST | /register | | Password Reset Request | POST | /forgot-password | | Password Reset | POST | /reset-password | | Email Verify Notice | GET | /email/verify | | Resend Verification | POST | /email/verification-notification | | Password Confirm | POST | /user/confirm-password | | Enable 2FA | POST | /user/two-factor-authentication | | Confirm 2FA | POST | /user/confirmed-two-factor-authentication | | 2FA Challenge | POST | /two-factor-challenge | | Get QR Code | GET | /user/two-factor-qr-code | | Recovery Codes | GET/POST | /user/two-factor-recovery-codes |