Skip to content

Commit 8509525

Browse files
committed
First commit
0 parents  commit 8509525

340 files changed

Lines changed: 49298 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 151 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,151 @@
1+
---
2+
name: fortify-development
3+
description: 'ACTIVATE when the user works on authentication in Laravel. This includes login, registration, password reset, email verification, two-factor authentication (2FA/TOTP/QR codes/recovery codes), passkeys, profile updates, password confirmation, or any auth-related routes and controllers. Activate when the user mentions Fortify, auth, authentication, login, register, signup, forgot password, verify email, 2FA, passkeys, WebAuthn, or references app/Actions/Fortify/, CreateNewUser, UpdateUserProfileInformation, FortifyServiceProvider, config/fortify.php, or auth guards. Fortify is the frontend-agnostic authentication backend for Laravel that registers all auth routes and controllers. Also activate when building SPA or headless authentication, customizing login redirects, overriding response contracts like LoginResponse, or configuring login throttling. Do NOT activate for Laravel Passport (OAuth2 API tokens), Socialite (OAuth social login), or non-auth Laravel features.'
4+
license: MIT
5+
metadata:
6+
author: laravel
7+
---
8+
9+
# Laravel Fortify Development
10+
11+
Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
12+
13+
## Documentation
14+
15+
Use `search-docs` for detailed Laravel Fortify patterns and documentation.
16+
17+
## Usage
18+
19+
- **Routes**: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
20+
- **Actions**: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
21+
- **Config**: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
22+
- **Contracts**: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
23+
- **Views**: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
24+
25+
## Available Features
26+
27+
Enable in `config/fortify.php` features array:
28+
29+
- `Features::registration()` - User registration
30+
- `Features::resetPasswords()` - Password reset via email
31+
- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
32+
- `Features::updateProfileInformation()` - Profile updates
33+
- `Features::updatePasswords()` - Password changes
34+
- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes
35+
- `Features::passkeys()` - Passwordless authentication with WebAuthn passkeys
36+
37+
> Use `search-docs` for feature configuration options and customization patterns.
38+
39+
## Setup Workflows
40+
41+
### Two-Factor Authentication Setup
42+
43+
```
44+
- [ ] Add TwoFactorAuthenticatable trait to User model
45+
- [ ] Enable feature in config/fortify.php
46+
- [ ] If the `*_add_two_factor_columns_to_users_table.php` migration is missing, publish via `php artisan vendor:publish --tag=fortify-migrations` and migrate
47+
- [ ] Set up view callbacks in FortifyServiceProvider
48+
- [ ] Create 2FA management UI
49+
- [ ] Test QR code and recovery codes
50+
```
51+
52+
> Use `search-docs` for TOTP implementation and recovery code handling patterns.
53+
54+
### Passkeys Setup
55+
56+
```
57+
- [ ] Add PasskeyAuthenticatable trait to User model and implement PasskeyUser
58+
- [ ] Enable passkeys feature in config/fortify.php
59+
- [ ] If the passkeys table migration is missing, publish via `php artisan vendor:publish --tag=fortify-migrations` and migrate
60+
- [ ] Configure passkeys relying_party_id, allowed_origins, user_handle_secret, and timeout if defaults are not suitable
61+
- [ ] Build UI with @laravel/passkeys for registration, login, confirmation, and deletion
62+
```
63+
64+
> Use `search-docs` for passkey configuration options. For `@laravel/passkeys` frontend usage, refer to the package's README on npm.
65+
66+
### Email Verification Setup
67+
68+
```
69+
- [ ] Enable emailVerification feature in config
70+
- [ ] Implement MustVerifyEmail interface on User model
71+
- [ ] Set up verifyEmailView callback
72+
- [ ] Add verified middleware to protected routes
73+
- [ ] Test verification email flow
74+
```
75+
76+
> Use `search-docs` for MustVerifyEmail implementation patterns.
77+
78+
### Password Reset Setup
79+
80+
```
81+
- [ ] Enable resetPasswords feature in config
82+
- [ ] Set up requestPasswordResetLinkView callback
83+
- [ ] Set up resetPasswordView callback
84+
- [ ] Define password.reset named route (if views disabled)
85+
- [ ] Test reset email and link flow
86+
```
87+
88+
> Use `search-docs` for custom password reset flow patterns.
89+
90+
### SPA Authentication Setup
91+
92+
```
93+
- [ ] Set 'views' => false in config/fortify.php
94+
- [ ] Install and configure Laravel Sanctum for session-based SPA authentication
95+
- [ ] Use the 'web' guard in config/fortify.php (required for session-based authentication)
96+
- [ ] Set up CSRF token handling
97+
- [ ] Test XHR authentication flows
98+
```
99+
100+
> Use `search-docs` for integration and SPA authentication patterns.
101+
102+
#### Two-Factor Authentication in SPA Mode
103+
104+
When `views` is set to `false`, Fortify returns JSON responses instead of redirects.
105+
106+
If a user attempts to log in and two-factor authentication is enabled, the login request will return a JSON response indicating that a two-factor challenge is required:
107+
108+
```json
109+
{
110+
"two_factor": true
111+
}
112+
```
113+
114+
## Best Practices
115+
116+
### Custom Authentication Logic
117+
118+
Override authentication behavior using `Fortify::authenticateUsing()` for custom user retrieval or `Fortify::authenticateThrough()` to customize the authentication pipeline. Override response contracts in `AppServiceProvider` for custom redirects.
119+
120+
### Registration Customization
121+
122+
Modify `app/Actions/Fortify/CreateNewUser.php` to customize user creation logic, validation rules, and additional fields.
123+
124+
### Rate Limiting
125+
126+
Configure via `fortify.limiters.login` in config. Default configuration throttles by username + IP combination.
127+
128+
## Key Endpoints
129+
130+
| Feature | Method | Endpoint |
131+
|------------------------|----------|---------------------------------------------|
132+
| Login | POST | `/login` |
133+
| Logout | POST | `/logout` |
134+
| Register | POST | `/register` |
135+
| Password Reset Request | POST | `/forgot-password` |
136+
| Password Reset | POST | `/reset-password` |
137+
| Email Verify Notice | GET | `/email/verify` |
138+
| Resend Verification | POST | `/email/verification-notification` |
139+
| Password Confirm | POST | `/user/confirm-password` |
140+
| Enable 2FA | POST | `/user/two-factor-authentication` |
141+
| Confirm 2FA | POST | `/user/confirmed-two-factor-authentication` |
142+
| 2FA Challenge | POST | `/two-factor-challenge` |
143+
| Get QR Code | GET | `/user/two-factor-qr-code` |
144+
| Recovery Codes | GET/POST | `/user/two-factor-recovery-codes` |
145+
| Passkey Login Options | GET | `/passkeys/login/options` |
146+
| Passkey Login | POST | `/passkeys/login` |
147+
| Passkey Confirm Options| GET | `/passkeys/confirm/options` |
148+
| Passkey Confirm | POST | `/passkeys/confirm` |
149+
| Passkey Options | GET | `/user/passkeys/options` |
150+
| Register Passkey | POST | `/user/passkeys` |
151+
| Delete Passkey | DELETE | `/user/passkeys/{passkey}` |

0 commit comments

Comments
 (0)