Fortify Laravel Package

laravel/fortify

Frontend-agnostic authentication backend for Laravel. Provides endpoints and services for registration, login, password reset, email verification, and two-factor authentication. Used by Laravel Starter Kits; you bring the UI (Blade, Inertia, SPA, etc.).

Technical Evaluation

Architecture Fit

Laravel Fortify is a highly specialized, opinionated authentication backend designed for Laravel applications. It excels in:

  • Frontend-agnostic architecture: Works seamlessly with SPAs (via Sanctum), traditional Blade views, or custom frontend stacks (e.g., React, Vue).
  • Modularity: Provides pre-built controllers, policies, and middleware for core auth flows (login, registration, password resets, 2FA, passkeys), reducing boilerplate.
  • Laravel ecosystem integration: Leverages Laravel’s authentication contracts, events, and policies, ensuring consistency with Laravel’s security patterns.
  • Extensibility: Supports custom guards, user models, and validation rules via configuration or overrides.

Key Fit Criteria:

  • ✅ Ideal for: Greenfield Laravel projects, SPAs needing backend auth, or teams prioritizing security and rapid development.
  • ❌ Less ideal for: Legacy systems with deeply custom auth logic or non-Laravel stacks.


Integration Feasibility

Fortify’s integration hinges on three pillars:

  1. Laravel Compatibility:

    • Requires Laravel 11+ (as of v1.37.x) and PHP 8.2+ (PHP 8.1 dropped in v1.37.0).
    • No database migrations: Uses Laravel’s built-in users table (or custom models) with minimal schema requirements (e.g., two_factor_secret for 2FA).
    • Route/Controller Overrides: Fortify registers routes via Laravel’s service provider, but conflicts can arise with existing auth routes (e.g., LoginController).
  2. Frontend Agnosticism:

    • SPA Support: Requires Sanctum for token-based auth (Fortify includes Sanctum scaffolding).
    • Traditional Views: Includes Blade views but can be disabled in favor of custom frontend logic.
    • API-First: Designed for JSON responses (e.g., POST /login returns a token), but can be adapted for hybrid setups.
  3. Security Features:

    • 2FA: Uses TOTP (Time-based OTP) with Laravel’s pragmarx/google2fa package.
    • Passkeys: Added in v1.37.0 (WebAuthn support).
    • Passwordless Auth: Optional via email/magic links.
    • Rate Limiting: Built-in throttling for brute-force protection.
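
The built-in throttling listed above is driven by named rate limiters. As an added example (not code from this page or from the Fortify project), this is one way an application service provider can define them; it assumes the `login` and `two-factor` limiter names referenced by the `limiters` array in config/fortify.php and an illustrative limit of 5 attempts per minute.

```php
<?php

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Laravel\Fortify\Fortify;

class FortifyServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Limiter used for the login endpoint.
        RateLimiter::for('login', function (Request $request) {
            // Key on the normalised username plus the client IP: case or
            // accent variants of one username share a bucket, and a single
            // address cannot keep guessing against the same account.
            $username = (string) $request->input(Fortify::username());
            $key = Str::transliterate(Str::lower($username)).'|'.$request->ip();

            // 5 per minute is the assumed value for this example.
            return Limit::perMinute(5)->by($key);
        });

        // Limiter used for the two-factor challenge endpoint.
        RateLimiter::for('two-factor', function (Request $request) {
            // The user is not authenticated yet at this step; Fortify keeps
            // the pending user id in the session under 'login.id', so the
            // TOTP guesses are counted per pending login.
            return Limit::perMinute(5)->by($request->session()->get('login.id'));
        });
    }
}
```

Keying the login limiter on IP alone would let one address spread guesses across many accounts without tripping a per-account limit, and keying on username alone would let anyone lock a known user out; the combined key limits both.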

Feasibility Risks:

  • Middleware Conflicts: Fortify’s VerifyCsrfToken and EnsureEmailIsVerified middleware may clash with existing middleware.
  • Custom User Models: Requires extending Fortify’s User contract or configuring custom providers.
  • Session Handling: SPAs must manage session regeneration (Fortify handles this for Blade apps).

Technical Risk

| Risk Area | Severity | Mitigation |
|---|---|---|
| Version Lock-in | Medium | Fortify evolves with Laravel; breaking changes are rare but require updates. |
| SPA-Specific Quirks | High | Sanctum misconfigurations (e.g., CORS, token expiry) can break auth flows. |
| 2FA Implementation | Medium | Requires pragmarx/google2fa; database schema must support two_factor_secret. |
| Passkey Support | Low | New in v1.37.0; may need additional browser/OS support testing. |
| Customization Overhead | Low | Fortify’s policies/controllers can be overridden, but deep customization may require forking. |
| Performance | Low | Minimal overhead; rate limiting and encryption are optimized. |

Critical Questions for TPM:

  1. Frontend Stack: Is the app an SPA, traditional Blade app, or hybrid? This dictates Sanctum vs. session-based auth.
  2. Custom Auth Logic: Are there existing auth controllers/policies that conflict with Fortify’s defaults?
  3. 2FA/Passkey Requirements: Does the project need TOTP, passkeys, or both? This affects database schema and frontend support.
  4. Legacy Compatibility: Is the app using Laravel <11 or PHP <8.2? If so, Fortify may require a major upgrade.
  5. Third-Party Auth: Will Fortify integrate with OAuth (e.g., Google, GitHub)? Fortify is auth-agnostic but doesn’t include OAuth providers.

Integration Approach

Stack Fit

Fortify is optimized for the following Laravel stacks:

  • Backend: Laravel 11+ with PHP 8.2+.
  • Frontend:
    • SPAs: React/Vue/Angular with Sanctum for token-based auth.
    • Traditional: Blade templates with session-based auth.
    • APIs: JSON endpoints for mobile/web apps.
  • Database: MySQL/PostgreSQL/SQLite (Fortify uses Eloquent; no ORM-specific constraints).
  • Security: Sanctum for API tokens, Laravel’s built-in encryption for passwords.

Non-Fit Scenarios:

  • Non-Laravel backends (e.g., Node.js, Django).
  • Apps requiring custom auth protocols (e.g., OAuth2 server, SAML).
  • Projects with pre-existing auth systems (e.g., Casbin, custom RBAC).

Migration Path

| Phase | Steps | Tools/Commands |
|---|---|---|
| Prerequisites | Ensure Laravel 11+ and PHP 8.2+. Update dependencies (composer.json). | composer require laravel/fortify |
| Installation | Publish Fortify’s config/views and run migrations (if using custom user model). | php artisan vendor:publish --provider="Laravel\Fortify\FortifyServiceProvider" |
| Configuration | Configure fortify.php for guards, user model, and frontend (SPA/Blade). | Edit config/fortify.php |
| Route Overrides | Replace existing auth routes (e.g., Auth::routes()) with Fortify’s registered routes. | Remove Auth::routes() from routes/web.php |
| Middleware | Ensure VerifyCsrfToken, EnsureEmailIsVerified, and RedirectIfAuthenticated are correctly applied. | Check app/Http/Kernel.php |
| Frontend Setup | For SPAs: Install Sanctum and configure CORS. For Blade: Use Fortify’s views or custom templates. | composer require laravel/sanctum |
| Testing | Test all auth flows (registration, login, 2FA, password resets) in staging. | Laravel’s php artisan test |
| Deployment | Deploy with database migrations (if applicable) and cache configuration. | php artisan migrate --force |

Rollback Plan:

  • Fortify’s routes/controllers can be disabled by removing the service provider from config/app.php.
  • Backup existing auth logic before integration to revert if conflicts arise.

Compatibility

| Component | Compatibility Notes |
|---|---|
| Laravel Versions | Officially supports Laravel 11–13 (as of v1.37.x). Laravel 10 requires v1.34.x or lower. |
| PHP Versions | PHP 8.2+ (PHP 8.1 dropped in v1.37.0). PHP 8.5+ requires v1.32.1+. |
| Database | Works with any Eloquent-supported database. Custom user models require FortifyUser contract implementation. |
| Frontend Frameworks | Agnostic; works with any framework that can make HTTP requests (SPAs, mobile apps, etc.). |
| Third-Party Packages | Conflicts possible with packages that override Auth or Route services (e.g., custom auth middleware). |
| Octane | Compatible via scoped bindings (added in v1.35.0). |

Key Compatibility Checks:

  • Run composer why-not laravel/fortify to detect version conflicts.
  • Test with php artisan fortify:check (if available) or manually verify route/middleware conflicts.

Sequencing

Recommended integration sequence for minimal disruption:

  1. Isolate Auth: Temporarily disable existing auth routes/controllers.
  2. Install Fortify: Add to composer.json and publish assets.
  3. Configure Guard: Set guard in fortify.php to match your user model.
  4. Frontend First: Implement login/registration in the frontend before testing other flows.
  5. Incremental Testing:
    • Test registration/login → password resets → 2FA → passkeys (if enabled).
  6. Middleware Audit: Ensure `VerifyCsrf