Laravel Authentication Log Laravel Package

Getting Started

Start by installing the package and adding the AuthenticationLoggable trait to your User model. Then publish and run the migrations to set up the authentication_log table. After that, publish the config to customize behavior like notifications, suspicious thresholds, and webhooks. The first real-world use case is monitoring login activity — after authentication, logs are recorded automatically with device fingerprints and location data (if GeoIP is configured). Check user statistics via $user->getLoginStats() or view recent logins via the AuthenticationLog model.

composer require rappasoft/laravel-authentication-log
php artisan vendor:publish --provider="Rappasoft\LaravelAuthenticationLog\LaravelAuthenticationLogServiceProvider" --tag="authentication-log-migrations"
php artisan migrate
php artisan vendor:publish --provider="Rappasoft\LaravelAuthenticationLog\LaravelAuthenticationLogServiceProvider" --tag="authentication-log-config"

Implementation Patterns

Integrate authentication logging passively — no code changes to login controllers are required; the trait hooks into Laravel’s authentication lifecycle. Use query scopes (successful(), failed(), suspicious(), fromIp(), recent()) in admin dashboards to surface security insights. For session management, expose UI controls to users to revoke sessions (revokeAllOtherSessions()) or manage trusted devices (trustDevice(), updateDeviceName()). Configure webhook receivers for external alerting (e.g., Slack, SOAR platforms) and use detectSuspiciousActivity() in background jobs for proactive threat monitoring. Leverage middleware (RequireTrustedDevice::class) to protect sensitive endpoints.

Gotchas and Tips

• Version 6.x breaks compatibility with Laravel <11 — ensure your project meets the PHP 8.1+ and Laravel version requirements before upgrading.
• Device fingerprinting prevents false positives by normalizing browser versions in the hash; avoid manually editing device_id in logs.
• Session restoration prevention (v6+) suppresses duplicate log entries on refreshes or remember-me logins — disable only if you need every browser reload logged (via config prevent_session_restoration).
• GeoIP data requires a provider like geoip — if not configured, location fields will be null even when logging succeeds.
• Webhooks won’t block authentication if they timeout — configure timeouts and log_failures to avoid blind spots.
• When migrating from v3/v4, the upgrade migration adds new columns safely, but always run php artisan migrate:fresh --seed in staging first.
• Use AuthenticationLog::active() scope to list currently active sessions — but note it uses last_activity_at (requires recent Laravel session handling).