Auth Http Laravel Package
spiral/auth-http
Spiral auth-http provides HTTP authentication middleware and token transports for Spiral apps. Integrate auth into request pipelines and pass credentials via headers or other HTTP mechanisms, with strong typing, tests, and framework-friendly setup.
Getting Started
-
Install the package via Composer (note: last release was in 2020; verify compatibility with your Spiral framework version):
composer require spiral/auth-http -
Register middleware in your HTTP kernel (
config/http.phporapp.php), typically in themiddlewaressection:Spiral\AuthHttp\Middleware\Authenticate::class,or per-route using route groups.
-
Configure guards in
config/auth.php(or equivalent), mapping guard names to transport strategies (e.g.,header,cookie,query).
Example:'guards' => [ 'api' => [ 'transport' => 'header', 'header' => 'Authorization', 'prefix' => 'Bearer', ], ], -
First use case: Protect a route/controller with authentication:
$router->get('/secure', [SecureController::class, 'index']) ->middleware(Authenticate::class . ':api');
Implementation Patterns
-
Middleware-based guards: Use
Authenticatemiddleware with guard configuration to enforce auth per-route. Chain withAuthorize(if available in related packages) for RBAC/ABAC checks. -
Transport abstraction: Leverage built-in transport strategies (
header,cookie,query) or write a custom one implementingSpiral\AuthHttp\Transport\TransportInterface. Example:class CustomTokenTransport implements TransportInterface { public function extract(Request $request): ?TokenInterface { return $request->getHeaderLine('X-Custom-Token') ? new BearerToken($request->getHeaderLine('X-Custom-Token')) : null; } } -
Guard composition: Define guards with multiple fallback transports (e.g., fallback to cookie if header missing):
'fallback' => [ 'transport' => 'cookie', 'name' => 'auth_token', ] -
Response consistency: Utilize the framework’s built-in
UnauthorizedHttpExceptionandForbiddenHttpExceptionthrown by the middleware—no manual401/403handling needed. -
Integration with domain auth: Inject your application’s auth service (e.g.,
UserProvider,TokenValidator) into guards via DI. Let the middleware only coordinate—your domain validates credentials.
Gotchas and Tips
-
Legacy status warning: This package is read-only and last updated in 2020. Spiral 3+ may use
spiral/auth+ middleware split differently. Verify ifspiral/authsuffices or ifauth-httpadds non-duplicate value. -
Token parsing quirks: If using
headertransport withprefix(e.g.,Bearer), the prefix must match exactly (case-sensitive). A mismatch causes silent auth failures—log or debug with custom middleware wrapping. -
Middleware order matters: Place
Authenticatebefore action-specific logic (e.g., validation, controller), but after session/middleware that populates request data. -
Customizing responses: Override default
401/403handlers by extendingAuthenticatemiddleware and overridingonUnauthorized()/onForbidden(), or binding custom handlers inconfig/auth.php. -
Testing tip: Mock the
GuardInterfaceandTransportInterfacein unit tests. For feature tests, injectAuthorizationCheckerInterface(if present) to assert access decisions directly. -
Extensibility: The package exposes hooks like
GuardInterface::authenticate(TokenInterface $token)—implement custom guards (e.g., JWT, API key, session) by conforming to this interface and wiring them via config.
How can I help you explore Laravel packages today?