How to use multiple authentication guards in a Laravel app

Introduction

If you have used Laravel for a while, you should have heard a lot about multiple authentications. You should have also heard the term “guards” used frequently. But if you are fairly new to Laravel, yiou may not yet understand these concepts.

Multiple authentications make it possible for you to direct different classes of users to differing parts of the same application.

There are many reasons why you may want to use multiple authentications in your Laravel application. For example:

  • If you have a large application that runs an enterprise with many departments.
  • If customers and employees interact with the product and services of the company through the same application.
  • If the application also has a blog and there is a department in the company responsible for handling the blog.

Let's assume all of the above examples are relevant. In this application there are three sets of users:

  • Customers: these users will need a specific authentication process to access the system.
  • Blog writers: these users will likely need a totally different authentication process and may even have roles to enable a more robust content management process.
  • The rest of the company: these roles can be split up to represent different functions with different duties and administrative allowances.

Now, let us look at how to create multiple authentications for our different classes of users.

Prerequisites

  • Knowledge of PHP (version >= 7.1.3).
  • Knowledge of Laravel (version 5.6.x).
  • Composer is installed on your computer (version >= 1.3.2).
  • Laravel installer is installed on your computer.

Getting started

If you checked off all the items on the prerequisites list, then this tutorial is already looking solid for you. We will create a Laravel app that has three user classes — admin, writer, user. We will make guards for the three user classes and restrict different parts of our application based on those guards.

Create the application

We need to create a new Laravel application. Run the following command on your terminal to create a new Laravel application:

1$ laravel new multi-auth
2    $ cd multi-auth

Create the database

We will use SQLite database for our application. It is lightweight, fast and uses a simple flat file. Create a database file with the following command:

    $ touch database/database.sqlite

Open the .env file in your application directory and change the following section:

1DB_CONNECTION=mysql
2    DB_HOST=127.0.0.1
3    DB_PORT=3306
4    DB_DATABASE=homestead
5    DB_USERNAME=homestead
6    DB_PASSWORD=secret

To:

    DB_CONNECTION=/absolute/path/to/database.sqlite

This will ensure our application uses the SQLite driver for database connections.

Creating migrations

We will make migrations for the admins and writers tables as Laravel comes with a users migration. They will be as simple as the users table, but you can extend them further based on your specific needs.

Create migration for admins

To make the admins table, run the following command:

    $ php artisan make:migration create_admins_table

From the database/migrations directory, open the admins migrations file and edit it as follows:

1// database/migrations/<timestamp>_create_admins_table.php
2
3    [...]
4    public function up()
5    {
6        Schema::create('admins', function (Blueprint $table) {
7            $table->increments('id');
8            $table->string('name');
9            $table->string('email')->unique();
10            $table->string('password');
11            $table->boolean('is_super')->default(false);
12            $table->rememberToken();
13            $table->timestamps();
14        });
15    }
16    [...]

We have created a simple migration and defined the columns we want the admin table to have. Eloquent provides methods that represent datatypes of our database table. We use them to define the datatypes of our table columns.

Remember, you can always configure your table how you please.

Create migration for writers

To make the writers table, run the following command:

    $ php artisan make:migration create_writers_table

Now, open the writers migrations file and edit it as follows:

1database/migrations/<timestamp>_create_writers_table.php
2    [...]
3    public function up()
4    {
5        Schema::create('writers', function (Blueprint $table) {
6            $table->increments('id');
7            $table->string('name');
8            $table->string('email')->unique();
9            $table->string('password');
10            $table->boolean('is_editor')->default(false);
11            $table->rememberToken();
12            $table->timestamps();
13        });
14    }
15    [...]

We just created a simple migration and defined the columns we want the writers table to have. Eloquent provides methods that represent datatypes of our database table, so it is easy to decide what we want each one to be.

Migrate the database

Now that we have defined our tables, let us migrate the database:

    $ php artisan migrate

Set up the models

We have different classes of users for our application, and they use different database tables. To use these different tables for authentication, we have to define models for them. These models will be like the user model and extends the Authenticable class.

Admin model

To make the model for the admins, run the following command:

    $ php artisan make:model Admin

Open the Admin model in app/Admin.php and add the following:

1// app/Admin.php
2    <?php
3
4    namespace App;
5
6    use Illuminate\Notifications\Notifiable;
7    use Illuminate\Foundation\Auth\User as Authenticatable;
8
9    class Admin extends Authenticatable
10    {
11        use Notifiable;
12
13        protected $guard = 'admin';
14
15        protected $fillable = [
16            'name', 'email', 'password',
17        ];
18
19        protected $hidden = [
20            'password', 'remember_token',
21        ];
22    }

When you intend to use a model for authentication, and you plan to not use the default user guard, it is important you specify the guard it will use. In our case, it will use the admin guard.

We also defined some of our database columns as fillable by putting them in the fillable array. This tells Laravel the following about the model:

When I call your create or update method and I pass you an array, take only these items (read: items in the fillable array).

This way, we will prevent a scenario where a user can bypass any of our checks and insert or update a record we do not wish for them to update.

For the hidden array, we tell Laravel not to return those columns when we return the model to either our API or view.

Writers model

To make the model for the writers, run the following command:

    $ php artisan make:model Writer

Then open the Writer model and replace with the following:

1// app/Writer.php
2    <?php
3
4    namespace App;
5
6    use Illuminate\Notifications\Notifiable;
7    use Illuminate\Foundation\Auth\User as Authenticatable;
8
9    class Writer extends Authenticatable
10    {
11        use Notifiable;
12
13        protected $guard = 'writer';
14
15        protected $fillable = [
16            'name', 'email', 'password',
17        ];
18
19        protected $hidden = [
20            'password', 'remember_token',
21        ];
22    }

Define the guards

Laravel guards define how users are authenticated for each request. Laravel comes with some guards for authentication, but we can also create ours as well. This will enable us to use Laravel’s default authentication system with our Admin and Writer models as well.

Open config/auth.php and add the new guards edit as follows:

1// config/auth.php
2
3    <?php
4
5    [...]
6    'guards' => [
7        [...]
8        'admin' => [
9            'driver' => 'session',
10            'provider' => 'admins',
11        ],
12        'writer' => [
13            'driver' => 'session',
14            'provider' => 'writers',
15        ],
16    ],
17    [...]

We added two new guards admin and writer and set their providers. These providers tell Laravel what to use for authentication or validation when we try to use the guard.

Now, add the following to the providers array:

1// config/auth.php
2
3    [...]
4    'providers' => [
5        [...]
6        'admins' => [
7            'driver' => 'eloquent',
8            'model' => App\Admin::class,
9        ],
10        'writers' => [
11            'driver' => 'eloquent',
12            'model' => App\Writer::class,
13        ],
14    ],
15    [...]

Now, we have set up the providers we defined along with the guards above. We set the driver to be eloquent since we are using Eloquent ORM as our database manager.

Let’s say we wish to use another ORM like RedBeanPHP for managing our database, we can then set the driver to say redbeanphp instead of eloquent. For the model, we pass the model we want that provider to use.

Set up the controllers

To use our guards for authentication, we can either modify the existing authentication controllers or create new ones. You can choose which to use based on your specific needs. In this tutorial, we will modify these controllers.

Modify LoginController

Open the LoginController in app/Http/Controllers/Auth and edit as follows:

1// app/Http/Controllers/Auth/LoginController.php
2
3    <?php
4
5    namespace App\Http\Controllers\Auth;
6
7    use App\Http\Controllers\Controller;
8    use Illuminate\Foundation\Auth\AuthenticatesUsers;
9    [...]
10    use Illuminate\Http\Request;
11    use Auth;
12    [...]
13    class LoginController extends Controller
14    {
15        [...]
16        public function __construct()
17        {
18            $this->middleware('guest')->except('logout');
19            $this->middleware('guest:admin')->except('logout');
20            $this->middleware('guest:writer')->except('logout');
21        }
22        [...]
23    }

We set the middleware to restrict access to this controller or its methods. It is important we defined all the different types of guests in the controller. This way, if one type of user is logged in and you try to use another user type to log in, it will redirect you to a predefined authentication page.

See it this way: If I log in on my computer as an administrator, and my colleague who is a writer also tries to log into his account as a writer, he will not be able to.

This check is important, so we do not mess up session information and potentially corrupt our application data.

Now, define the login for admins:

1// app/Http/Controllers/Auth/LoginController.php
2
3    [...]
4    public function showAdminLoginForm()
5    {
6        return view('auth.login', ['url' => 'admin']);
7    }
8
9    public function adminLogin(Request $request)
10    {
11        $this->validate($request, [
12            'email'   => 'required|email',
13            'password' => 'required|min:6'
14        ]);
15
16        if (Auth::guard('admin')->attempt(['email' => $request->email, 'password' => $request->password], $request->get('remember'))) {
17
18            return redirect()->intended('/admin');
19        }
20        return back()->withInput($request->only('email', 'remember'));
21    }
22    [...]

We have set up a method to return the login page for an admin. We will use the same page for all the user types and only change the URL they get sent to. Saves us a lot of code we could avoid writing.

We also defined the adminLogin method which checks that the right credentials are supplied. Then we attempt to log a user in with the admin guard. It is important we set this guard when attempting a login so that the Auth facade will check the right table matching credentials. It will also set up our authentication so we can restrict pages based on the type of user who is logged in.

We redirect an authenticated user to a specific URL and send an unauthenticated user back to the login page.

Now, let us do the same thing but for the writers:

1// app/Http/Controllers/Auth/LoginController.php
2
3    [...]
4    public function showWriterLoginForm()
5    {
6        return view('auth.login', ['url' => 'writer']);
7    }
8
9    public function writerLogin(Request $request)
10    {
11        $this->validate($request, [
12            'email'   => 'required|email',
13            'password' => 'required|min:6'
14        ]);
15
16        if (Auth::guard('writer')->attempt(['email' => $request->email, 'password' => $request->password], $request->get('remember'))) {
17
18            return redirect()->intended('/writer');
19        }
20        return back()->withInput($request->only('email', 'remember'));
21    }
22    [...]

And our login is set. Hurray!!!

Modify RegisterController

Open the RegisterController and edit as follows:

1// app/Http/Controllers/Auth/RegisterController.php
2
3    <?php
4    [...]
5    namespace App\Http\Controllers\Auth;
6    use App\User;
7    use App\Admin;
8    use App\Writer;
9    use App\Http\Controllers\Controller;
10    use Illuminate\Support\Facades\Hash;
11    use Illuminate\Support\Facades\Validator;
12    use Illuminate\Foundation\Auth\RegistersUsers;
13    use Illuminate\Http\Request;
14    [...]
15    class RegisterController extends Controller
16    {
17        [...]
18        public function __construct()
19        {
20            $this->middleware('guest');
21            $this->middleware('guest:admin');
22            $this->middleware('guest:writer');
23        }
24      [...]
25    }

We have set up the middleware the controller will use, just like we did with the LoginController.

Now, let us set up the methods to return the registration pages for the different users:

1// app/Http/Controllers/Auth/RegisterController.php
2
3    [...]
4    public function showAdminRegisterForm()
5    {
6        return view('auth.register', ['url' => 'admin']);
7    }
8
9    public function showWriterRegisterForm()
10    {
11        return view('auth.register', ['url' => 'writer']);
12    }
13    [...]

This is similar to what we did for showing different login pages.

Now, we can define our methods for creating an admin:

1// app/Http/Controllers/Auth/RegisterController.php
2
3    [...] 
4    protected function createAdmin(Request $request)
5    {
6        $this->validator($request->all())->validate();
7        $admin = Admin::create([
8            'name' => $request['name'],
9            'email' => $request['email'],
10            'password' => Hash::make($request['password']),
11        ]);
12        return redirect()->intended('login/admin');
13    }
14    [...]

Next, let us define methods for creating a writer:

1// app/Http/Controllers/Auth/RegisterController.php
2
3    [...] 
4    protected function createWriter(Request $request)
5    {
6        $this->validator($request->all())->validate();
7        $writer = Writer::create([
8            'name' => $request['name'],
9            'email' => $request['email'],
10            'password' => Hash::make($request['password']),
11        ]);
12        return redirect()->intended('login/writer');
13    }
14    [...]

And registration is complete.

Set up authentication pages

We will use Laravel’s auth scaffolding to generate pages and controllers for our authentication system. Run the following command to generate the authentication pages:

    $ php artisan make:auth

This will generate view files in resources/views/auth along with routes to handle basic authentication for our application. Is that cool or what?

Open the login.blade.php file and edit as follows:

1// resources/views/auth/login.blade.php
2    [...]
3    <div class="container">
4        <div class="row justify-content-center">
5            <div class="col-md-8">
6                <div class="card">
7                    <div class="card-header"> {{ isset($url) ? ucwords($url) : ""}} {{ __('Login') }}</div>
8
9                    <div class="card-body">
10                        @isset($url)
11                        <form method="POST" action='{{ url("login/$url") }}' aria-label="{{ __('Login') }}">
12                        @else
13                        <form method="POST" action="{{ route('login') }}" aria-label="{{ __('Login') }}">
14                        @endisset
15                            @csrf
16        [...]
17    </div>

We are checking if we passed a url parameter to the page when we called it. If we did, we modify the forms action to use the url parameter. We also modified the header of the form so that it shows the type of user based on their login parameter.

Open the register.blade.php file and edit as follows:

1// resources/views/auth/register.blade.php
2
3    [...]
4    <div class="container">
5        <div class="row justify-content-center">
6            <div class="col-md-8">
7                <div class="card">
8                    <div class="card-header"> {{ isset($url) ? ucwords($url) : ""}} {{ __('Register') }}</div>
9
10                    <div class="card-body">
11                        @isset($url)
12                        <form method="POST" action='{{ url("register/$url") }}' aria-label="{{ __('Register') }}">
13                        @else
14                        <form method="POST" action="{{ route('register') }}" aria-label="{{ __('Register') }}">
15                        @endisset
16                            @csrf
17        [...]
18    </div>

We replicated what we did for login page here.

Create the pages authenticated users will access

Now that we are done setting up the login and register page, let us make the pages the admin and writers will see when they are authenticated. Open the terminal and run the following commands to create new files. Next, we will insert the corresponding code snippets to the files.

1$ touch resources/views/layouts/auth.blade.php
2    $ touch resources/views/admin.blade.php
3    $ touch resources/views/writer.blade.php
4    $ touch resources/views/home.blade.php

Insert this code block into the auth.blade.php file:

1// resources/views/layouts/auth.blade.php
2
3    <!DOCTYPE html>
4    <html lang="{{ str_replace('_', '-', app()->getLocale()) }}">
5    <head>
6        <meta charset="utf-8">
7        <meta http-equiv="X-UA-Compatible" content="IE=edge">
8        <meta name="viewport" content="width=device-width, initial-scale=1">
9
10        <!-- CSRF Token -->
11        <meta name="csrf-token" content="{{ csrf_token() }}">
12
13        <title>{{ config('app.name', 'Laravel') }}</title>
14
15        <!-- Scripts -->
16        <script src="{{ asset('js/app.js') }}" defer></script>
17
18        <!-- Fonts -->
19        <link rel="dns-prefetch" href="https://fonts.gstatic.com">
20        <link href="https://fonts.googleapis.com/css?family=Raleway:300,400,600" rel="stylesheet" type="text/css">
21
22        <!-- Styles -->
23        <link href="{{ asset('css/app.css') }}" rel="stylesheet">
24    </head>
25    <body>
26        <div id="app">
27            <nav class="navbar navbar-expand-md navbar-light navbar-laravel">
28                <div class="container">
29                    <a class="navbar-brand" href="{{ url('/') }}">
30                        {{ config('app.name', 'Laravel') }}
31                    </a>
32                    <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="{{ __('Toggle navigation') }}">
33                        <span class="navbar-toggler-icon"></span>
34                    </button>
35
36                    <div class="collapse navbar-collapse" id="navbarSupportedContent">
37                        <!-- Left Side Of Navbar -->
38                        <ul class="navbar-nav mr-auto">
39
40                        </ul>
41
42                        <!-- Right Side Of Navbar -->
43                        <ul class="navbar-nav ml-auto">
44                            <!-- Authentication Links -->
45                           <li class="nav-item dropdown">
46                                <a id="navbarDropdown" class="nav-link dropdown-toggle" href="#" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" v-pre>
47                                    Hi There <span class="caret"></span>
48                                </a>
49
50                                <div class="dropdown-menu dropdown-menu-right" aria-labelledby="navbarDropdown">
51                                    <a class="dropdown-item" href="{{ route('logout') }}"
52                                       onclick="event.preventDefault();
53                                                     document.getElementById('logout-form').submit();">
54                                        {{ __('Logout') }}
55                                    </a>
56
57                                    <form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
58                                        @csrf
59                                    </form>
60                                </div>
61                            </li>
62                        </ul>
63                    </div>
64                </div>
65            </nav>
66
67            <main class="py-4">
68                @yield('content')
69            </main>
70        </div>
71    </body>
72    </html>

Next, insert this code block into the admin.blade.php file:

1// resources/views/admin.blade.php
2
3    @extends('layouts.auth')
4
5    @section('content')
6    <div class="container">
7        <div class="row justify-content-center">
8            <div class="col-md-8">
9                <div class="card">
10                    <div class="card-header">Dashboard</div>
11
12                    <div class="card-body">
13                        Hi boss!
14                    </div>
15                </div>
16            </div>
17        </div>
18    </div>
19    @endsection

Open the writer.blade.php file and edit as follows:

1// resources/views/writer.blade.php
2
3    @extends('layouts.auth')
4
5    @section('content')
6    <div class="container">
7        <div class="row justify-content-center">
8            <div class="col-md-8">
9                <div class="card">
10                    <div class="card-header">Dashboard</div>
11
12                    <div class="card-body">
13                        Hi there, awesome writer
14                    </div>
15                </div>
16            </div>
17        </div>
18    </div>
19    @endsection

Finally, open the home.blade.php file and replace with the following:

1// resources/views/home.blade.php
2
3    @extends('layouts.auth')
4
5    @section('content')
6    <div class="container">
7        <div class="row justify-content-center">
8            <div class="col-md-8">
9                <div class="card">
10                    <div class="card-header">Dashboard</div>
11
12                    <div class="card-body">
13                         Hi there, regular user
14                    </div>
15                </div>
16            </div>
17        </div>
18    </div>
19    @endsection

Set up the routes

Our application is almost ready. Let us define the routes to access all the pages we have created so far. Open the routes/web.php file and replace with the following:

1// routes/web.php
2
3    <?php
4    Route::view('/', 'welcome');
5    Auth::routes();
6
7    Route::get('/login/admin', 'Auth\LoginController@showAdminLoginForm');
8    Route::get('/login/writer', 'Auth\LoginController@showWriterLoginForm');
9    Route::get('/register/admin', 'Auth\RegisterController@showAdminRegisterForm');
10    Route::get('/register/writer', 'Auth\RegisterController@showWriterRegisterForm');
11
12    Route::post('/login/admin', 'Auth\LoginController@adminLogin');
13    Route::post('/login/writer', 'Auth\LoginController@writerLogin');
14    Route::post('/register/admin', 'Auth\RegisterController@createAdmin');
15    Route::post('/register/writer', 'Auth\RegisterController@createWriter');
16
17    Route::view('/home', 'home')->middleware('auth');
18    Route::view('/admin', 'admin');
19    Route::view('/writer', 'writer');

Modify how our users are redirected if authenticated

It is important you modify how users are redirected when they are authenticated. Laravel by default redirects all authenticated users to /home. We will get the error below if we do not modify the redirection.

So, to solve that, open the app/Http/Controllers/Middleware/RedirectIfAuthenticated.php file and replace with this:

1// app/Http/Controllers/Middleware/RedirectIfAuthenticated.php
2
3    <?php
4
5    namespace App\Http\Middleware;
6
7    use Closure;
8    use Illuminate\Support\Facades\Auth;
9
10    class RedirectIfAuthenticated
11    {
12        public function handle($request, Closure $next, $guard = null)
13        {
14            if ($guard == "admin" && Auth::guard($guard)->check()) {
15                return redirect('/admin');
16            }
17            if ($guard == "writer" && Auth::guard($guard)->check()) {
18                return redirect('/writer');
19            }
20            if (Auth::guard($guard)->check()) {
21                return redirect('/home');
22            }
23
24            return $next($request);
25        }
26    }

The RedirectIfAuthenticated middleware receives the auth guard as a parameter. This middleware is triggered when we try to visit any page meant for authenticated users. We can then determine the type of authentication the user has and redirect them accordingly.

Modify authentication exception handler

There is a little annoying thing that would happen when a user is redirected. You would expect that if a user tries to access say /writer but is not authenticated, that the user is redirected to /login/writer, yes? Well, they don’t. They get redirected to /login which is not what we want.

To ensure that when a user tries to visit /writer they are redirected to /login/writer or the same for /admin, we have to modify the exception handler. Open the handler file in app/Exceptions and add the following:

1// app/Exceptions/Handler.php
2
3    <?php
4
5    namespace App\Exceptions;
6
7    use Exception;
8    use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
9    [...]
10    use Illuminate\Auth\AuthenticationException;
11    use Auth; 
12    [...]
13    class Handler extends ExceptionHandler
14    {
15       [...] 
16        protected function unauthenticated($request, AuthenticationException $exception)
17        {
18            if ($request->expectsJson()) {
19                return response()->json(['error' => 'Unauthenticated.'], 401);
20            }
21            if ($request->is('admin') || $request->is('admin/*')) {
22                return redirect()->guest('/login/admin');
23            }
24            if ($request->is('writer') || $request->is('writer/*')) {
25                return redirect()->guest('/login/writer');
26            }
27            return redirect()->guest(route('login'));
28        }
29    }

The unauthenticated method we just added resolves this issue we have. It receives an AuthenticationExpection exception by default which carries that guard information. Sadly, we cannot access that, because it is protected (hopefully, Laravel 5.7 will come with a way to access it).

Our workaround is to use request→is(). This checks the URL we are trying to access. It can also check the URL pattern if we do not have an absolute URL or if we have a route group.

In our case, we first check if we received a JSON request and handle the exception separately. Then we check if we are trying to access /admin or any URL preceded by admin. We redirect the user to the appropriate login page. We also do the check for writer as well.

This is a good workaround for us, but it means we must know the absolute URL we want to access, or at least have the same prefix for all routes that will be protected by our guard.

Run the application

Now that our application is ready, run the following command to get it up:

    $ php artisan serve

It should typically be available on http://localhost:8000.

Remember to visit http://localhost:8000/register/writer and http://localhost:8000/register/admin to register writers and admins respectively. Then visit http://localhost:8000/login/writer and http://localhost:8000/login/admin to login the writers and admins respectively.

Conclusion

In this tutorial, we dived deep into Laravel authentication. We defined multiple guards to handle multiple authentications and access control. We also handle redirection for authenticated user and redirection for an unauthenticated user.

If you followed this guide thoroughly, you will be able to set up the base authentication for an application with different user classes (possibly a multitenant application). Be that as it may, try extending what you have seen and share what you come up with.

The source code to the application in this article is available on GitHub.