You’ve learned a lot.
You should earn a lot.

Find a Job

Build a Laravel Application with User Authentication

Build a Laravel Application with User Authentication

With over 100,000 downloads per month, Laravel has quickly become one of the most popular web frameworks for PHP. Laravel makes it incredibly simple to build PHP applications by providing a huge number of built-in functionalities that you no longer need to build yourself.

One of those functionalities is robust authentication and authorization. I think it is safe to say that all great web applications built today need a robust authentication system. That's where Stormpath comes in. You never have to build auth again with Stormpath's Laravel integration, which handles all the authentication needs for you so you can focus on building an amazing web application. Plus, you don't even have to manage user data and security.

With only a few lines of code to your new Laravel application, you will instantly have access to all the views and logic you need to secure your application. This tutorial will go through the steps to get up and running in no time with features such as:

  • User registration and login.
  • Account verification via email.
  • Password reset via email.
  • Hosted and pre-built user interface screens

So, let’s dive in.

If you don’t already have a Stormpath account and application, you’ll need to create one now — you can do so here: https://api.stormpath.com/register

The rest of this article assumes you have a Stormpath account and API key pair.

Set up Your Laravel Application

We're going to start by building a simple Laravel application. This application will have a Login, Logout, and Register functionalities. After we get all of the basics installed, we will enable the Forgot Password workflows and work with middleware.

Install the Necessary Tools

The first step is to install all the tools needed to start this project. The following tools will be required:

Install Composer

Composer is a dependency manager for PHP. It is how Stormpath distributes all PHP Packages. Visit http://getcomposer.org and follow the instructions here to fully install composer. Once you have this installed, you should be able to type composer in terminal and see the output:

    > composer
      / ____/___  ____ ___  ____  ____  ________  _____
     / /   / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
    / /___/ /_/ / / / / / / /_/ / /_/ (__  )  __/ /
    \____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
    Composer version 1.0-dev (dc0627617935da9208124e580b9f0e39dd214ae5) 2015-12-01 14:57:35

The following message may appear. You can ignore it as this is just a notice about performance if you are using xdebug.

You are running composer with xdebug enabled. This has a major impact on runtime performance. See https://getcomposer.org/xdebug

Install Your Laravel Project

In this example, I use a tool called the Laravel Installer. It is a simple command line tool that lets you quickly install a new project. There are a few other ways you can install Laravel but they all require composer. Install the Laravel Installer by running composer global require "laravel/installer" Next, run the following to install the project.

laravel new my-stormpath-project

If you don’t want to use the installer, another option to install Laravel is with composer. Visit https://laravel.com/docs/5.2/#installing-laravel

You can now cd into my-stormpath-project and run php artisan. If everything installed correctly, you should see something like the following:

~/Sites/my-stormpath-project>  php artisan
Laravel Framework version 5.2.6

  command [options] [arguments]

Require the Stormpath Laravel Package

Requiring the Stormpath Laravel package is very simple with Composer. Open your composer.json file and add the following line to the require block:

"stormpath/laravel": "0.1.*"

At the time of writing this post, The package version is 0.1.0.

There are a few more settings that have to be configured to enable this package before you can run it. The first step is to take your API keys from Stormpath and put them into your .env file of your project. From the root of your project, open up .env and place the following at the end of the file replacing the necessary values.


After saving this file, We have to initialize the package. Open config/app.php and add the following to your providers section.

"providers" => [

You should now be able to start up the server using php artisan serve from the command line and visit http://localhost:8000/login. You should see the following login screen


Congratulations, you have installed stormpath/laravel! You now have basic login and registration capabilities without needing to build any logic or views at all.

Protect a Route with Stormpath

Out of the box, we provide you with a few different middleware options to protect your routes. We have stormpath.guest and stormpath.auth

stormpath.guest is set up so only un-authenticated users can see the route. This is useful for registration pages and pricing/upgrade pages. These are pages that registered users may not need to see.

stormpath.auth is the inverse of stormpath.guest. This middleware requires a user to be logged into the system to be able to view the route.

To set up a route, all you need to do is add the middleware to the route.

// This route is only accessible by a logged in user 
Route::get('protected', ['middleware' => ['stormpath.auth'], function() {
    return 'These are all the secrets!';

// This route is only accessible by a guest
Route::get('guests', ['middleware' => ['stormpath.guest'], function() {
    return 'You are a guest!';

By default. stormpath.guest middleware is enabled for login, register, forgot-password, and change-password routes.

Configure Your Laravel Integration

So far, we have touched on the basics of what this integration is able to do. We have built in many more features that can be enabled and configured within the Stormpath Configuration of the Package. In order to access and modify these, you will need to publish the vendor files. In Laravel, there is an artisan command to do this for us. From the root of your project in terminal, run php artisan vendor:publish and this will create a new file located at config/stormpath.php with all the configuration options that are available.

Enable Forgot/Reset Password Workflows

When building an application, a lot of people will either forget or incorrectly set up the forgot password and reset password workflows. If a developer does not want to manually reset user passwords all the time, they will want to offer a way for the user to do so. This can be a very insecure part of an application if it is not correctly set up.

We have made this easier for you and integrated it as part of the core package. By default, these workflows are turned off, but it is just a configuration option in the config/stormpath.php file that you need to enable. Find the forgotPassword key in the array and set enabled to true. You now have access to the Forgot password workflow by going to /forgot in your browser.

Forgot Password

This will begin the email flow for the forgot password workflow. The user will receive an email if the account is found. The email will include a link for them to reset their password. No crazy code is needed for you to set this up correctly and it is secure.

Set up Pre-Built Workflows

If you know about Stormpath, you may already know about ID Site. If you are unaware of what ID Site is, it is a set of hosted and pre-built user interface screens that take care of common identity functions for your applications — login, registration, and password reset. ID Site can be accessed via your own custom domain like id.mydomain.com and shared across multiple applications to create centralized authentication as needed.

We wanted to make an easy way for you to use ID Site in Laravel. There are a couple of things that need to be done to enabled ID Site. Steps for setting up ID Site can be found in the Stormpath docs.

To enable the package to use ID site for all your requests, open up the file config/stormpath.php and you will see a full list of available options. The one we are looking for can be found towards the bottom of the file in the web->idsite setting. We want to mark it as enabled for ID Site to work. Now, any of the features that are enabled will use ID site by default.

Wrapping Up

By completing the steps above, you should now be able to create a secure application quickly without much work to do. Let's review what we accomplished in this tutorial:

  • Added Login, Logout, and Register functionalities to your Larvel application.
  • Customized middleware options to protect your routes.
  • Enabled hosted and pre-built user interface screens for password reset.

If you have questions or want to learn more catch me on Twitter @bretterer or drop a line over to support anytime.

Brian Retterer

Brian Retterer has been working with PHP since the release of PHP 5. He has contributed to a number of private projects and consulted on many others. Brian is now working as the PHP Developer Evangelist for Stormpath where his roles include creating integrations in other frameworks to allow the use of the SDK, and managing the development of the Stormpath PHP SDK.