ghostcompiler/laravel-auth
==========================

Headless Laravel authentication security with TOTP 2FA, passkeys, trusted devices, recovery codes, and Socialite-powered social login helpers.

v1.0.2 · MIT · PHP ^8.2

[Source](https://github.com/ghostcompiler/laravel-auth) · [Packagist](https://packagist.org/packages/ghostcompiler/laravel-auth)

LaravelAuth
===========

Headless Laravel authentication hardening with:

- TOTP 2FA
- recovery codes
- passkeys via WebAuthn
- email, SMS, and WhatsApp OTP
- trusted devices
- Socialite-based social account linking
- runtime tenant OAuth credentials for social login

This package does not replace your login system. It adds security layers on top of your existing auth flow.

Requirements
------------

- PHP 8.2+
- Laravel 10, 11, 12, or 13
- database access for package tables
- HTTPS for browser passkey flows
- `laravel/socialite` support for social login helpers

Installation
------------

```
composer require ghostcompiler/laravel-auth
php artisan ghost:laravel-auth
php artisan migrate
```

Force republishing if you want to overwrite previously published files:

```
php artisan ghost:laravel-auth --force
```

What `ghost:laravel-auth` publishes:

- `config/laravel-auth.php`
- one package migration file
- package OTP views to `resources/views/vendor/laravel-auth`
- SMS and WhatsApp transport stubs to `app/LaravelAuth`

Publish only OTP assets later if needed:

```
php artisan laravel-auth:otp:publish
```

Local Package Development
-------------------------

To test this package from another Laravel app through a local path repository:

```
{
  "repositories": [
    {
      "type": "path",
      "url": "/Users/ghostcompiler/Desktop/GhostCompiler/laravel-auth",
      "options": {
        "symlink": true
      }
    }
  ],
  "require": {
    "ghostcompiler/laravel-auth": "*"
  }
}
```

Then in the app:

```
composer require ghostcompiler/laravel-auth
php artisan ghost:laravel-auth
php artisan migrate
php artisan optimize:clear
```

If the app does not pick up local changes automatically:

```
composer update ghostcompiler/laravel-auth
composer dump-autoload
php artisan optimize:clear
```

What The Package Adds
---------------------

Middleware aliases:

- `2fa`
- `laravel-auth.2fa`
- `laravel-auth.enforce`
- `laravel-auth.throttle`

Published config:

- `config/laravel-auth.php`

Main facade contract:

- `src/Contracts/LaravelAuthManager.php`

Single package migration:

- `database/migrations/2026_04_12_000001_create_laravel_auth_schema.php`

Database objects created:

- user table columns:
    - `laravel_auth_totp_secret`
    - `laravel_auth_two_factor_enabled`
    - `laravel_auth_confirmed_at`
- `laravel_auth_recovery_codes`
- `laravel_auth_trusted_devices`
- `laravel_auth_passkeys`
- `laravel_auth_webauthn_challenges`
- `laravel_auth_social_accounts`
- `laravel_auth_otp_challenges`

Current Defaults
----------------

From the package config:

- `enforce_2fa` is `true`
- 2FA enforcement is pushed into the `web` middleware group
- OTP TTL is 300 seconds
- OTP max attempts is 5
- rate limit decay is 60 seconds
- TOTP uses 6 digits, 30-second period, 1-step window
- trusted devices are bound to user agent by default
- trusted-device IP binding is off by default
- WhatsApp OTP is disabled by default
- social runtime stateless mode defaults to `false`
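What the TOTP defaults above mean at verification time, as an added example that is not the package's own code: a standalone RFC 6238 check with 6 digits, a 30-second period and a 1-step window. It assumes "1-step window" means one step either side of the current one, and the function names and the `$lastStep` replay guard are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not the package's API.
// $secret is the raw key bytes (base32 decoding of the stored secret is omitted).

/** RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Returns the matched time step, or null when the code is rejected.
 * $lastStep is the last step already accepted for this user; a code for a
 * step <= $lastStep is refused so a captured code cannot be replayed.
 */
function verifyTotp(string $secret, string $code, int $now, ?int $lastStep = null,
    int $period = 30, int $window = 1, int $digits = 6): ?int
{
    if (!preg_match('/^\d{' . $digits . '}\z/', $code)) {
        return null;
    }
    $current = intdiv($now, $period);
    $matched = null;
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        // hash_equals compares in constant time; the loop never exits early.
        if (hash_equals(hotp($secret, $step, $digits), $code)
            && ($lastStep === null || $step > $lastStep)) {
            $matched = $step;
        }
    }
    return $matched;
}

// Constructed demo using the ASCII test secret from the RFC 4226/6238 appendices.
$secret = '12345678901234567890';
$code = hotp($secret, intdiv(59, 30));          // code generated at t = 59 s
var_dump(verifyTotp($secret, $code, 59));       // presented in the same step
var_dump(verifyTotp($secret, $code, 89));       // presented one step later
var_dump(verifyTotp($secret, $code, 120));      // presented two or more steps later
var_dump(verifyTotp($secret, $code, 59, 1));    // presented again after step 1 was used
```

Under that reading of the window, a code can be accepted for up to about 90 seconds, so storing the last accepted step per user is what stops a second use inside that interval.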

Recommended Base Route Protection
---------------------------------

```
use Illuminate\Support\Facades\Route;

Route::middleware(['auth', 'laravel-auth.2fa'])->group(function () {
    Route::get('/billing', fn () => 'protected');
    Route::get('/settings/security', fn () => 'security');
});
```

Add throttling to sensitive verification endpoints:

```
Route::post('/security/otp/verify', [SecurityController::class, 'verifyOtp'])
    ->middleware(['auth', 'laravel-auth.throttle:otp']);

Route::post('/security/passkey/verify', [SecurityController::class, 'verifyPasskey'])
    ->middleware(['auth', 'laravel-auth.throttle:passkey']);
```

TOTP 2FA Setup
--------------

Enable 2FA for a user:

```
$setup = LaravelAuth::enable2FA(auth()->user());

return response()->json([
    'secret' => $setup['secret'],
    'otpauth_uri' => $setup['otpauth_uri'],
]);
```

Confirm setup:

```
$result = LaravelAuth::confirmTwoFactorSetup(
    auth()->user(),
    $request->string('code')
);

return response()->json([
    'recovery_codes' => $result['recovery_codes'],
]);
```

Disable 2FA:

```
LaravelAuth::disable2FA(auth()->user());
```

Demo 2FA Controller
-------------------

```
