Authentication

Multi-Strategy Authentication

Wedissimo supports three authentication strategies:

1. Session-Based (Web)

For Livewire/Blade interfaces using the web guard.

2. Sanctum Tokens (API)

For API authentication using bearer tokens via the auth:sanctum middleware.

Remember Me Functionality

API clients can request long-lived authentication tokens by passing a remember parameter during login or OAuth flows.

Token Lifetimes:

  • Regular tokens: 120 minutes (2 hours)
  • Remember me tokens: 43,200 minutes (30 days)

Regular Email/Password Login:

```http
POST /api/login
{
  "email": "user@example.com",
  "password": "secure-password",
  "remember": true
}
```

Google OAuth Flow:

  1. Request the OAuth URL with the remember preference:

```http
GET /api/auth/google?remember=true
```

Response:

```json
{
  "data": {
    "auth_url": "https://accounts.google.com/o/oauth2/auth?state=..."
  }
}
```

  2. After the user authorizes, Google redirects to the callback with the remember preference encoded in the state parameter.

  3. The callback returns a token with the appropriate expiration.

Token Response:

```json
{
  "data": {
    "id": "user-uuid",
    "email": "user@example.com",
    "token": "1|abc123...",
    ...
  }
}
```

Token Identification:

Remember me tokens are prefixed with remember_ in the personal_access_tokens table for easy identification in logs and security audits.

Security Considerations:

  • Rate limiting: OAuth endpoints are limited to 5 requests per minute per IP
  • Activity logging: Remember token creation is logged for security monitoring
  • User validation: Soft-deleted users cannot create tokens
  • Token revocation: Users should be able to revoke long-lived tokens through account settings

Environment Configuration:

```env
# Regular token lifetime (minutes)
TOKEN_LIFETIME=120

# Remember me token lifetime (minutes) - 30 days
SANCTUM_REMEMBER_EXPIRATION=43200
```
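The rules above (lifetime chosen by the remember flag, the remember_ prefix, the soft-delete check and creation logging) combined in one login action, as an added example rather than Wedissimo's own code. It assumes Sanctum 3.x (createToken accepts an expiry), that config/sanctum.php exposes the two env values as sanctum.token_lifetime and sanctum.remember_expiration, and that the User model uses SoftDeletes.

```php
<?php
// Added example, not Wedissimo's own code. Assumes config/sanctum.php exposes
// TOKEN_LIFETIME as sanctum.token_lifetime and SANCTUM_REMEMBER_EXPIRATION as
// sanctum.remember_expiration, and that App\Models\User uses SoftDeletes.
namespace App\Http\Controllers\Api;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\ValidationException;

class LoginController
{
    public function __invoke(Request $request)
    {
        $data = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
            'remember' => ['sometimes', 'boolean'],
        ]);

        // SoftDeletes' global scope hides trashed rows, so a soft-deleted user
        // fails the lookup and never reaches createToken().
        $user = User::where('email', $data['email'])->first();
        if (! $user || ! Hash::check($data['password'], $user->password)) {
            throw ValidationException::withMessages(['email' => 'Invalid credentials.']);
        }

        $remember = (bool) ($data['remember'] ?? false);
        // 120 minutes by default, 43,200 minutes (30 days) for remember-me.
        $minutes = $remember
            ? (int) config('sanctum.remember_expiration', 43200)
            : (int) config('sanctum.token_lifetime', 120);

        // The prefix is stored in personal_access_tokens.name, which is what
        // audits and log searches key on.
        $name = ($remember ? 'remember_' : '') . 'api';
        $token = $user->createToken($name, ['*'], now()->addMinutes($minutes));
        if ($remember) {
            Log::info('remember token created', ['user_id' => $user->id, 'ip' => $request->ip()]);
        }

        return response()->json(['data' => [
            'id'    => $user->id,
            'email' => $user->email,
            'token' => $token->plainTextToken,
        ]]);
    }
}
```

Register the route behind Laravel's throttle:5,1 middleware if the login endpoint should carry the same 5 requests per minute per IP limit stated for the OAuth endpoints.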

3. Magic Links (Passwordless)

Signed URLs for passwordless authentication via the MagicLink module.

User Roles

Using Spatie Permission package:

  • super_admin - Full system access
  • wedissimo_admin - Platform administration
  • wedissimo_user - Platform user
  • vendor - Service provider
  • couple - Wedding couple
  • user - Basic authenticated user

Middleware

```php
// API routes requiring authentication
Route::middleware(['api', 'auth:sanctum'])->group(function () {
    // Protected routes
});

// Web routes requiring authentication
Route::middleware(['web', 'auth'])->group(function () {
    // Protected routes
});
```

Role Checking

```php
// Check role
if ($user->hasRole('vendor')) {
    // Vendor-specific logic
}

// Check permission
if ($user->can('edit-listing')) {
    // Allow editing
}
```

For complete authentication details, see Architecture.

Wedissimo API Documentation