Authentication Guide
Last Updated: 2026-01-14
Status: Implemented
Plan Reference: 003-authentication-system.md, 114-marketing-site.md
Overview
The authentication system provides secure user login, registration, password management, email verification, and two-factor authentication (2FA). Built on Laravel Breeze with multi-domain support, all authentication happens at the marketing site (scopeforged.com) with role-based redirects to the appropriate subdomain:
- Admin users →
admin.scopeforged.com
- Client users →
portal.scopeforged.com
Sessions are shared across all subdomains via SESSION_DOMAIN=.scopeforged.com.
Table of Contents
- Accessing Authentication
- Features
- How to Use
- Two-Factor Authentication
- Technical Architecture
- Related Features
Accessing Authentication
Public Routes (Guest Only) - Marketing Domain
All authentication routes are hosted on the marketing domain (scopeforged.com):
| Page | URL | Route Name |
|---|
| Login | scopeforged.com/login | login |
| Signup | scopeforged.com/signup | marketing.signup |
| Forgot Password | scopeforged.com/forgot-password | password.request |
| Reset Password | scopeforged.com/reset-password/{token} | password.reset |
| 2FA Challenge | scopeforged.com/two-factor-challenge | two-factor.challenge |
Authenticated Routes
| Page | URL | Route Name |
|---|
| Email Verification | /verify-email | verification.notice |
| Confirm Password | /confirm-password | password.confirm |
| Update Password | /password (PUT) | password.update |
| Logout | /logout (POST) | logout |
| 2FA Settings | /two-factor | two-factor.show |
Features
Core Authentication
- Login: Email/password authentication with "Remember Me" option
- Logout: Secure session termination
- Registration: New user signup (defaults to client role)
- Password Reset: Email-based password recovery
- Email Verification: Verify email addresses before full access
Security Features
- Two-Factor Authentication: TOTP-based 2FA with recovery codes
- Rate Limiting: Throttling on sensitive endpoints
- Session Management: Secure session handling
- Password Confirmation: Re-confirm password for sensitive actions
Role-Based Redirects
After login at scopeforged.com/login, users are redirected based on their role:
- Admin users →
admin.scopeforged.com (Admin Dashboard)
- Client users →
portal.scopeforged.com (Client Portal Dashboard)
Unauthenticated Access Handling
When an unauthenticated user attempts to access protected routes:
- Portal routes (
portal.scopeforged.com/*) → Redirect to scopeforged.com/login
- Admin routes (
admin.scopeforged.com/*) → Redirect to scopeforged.com/login
This is configured in bootstrap/app.php:
$middleware->redirectGuestsTo(fn () => marketing_url('/login'));
How to Use
Logging In
- Navigate to
/login
- Enter your email address
- Enter your password
- Optionally check "Remember me" to stay logged in
- Click "Log in"
- If 2FA is enabled, enter your authentication code
- You'll be redirected to your dashboard
Registering a New Account
- Navigate to
/register
- Enter your name
- Enter your email address
- Create a password (min 8 characters)
- Confirm your password
- Click "Register"
- Check your email for verification link
- Click the verification link to activate your account
Resetting Your Password
- Navigate to
/forgot-password
- Enter your email address
- Click "Email Password Reset Link"
- Check your email for the reset link
- Click the link and enter your new password
- Confirm the new password
- Click "Reset Password"
Updating Your Password
- Log in to your account
- Navigate to your profile settings
- Enter your current password
- Enter your new password
- Confirm the new password
- Click "Update Password"
Two-Factor Authentication
Enabling 2FA
- Navigate to
/two-factor
- Click "Enable Two-Factor Authentication"
- Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.)
- Enter the 6-digit code from your app
- Save your recovery codes in a secure location
Using 2FA at Login
- Enter your email and password
- You'll be redirected to the 2FA challenge page
- Enter the 6-digit code from your authenticator app
- Or use a recovery code if you don't have access to your app
Disabling 2FA
- Navigate to
/two-factor
- Click "Disable Two-Factor Authentication"
- Confirm your password if prompted
Regenerating Recovery Codes
- Navigate to
/two-factor
- Click "Regenerate Recovery Codes"
- Save the new codes in a secure location
- Old codes will no longer work
Technical Architecture
Controllers
Marketing Domain (Primary Auth)
| Controller | Purpose |
|---|
Marketing\AuthController | Login, signup, logout, password reset with role-based redirects |
Legacy Breeze Controllers (for 2FA and email verification)
| Controller | Purpose |
|---|
AuthenticatedSessionController | Login/logout handling (legacy) |
RegisteredUserController | User registration (legacy) |
PasswordResetLinkController | Send password reset emails |
NewPasswordController | Process password resets |
VerifyEmailController | Email verification |
EmailVerificationPromptController | Show verification notice |
EmailVerificationNotificationController | Resend verification |
ConfirmablePasswordController | Password confirmation |
PasswordController | Update password |
TwoFactorController | 2FA setup and management |
TwoFactorChallengeController | 2FA login challenge |
Routes Summary
# Guest Routes
GET|POST /login - Login
GET|POST /register - Registration
GET|POST /forgot-password - Password reset request
GET|POST /reset-password - Password reset
# Authenticated Routes
POST /logout - Logout
GET /verify-email - Verification notice
GET /verify-email/{id} - Verify email
POST /email/verification-notification - Resend verification
GET|POST /confirm-password - Password confirmation
PUT /password - Update password
# Two-Factor Routes
GET /two-factor - 2FA settings
POST /two-factor/setup - Enable 2FA
POST /two-factor/confirm - Confirm 2FA setup
DELETE /two-factor - Disable 2FA
POST /two-factor/regenerate-codes - New recovery codes
GET|POST /two-factor-challenge - 2FA login challenge
Database Tables
| Table | Purpose |
|---|
users | User accounts with role, email, password |
password_reset_tokens | Password reset tokens |
sessions | Active user sessions |
Key User Model Methods
// Check if user is admin
$user->isAdmin(): bool
// Check if user is client
$user->isClient(): bool
// Check if email is verified
$user->hasVerifiedEmail(): bool
Middleware
| Middleware | Alias | Purpose |
|---|
Authenticate | auth | Require authentication |
RedirectIfAuthenticated | guest | Redirect logged-in users |
EnsureEmailIsVerified | verified | Require email verification |
ValidateSignature | signed | Validate signed URLs |
Dependencies
| Feature | Relationship |
|---|
| Database Schema | Users table structure |
| Mail System | Sends verification and reset emails |
Complementary Features
Configuration
Environment Variables
# Session Configuration
SESSION_DRIVER=database
SESSION_LIFETIME=120
# Mail Configuration (for verification/reset emails)
MAIL_MAILER=smtp
MAIL_HOST=smtp.example.com
MAIL_PORT=587
MAIL_USERNAME=your-username
MAIL_PASSWORD=your-password
MAIL_FROM_ADDRESS=noreply@example.com
MAIL_FROM_NAME="${APP_NAME}"
Security Settings
- Password minimum: 8 characters
- Login throttle: 5 attempts per minute
- 2FA throttle: 5 attempts per minute
- Session lifetime: 120 minutes (configurable)
- Remember me: 2 weeks
Troubleshooting
| Issue | Solution |
|---|
| Can't login | Check email/password; verify account is not locked |
| Not receiving emails | Check spam folder; verify mail configuration |
| 2FA code not working | Ensure device time is synced; try recovery code |
| Session expires quickly | Check SESSION_LIFETIME in .env |
| "Email not verified" error | Click verification link in email |
See Also