However, you may use middleware to verify that the user is authenticated before allowing the user access to certain routes / controllers. To learn more about this, check out the documentation on
Protecting Routes
Route middleware can be used to allow only authenticated users to access a given route. Laravel ships with the auth middleware, which is defined in app\Http\Middleware\Authenticate.php. All you need to do is attach the middleware to a route definition:
Of course, if you are using controller classes, you may call the middleware method from the controller's constructor instead of attaching it in the route definition directly:
Authentication Throttling
If you are using Laravel's built-in AuthController class, the Illuminate\Foundation\Auth\ThrottlesLogins trait may be used to throttle login attempts to your application. By default, the user will not be able to log in for one minute if they fail to provide the correct credentials after several attempts. The throttling is unique to the user's username / e-mail address and their IP address:
Of course, you are not required to use the authentication controllers included with Laravel. If you choose to remove these controllers, you will need to manage user authentication using the Laravel authentication classes directly. Don't worry, it's a cinch!
We will access Laravel's authentication services via the Auth facade, so we'll need to make sure to import the Auth facade at the top of the class. Next, let's check out the attempt method:
The attempt method accepts an array of key / value pairs as its first argument. The values in the array will be used to find the user in your database table. So, in the example above, the user will be retrieved by the value of the email column. If the user is found, the hashed password stored in the database will be compared with the hashed password value passed to the method via the array. If the two hashed passwords match, an authenticated session will be started for the user.
The attempt method will return true if authentication was successful. Otherwise, false will be returned.
The intended method on the redirector will redirect the user to the URL they were attempting to access before being caught by the authentication filter. A fallback URI may be given to this method in case the intended destination is not available.
If you wish, you may also add extra conditions to the authentication query in addition to the user's e-mail and password. For example, we may verify that the user is marked as "active":
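A manual login action that ties together attempt, its boolean result, the intended redirect and the extra "active" condition. This is an added example, not code from the original page; the LoginController and authenticate names, the integer active column and the dashboard fallback URI are assumptions, and it relies on the default application skeleton's base Controller for the validate method.

```php
<?php

namespace App\Http\Controllers;

use Auth;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    /**
     * Handle a login form submission (hypothetical controller and method names).
     */
    public function authenticate(Request $request)
    {
        // Reject malformed input before it reaches the authentication query.
        $this->validate($request, [
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        // Build the array from named fields only, so extra request input
        // can never add conditions or override 'active'.
        $credentials = [
            'email'    => $request->input('email'),
            // Pass the password as submitted; do not hash it yourself.
            // The guard verifies it against the hash stored for the user.
            'password' => $request->input('password'),
            // Extra condition: assumes an integer "active" column on the users table.
            'active'   => 1,
        ];

        if (Auth::attempt($credentials)) {
            // attempt() returned true: an authenticated session has been started.
            // Send the user where they were headed, or to the assumed
            // fallback URI "dashboard" if no intended URL was recorded.
            return redirect()->intended('dashboard');
        }

        // attempt() returned false. Use one message for an unknown e-mail,
        // a wrong password and an inactive account, so the response does not
        // reveal which accounts exist. Never flash the password back.
        return redirect()->back()
            ->withInput($request->only('email'))
            ->withErrors(['email' => 'These credentials do not match our records.']);
    }
}
```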