To secure routes in a Laravel application, use authentication and middleware. First, apply the built-in auth middleware to restrict access to authenticated users via route definitions or controller constructors. Second, create custom middleware like EnsureUserIsAdmin for role-based restrictions, register it in Kernel.php, and apply it to routes alongside auth. Third, secure API routes using Laravel Sanctum by assigning API tokens and applying the auth:sanctum middleware, ensuring tokens are included in the Authorization header during requests.

When building a Laravel application, securing routes is essential to protect sensitive functionality and data. This typically involves using authentication and middleware — two powerful tools Laravel provides out of the box. Let’s break down how to use them effectively.

How Authentication Protects Routes

Laravel comes with a built-in authentication system that makes it easy to verify users before allowing access to certain parts of your app. The most straightforward way to secure a route is by using the auth middleware.

For example, if you have a dashboard page that should only be visible to logged-in users, you can apply the middleware directly in your route definition:

Route::get('/dashboard', function () {
    return view('dashboard');
})->middleware('auth');

Behind the scenes, this checks whether the user is authenticated. If not, they’ll be redirected to the login page. No need for extra checks — Laravel handles it all.

You can also apply this in a controller constructor, which is cleaner when dealing with multiple methods:

public function __construct()
{
    $this->middleware('auth');
}

This ensures that any method in the controller is only accessible to authenticated users.

Using Custom Middleware for Specific Access Rules

Sometimes just being logged in isn’t enough — you might want to restrict access based on roles or permissions. That’s where custom middleware comes in handy.

Let’s say you have an admin area that only users with the “admin” role can access. First, create the middleware:

php artisan make:middleware EnsureUserIsAdmin

Then, in the generated file under app/Http/Middleware, add your logic:

public function handle($request, $next)
{
    if (! $request->user()->isAdmin()) {
        abort(403, 'Unauthorized action.');
    }

    return $next($request);
}

Register the middleware in app/Http/Kernel.php under $routeMiddleware:

'admin' => \App\Http\Middleware\EnsureUserIsAdmin::class,

Now you can apply it like any other middleware:

Route::get('/admin', function () {
    return view('admin.dashboard');
})->middleware(['auth', 'admin']);

This way, only authenticated users who pass the admin check can access the route.

• You can stack multiple middleware layers.
• Order matters: the request goes through them from left to right.
• Always test unauthorized access scenarios during development.

Securing API Routes with Token or Sanctum Authentication

If you're building an API with Laravel, traditional session-based auth won’t cut it. Instead, you can use Laravel Sanctum or Passport for token-based authentication.

With Sanctum, each user gets an API token. When defining API routes, use the auth:sanctum guard:

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

To generate tokens, you can do something like this in your controller:

$token = $user->createToken('API Token Name')->plainTextToken;

Make sure to include this token in the Authorization header when making requests:

Authorization: Bearer [your-token-here]

Sanctum is lightweight and perfect for SPAs or mobile apps that communicate with your Laravel backend.

That covers the main ways to secure Laravel routes — using built-in auth, creating custom middleware for specific rules, and handling API access. It's not complicated once you understand how the pieces fit together, but it’s easy to miss small details like middleware order or token setup.

The above is the detailed content of Securing Laravel routes with authentication and middleware. For more information, please follow other related articles on the PHP Chinese website!