Laravel Stateless Authentication with Auth::once(): Secure Single-Request Login
Laravel's Auth::once() method provides a powerful way to authenticate users for a single request without creating persistent sessions. This stateless authentication approach is perfect for API endpoints, temporary access scenarios, and situations where you need authentication without the overhead of session management.
Understanding Auth::once()
Unlike traditional authentication that creates sessions and cookies, Auth::once() authenticates a user only for the current request. Once the request completes, the authentication state is lost.
Basic Usage
Route::post('/api/temporary-access', function (Request $request) {
$credentials = $request->validate([
'email' => 'required|email',
'password' => 'required',
]);
if (Auth::once($credentials)) {
return response()->json([
'user' => auth()->user(),
'message' => 'Authenticated for this request only'
]);
}
return response()->json(['error' => 'Invalid credentials'], 401);
});
API Authentication Without Tokens
RESTful API with Credentials
// API routes using Auth::once()
Route::prefix('api/auth-once')->group(function() {
Route::post('user/profile', function(Request $request) {
$credentials = $request->validate([
'email' => 'required|email',
'password' => 'required',
]);
if (!Auth::once($credentials)) {
return response()->json(['error' => 'Unauthorized'], 401);
}
$user = auth()->user();
return response()->json([
'id' => $user->id,
'name' => $user->name,
'email' => $user->email,
'profile' => $user->profile,
'preferences' => $user->preferences,
'last_login' => $user->last_login_at,
]);
});
Route::post('user/orders', function(Request $request) {
$credentials = $request->validate([
'email' => 'required|email',
'password' => 'required',
]);
if (!Auth::once($credentials)) {
return response()->json(['error' => 'Unauthorized'], 401);
}
$user = auth()->user();
$orders = $user->orders()
->with(['items.product', 'shipping', 'payment'])
->latest()
->paginate(20);
return response()->json([
'orders' => $orders,
'total_orders' => $user->orders()->count(),
'total_spent' => $user->orders()->sum('total'),
]);
});
Route::post('user/update-profile', function(Request $request) {
$credentials = $request->validate([
'email' => 'required|email',
'password' => 'required',
]);
if (!Auth::once($credentials)) {
return response()->json(['error' => 'Unauthorized'], 401);
}
$user = auth()->user();
$profileData = $request->validate([
'name' => 'sometimes|string|max:255',
'phone' => 'sometimes|string|max:20',
'bio' => 'sometimes|string|max:1000',
'avatar' => 'sometimes|image|max:2048',
]);
if (isset($profileData['avatar'])) {
$profileData['avatar_url'] = $request->file('avatar')
->store('avatars', 'public');
unset($profileData['avatar']);
}
$user->update($profileData);
return response()->json([
'message' => 'Profile updated successfully',
'user' => $user->fresh(),
]);
});
});
Advanced API Authentication Service
// app/Services/StatelessAuthService.php
<?php
namespace App\Services;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\RateLimiter;
use App\Models\User;
use Carbon\Carbon;
class StatelessAuthService
{
public function authenticateOnce(array $credentials, array $options = [])
{
$email = $credentials['email'] ?? null;
if (!$email) {
return false;
}
// Rate limiting
$rateLimitKey = 'auth-once:' . $email . ':' . request()->ip();
if (RateLimiter::tooManyAttempts($rateLimitKey, 5)) {
$seconds = RateLimiter::availableIn($rateLimitKey);
throw new \Exception("Too many attempts. Try again in {$seconds} seconds.");
}
// Attempt authentication
$authenticated = Auth::once($credentials);
if (!$authenticated) {
RateLimiter::hit($rateLimitKey, 300); // 5 minute decay
return false;
}
// Clear rate limit on successful authentication
RateLimiter::clear($rateLimitKey);
$user = auth()->user();
// Additional security checks
if (!$this->performSecurityChecks($user, $options)) {
Auth::logout(); // Clear the authentication for this request
return false;
}
// Log the authentication event
$this->logAuthenticationEvent($user);
return true;
}
public function authenticateWithToken($email, $token)
{
$user = User::where('email', $email)->first();
if (!$user || !$user->hasValidApiToken($token)) {
return false;
}
// Use Auth::once() with user ID for token-based auth
return Auth::once(['id' => $user->id]);
}
public function authenticateTemporaryUser($tempUserId, $signature)
{
$expectedSignature = hash_hmac('sha256', $tempUserId, config('app.key'));
if (!hash_equals($expectedSignature, $signature)) {
return false;
}
$tempUser = $this->createOrRetrieveTempUser($tempUserId);
return Auth::once(['id' => $tempUser->id]);
}
private function performSecurityChecks($user, $options)
{
// Check if user is active
if (!$user->is_active) {
return false;
}
// Check for IP restrictions if enabled
if ($options['check_ip'] ?? false) {
$allowedIps = $user->allowed_ips ?? [];
if (!empty($allowedIps) && !in_array(request()->ip(), $allowedIps)) {
return false;
}
}
// Check for time-based restrictions
if ($options['business_hours_only'] ?? false) {
$now = Carbon::now($user->timezone ?? 'UTC');
if ($now->hour < 9 || $now->hour > 17 || $now->isWeekend()) {
return false;
}
}
// Check for two-factor authentication requirement
if ($user->two_factor_enabled && ($options['require_2fa'] ?? false)) {
$twoFactorCode = request()->input('2fa_code');
if (!$twoFactorCode || !$this->verifyTwoFactorCode($user, $twoFactorCode)) {
return false;
}
}
return true;
}
private function logAuthenticationEvent($user)
{
$user->authentication_logs()->create([
'type' => 'auth_once',
'ip_address' => request()->ip(),
'user_agent' => request()->userAgent(),
'authenticated_at' => now(),
'additional_data' => [
'endpoint' => request()->path(),
'method' => request()->method(),
],
]);
}
private function createOrRetrieveTempUser($tempUserId)
{
// Create or retrieve a temporary user for guest operations
return User::firstOrCreate(
['temp_user_id' => $tempUserId],
[
'name' => 'Temporary User',
'email' => "temp_{$tempUserId}@temp.local",
'password' => Hash::make(str()->random(32)),
'is_temporary' => true,
'expires_at' => now()->addHours(24),
]
);
}
}
Guest Checkout System
E-commerce Guest Authentication
// Guest checkout with temporary authentication
Route::prefix('checkout/guest')->name('checkout.guest.')->group(function() {
Route::post('start', function(Request $request) {
$guestData = $request->validate([
'email' => 'required|email',
'name' => 'required|string|max:255',
'phone' => 'required|string|max:20',
]);
// Create or find guest user
$guestUser = User::firstOrCreate(
['email' => $guestData['email']],
[
'name' => $guestData['name'],
'phone' => $guestData['phone'],
'password' => Hash::make(str()->random(32)),
'is_guest' => true,
'email_verified_at' => null,
]
);
// Generate secure token for guest session
$guestToken = hash_hmac('sha256', $guestUser->id . now()->timestamp, config('app.key'));
// Store token temporarily
cache()->put("guest_token_{$guestUser->id}", $guestToken, now()->addHours(2));
return response()->json([
'guest_id' => $guestUser->id,
'guest_token' => $guestToken,
'expires_at' => now()->addHours(2)->toISOString(),
]);
});
Route::post('place-order', function(Request $request) {
$guestId = $request->input('guest_id');
$guestToken = $request->input('guest_token');
// Verify guest token
$storedToken = cache()->get("guest_token_{$guestId}");
if (!$storedToken || !hash_equals($storedToken, $guestToken)) {
return response()->json(['error' => 'Invalid guest session'], 401);
}
// Authenticate guest user for this request only
if (!Auth::once(['id' => $guestId])) {
return response()->json(['error' => 'Authentication failed'], 401);
}
$user = auth()->user();
// Validate order data
$orderData = $request->validate([
'items' => 'required|array',
'items.*.product_id' => 'required|exists:products,id',
'items.*.quantity' => 'required|integer|min:1',
'shipping_address' => 'required|array',
'billing_address' => 'required|array',
'payment_method' => 'required|string',
]);
// Create order for guest user
$order = $user->orders()->create([
'status' => 'pending',
'total' => $this->calculateOrderTotal($orderData['items']),
'shipping_address' => $orderData['shipping_address'],
'billing_address' => $orderData['billing_address'],
'payment_method' => $orderData['payment_method'],
'is_guest_order' => true,
]);
// Add order items
foreach ($orderData['items'] as $itemData) {
$product = Product::find($itemData['product_id']);
$order->items()->create([
'product_id' => $product->id,
'quantity' => $itemData['quantity'],
'price' => $product->price,
'total' => $product->price * $itemData['quantity'],
]);
}
// Clear guest token after successful order
cache()->forget("guest_token_{$guestId}");
return response()->json([
'message' => 'Order placed successfully',
'order_id' => $order->id,
'order_number' => $order->order_number,
]);
});
Route::post('order-status', function(Request $request) {
$request->validate([
'order_id' => 'required|integer',
'email' => 'required|email',
]);
// Find guest user and authenticate for this request
$guestUser = User::where('email', $request->email)
->where('is_guest', true)
->first();
if (!$guestUser) {
return response()->json(['error' => 'Order not found'], 404);
}
// Authenticate guest for this request
if (!Auth::once(['id' => $guestUser->id])) {
return response()->json(['error' => 'Authentication failed'], 401);
}
$order = auth()->user()->orders()
->with(['items.product', 'tracking'])
->find($request->order_id);
if (!$order) {
return response()->json(['error' => 'Order not found'], 404);
}
return response()->json([
'order' => $order,
'status' => $order->status,
'tracking' => $order->tracking,
'estimated_delivery' => $order->estimated_delivery_date,
]);
});
});
Webhook Authentication
Secure Webhook Processing
// Webhook routes with Auth::once() for security
Route::prefix('webhooks')->group(function() {
Route::post('payment/stripe', function(Request $request) {
// Verify Stripe signature
$signature = $request->header('Stripe-Signature');
$payload = $request->getContent();
if (!$this->verifyStripeSignature($payload, $signature)) {
return response()->json(['error' => 'Invalid signature'], 401);
}
// Create temporary system user for webhook processing
$systemUser = User::where('email', 'system@webhooks.local')->first();
if (!$systemUser) {
$systemUser = User::create([
'name' => 'System Webhook User',
'email' => 'system@webhooks.local',
'password' => Hash::make(str()->random(32)),
'is_system' => true,
]);
}
// Authenticate system user for webhook processing
Auth::once(['id' => $systemUser->id]);
$webhookData = json_decode($payload, true);
// Process webhook based on event type
switch ($webhookData['type']) {
case 'payment_intent.succeeded':
$this->handlePaymentSuccess($webhookData['data']['object']);
break;
case 'payment_intent.payment_failed':
$this->handlePaymentFailure($webhookData['data']['object']);
break;
case 'customer.subscription.updated':
$this->handleSubscriptionUpdate($webhookData['data']['object']);
break;
}
return response()->json(['message' => 'Webhook processed successfully']);
});
Route::post('integration/slack', function(Request $request) {
$token = $request->input('token');
if (!$this->verifySlackToken($token)) {
return response()->json(['error' => 'Invalid token'], 401);
}
// Create integration user context
$integrationUser = User::where('email', 'integration@slack.local')->first();
if (!$integrationUser) {
$integrationUser = User::create([
'name' => 'Slack Integration',
'email' => 'integration@slack.local',
'password' => Hash::make(str()->random(32)),
'is_integration' => true,
]);
}
// Authenticate for this request
Auth::once(['id' => $integrationUser->id]);
$command = $request->input('command');
$text = $request->input('text');
// Process Slack command
$response = $this->processSlackCommand($command, $text);
return response()->json($response);
});
});
class WebhookAuthService
{
private function verifyStripeSignature($payload, $signature)
{
$secret = config('services.stripe.webhook_secret');
$computedSignature = hash_hmac('sha256', $payload, $secret);
return hash_equals($computedSignature, $signature);
}
private function verifySlackToken($token)
{
return hash_equals(config('services.slack.verification_token'), $token);
}
private function handlePaymentSuccess($paymentIntent)
{
$order = Order::where('payment_intent_id', $paymentIntent['id'])->first();
if ($order) {
$order->update([
'status' => 'paid',
'paid_at' => now(),
]);
// Send order confirmation
Mail::to($order->customer->email)->send(new OrderConfirmed($order));
}
}
private function processSlackCommand($command, $text)
{
switch ($command) {
case '/status':
return $this->getSystemStatus();
case '/deploy':
return $this->triggerDeployment($text);
case '/users':
return $this->getUserStats();
default:
return ['text' => 'Unknown command'];
}
}
}
Administrative Tools
Secure Admin Actions
// Admin tools using Auth::once() for enhanced security
Route::prefix('admin/tools')->middleware(['auth', 'role:super-admin'])->group(function() {
Route::post('impersonate', function(Request $request) {
$request->validate([
'user_id' => 'required|exists:users,id',
'password' => 'required',
]);
// Require password confirmation using Auth::once()
$admin = auth()->user();
if (!Auth::once(['email' => $admin->email, 'password' => $request->password])) {
return response()->json(['error' => 'Invalid password'], 401);
}
$targetUser = User::find($request->user_id);
// Log impersonation
activity()
->causedBy($admin)
->performedOn($targetUser)
->withProperties([
'ip_address' => request()->ip(),
'user_agent' => request()->userAgent(),
])
->log('admin_impersonation_started');
// Start impersonation session
session(['impersonating' => $targetUser->id, 'original_admin' => $admin->id]);
return response()->json([
'message' => 'Impersonation started',
'target_user' => $targetUser->only(['id', 'name', 'email']),
]);
});
Route::post('bulk-action', function(Request $request) {
$request->validate([
'action' => 'required|in:delete,suspend,activate,reset_password',
'user_ids' => 'required|array',
'user_ids.*' => 'exists:users,id',
'password' => 'required',
]);
// Require password confirmation for bulk actions
$admin = auth()->user();
if (!Auth::once(['email' => $admin->email, 'password' => $request->password])) {
return response()->json(['error' => 'Invalid password'], 401);
}
$users = User::whereIn('id', $request->user_ids)->get();
$results = [];
foreach ($users as $user) {
try {
switch ($request->action) {
case 'delete':
$user->delete();
break;
case 'suspend':
$user->update(['is_active' => false, 'suspended_at' => now()]);
break;
case 'activate':
$user->update(['is_active' => true, 'suspended_at' => null]);
break;
case 'reset_password':
$newPassword = str()->random(12);
$user->update(['password' => Hash::make($newPassword)]);
Mail::to($user->email)->send(new PasswordResetByAdmin($user, $newPassword));
break;
}
$results[] = ['user_id' => $user->id, 'status' => 'success'];
} catch (Exception $e) {
$results[] = ['user_id' => $user->id, 'status' => 'error', 'message' => $e->getMessage()];
}
}
// Log bulk action
activity()
->causedBy($admin)
->withProperties([
'action' => $request->action,
'user_ids' => $request->user_ids,
'results' => $results,
])
->log('admin_bulk_action');
return response()->json(['results' => $results]);
});
});
Testing Auth::once()
Unit Tests
// tests/Unit/StatelessAuthTest.php
<?php
namespace Tests\Unit;
use Tests\TestCase;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
class StatelessAuthTest extends TestCase
{
public function test_auth_once_authenticates_valid_credentials()
{
$user = User::factory()->create([
'password' => Hash::make('password123')
]);
$result = Auth::once([
'email' => $user->email,
'password' => 'password123'
]);
$this->assertTrue($result);
$this->assertEquals($user->id, auth()->id());
}
public function test_auth_once_fails_invalid_credentials()
{
$user = User::factory()->create([
'password' => Hash::make('password123')
]);
$result = Auth::once([
'email' => $user->email,
'password' => 'wrongpassword'
]);
$this->assertFalse($result);
$this->assertNull(auth()->user());
}
public function test_auth_once_does_not_create_session()
{
$user = User::factory()->create([
'password' => Hash::make('password123')
]);
Auth::once([
'email' => $user->email,
'password' => 'password123'
]);
// Auth::once should not create sessions
$this->assertEmpty(session()->all());
$this->assertNull(request()->session());
}
}
Feature Tests
// tests/Feature/StatelessApiTest.php
<?php
namespace Tests\Feature;
use Tests\TestCase;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
class StatelessApiTest extends TestCase
{
public function test_api_auth_once_endpoint()
{
$user = User::factory()->create([
'password' => Hash::make('password123')
]);
$response = $this->postJson('/api/temporary-access', [
'email' => $user->email,
'password' => 'password123'
]);
$response->assertOk()
->assertJsonStructure([
'user' => ['id', 'name', 'email'],
'message'
]);
}
public function test_guest_checkout_flow()
{
$response = $this->postJson('/checkout/guest/start', [
'email' => 'guest@example.com',
'name' => 'Guest User',
'phone' => '1234567890'
]);
$response->assertOk()
->assertJsonStructure([
'guest_id',
'guest_token',
'expires_at'
]);
$guestData = $response->json();
$orderResponse = $this->postJson('/checkout/guest/place-order', [
'guest_id' => $guestData['guest_id'],
'guest_token' => $guestData['guest_token'],
'items' => [
['product_id' => 1, 'quantity' => 2]
],
'shipping_address' => ['street' => '123 Main St'],
'billing_address' => ['street' => '123 Main St'],
'payment_method' => 'credit_card'
]);
$orderResponse->assertOk()
->assertJsonStructure([
'message',
'order_id',
'order_number'
]);
}
}
Best Practices
1. Always Validate Credentials
// ✅ Good: Always validate input
$credentials = $request->validate([
'email' => 'required|email',
'password' => 'required|min:8',
]);
if (Auth::once($credentials)) {
// Proceed with authenticated logic
}
// ❌ Bad: Using unvalidated input
if (Auth::once($request->only('email', 'password'))) {
// Potential security risk
}
2. Implement Rate Limiting
// Rate limit Auth::once attempts
$rateLimitKey = 'auth-once:' . $email . ':' . request()->ip();
if (RateLimiter::tooManyAttempts($rateLimitKey, 5)) {
abort(429, 'Too many authentication attempts');
}
3. Log Authentication Events
// Always log Auth::once usage for security auditing
if (Auth::once($credentials)) {
Log::info('Stateless authentication successful', [
'user_id' => auth()->id(),
'ip' => request()->ip(),
'endpoint' => request()->path(),
]);
}
Conclusion
Laravel's Auth::once() method provides a secure, efficient way to handle stateless authentication scenarios. It's perfect for:
- API endpoints that need authentication without session overhead
- Guest checkout processes with temporary user contexts
- Webhook processing with secure system authentication
- Administrative tools requiring password re-confirmation
- Temporary access scenarios
By mastering Auth::once(), you can build more secure, scalable applications that handle authentication elegantly without the complexity of session management. Remember to always implement proper validation, rate limiting, and logging for production use.