
Overview

NutriFit builds its authentication on Laravel Fortify, which provides user registration, login, password management, and two-factor authentication (2FA).
The features rely on Fortify's and Laravel's defaults: hashed passwords, CSRF-protected forms, signed and time-limited email verification links, and rate-limited login and 2FA endpoints.

Features

The authentication system includes:
  • User registration with email verification
  • Secure login with rate limiting
  • Password reset and recovery
  • Two-factor authentication (2FA)
  • Email validation with DNS/MX checking
  • Data consent tracking
  • Social authentication (Google OAuth)

Registration

User Registration Flow

New users register as patients by default (role_id: 3). The registration process includes:
  1. Email and password validation
  2. Data consent agreement
  3. Email verification requirement
  4. Welcome email after verification
<?php

namespace App\Actions\Fortify; // Fortify's default location for this action

use App\Models\User;
use App\Rules\ValidEmailDomain; // namespace assumed; the page shows only the class name
use Illuminate\Support\Facades\Validator;
use Illuminate\Validation\Rule;
use Laravel\Fortify\Contracts\CreatesNewUsers;

class CreateNewUser implements CreatesNewUsers
{
    use PasswordValidationRules; // Fortify's trait: provides passwordRules()

    public function create(array $input): User
    {
        Validator::make($input, [
            'name' => ['required', 'string', 'max:255'],
            'email' => [
                'required',
                'string',
                'email',
                'max:255',
                Rule::unique(User::class),
                new ValidEmailDomain(), // DNS/MX validation
            ],
            'password' => $this->passwordRules(),
            'data_consent' => ['required', 'accepted'], // consent must be explicitly ticked
        ])->validate();

        $user = User::create([
            'name' => $input['name'],
            'email' => $input['email'],
            // Plain value: the User model must hash it (the 'password' => 'hashed' cast).
            // Without that cast this stores the password in clear; use Hash::make() instead.
            'password' => $input['password'],
            'role_id' => 3, // patient
            'data_consent' => true,
            'data_consent_at' => now(),
        ]);

        return $user;
    }
}

Email Validation

NutriFit uses the ValidEmailDomain rule to verify that the domain of an email address has a DNS MX (or host) record, so addresses at non-existent or mail-less domains are rejected at registration. Note what this does not do: disposable-address providers run real mail servers with valid MX records, so a DNS check alone does not block them; that needs a domain block list.
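The following is an added example of how such a rule can be written, not the project's own ValidEmailDomain class. It assumes the App\Rules namespace and adds three things the page's description does not mention: normalisation of the domain, rejection of IP literals and dot-less hostnames, and a one-hour cache of lookup results.

```php
<?php
// Added example, not the project's own ValidEmailDomain class: a Laravel
// ValidationRule that checks the address's domain can receive mail. The namespace,
// the one-hour cache of lookups and the A/AAAA fallback are choices made here.

namespace App\Rules;

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Support\Facades\Cache;

class ValidEmailDomain implements ValidationRule
{
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        $at = is_string($value) ? strrpos($value, '@') : false;
        if ($at === false) {
            $fail('The :attribute must be a valid email address.');
            return;
        }

        // Lower-case and strip whitespace so "user@Example.COM " and "user@example.com"
        // hit the same cache entry and the same DNS name.
        $domain = strtolower(trim(substr($value, $at + 1)));

        // IP literals and dot-less names would pass a bare DNS lookup (localhost, intranet
        // hosts) but are never a patient's real mailbox.
        if ($domain === '' || ! str_contains($domain, '.') || filter_var($domain, FILTER_VALIDATE_IP) !== false) {
            $fail('The :attribute domain is not allowed.');
            return;
        }

        if (! self::domainAcceptsMail($domain)) {
            $fail('The :attribute domain does not accept email.');
        }
    }

    /**
     * RFC 5321: mail is delivered to the MX hosts; with no MX record, to the domain's
     * own A/AAAA address. Results are cached because every lookup is a live network
     * call with no timeout control in checkdnsrr(), which registration spam can abuse.
     */
    private static function domainAcceptsMail(string $domain): bool
    {
        return Cache::remember("email-domain:{$domain}", 3600, function () use ($domain) {
            $fqdn = $domain.'.'; // trailing dot: absolute name, no resolver search-suffixing
            return checkdnsrr($fqdn, 'MX')
                || checkdnsrr($fqdn, 'A')
                || checkdnsrr($fqdn, 'AAAA');
        });
    }
}
```

Laravel's built-in `email:rfc,dns` rule performs a comparable MX/A lookup; what the custom rule adds is the normalisation, the refusal of IP literals and bare hostnames, and the cache that keeps a burst of registration attempts from turning into a burst of DNS queries. Blocking disposable providers is a separate concern and needs a block list, since their domains resolve normally.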

Email Verification

Email verification is required for all users before accessing protected features. The flow:
  1. User registers: the user completes the registration form with email and password.
  2. Verification email sent: the system sends a verification email using VerifyEmailNotification.
  3. User clicks link: the user follows the signed, time-limited verification link in the email.
  4. Email confirmed: the account is marked as verified and the welcome email is sent.

Route Protection

Routes requiring verified email use the verified middleware:
routes/web.php
Route::middleware(['auth', 'verified', 'role:paciente'])
    ->prefix('paciente')
    ->name('paciente.')
    ->group(function () {
        Route::get('/dashboard', [PacienteController::class, 'index'])
            ->name('dashboard');
        // More routes...
    });

Two-Factor Authentication (2FA)

Enabling 2FA

Users can enable two-factor authentication from their settings page at /settings/two-factor.
2FA uses TOTP (Time-based One-Time Password) and works with apps such as Google Authenticator, Authy, and 1Password.
Two Fortify options shape the flow: with 'confirm' => true the feature is not active until the user enters a valid code from the newly scanned secret, so a failed scan cannot lock them out; with 'confirmPassword' => true the user must re-enter their password shortly before enabling or disabling 2FA, so a hijacked session cannot silently switch it off.

2FA Configuration

config/fortify.php
'features' => [
    Features::registration(),
    Features::resetPasswords(),
    Features::emailVerification(),
    Features::twoFactorAuthentication([
        'confirm' => true,
        'confirmPassword' => true,
    ]),
],

2FA Setup Process

use Laravel\Fortify\Actions\ConfirmTwoFactorAuthentication;
use Laravel\Fortify\Actions\EnableTwoFactorAuthentication;

// Methods of the Livewire settings component; Livewire resolves the Fortify actions
// from the container when the methods are invoked from the view.
public function enable(EnableTwoFactorAuthentication $enableTwoFactorAuthentication): void
{
    // Generates a TOTP secret and recovery codes and stores them encrypted on the user.
    // With 'confirm' => true the feature stays pending until confirmTwoFactor() succeeds.
    $enableTwoFactorAuthentication(auth()->user());

    if (! $this->requiresConfirmation) {
        $this->twoFactorEnabled = auth()->user()->hasEnabledTwoFactorAuthentication();
    }

    $this->loadSetupData(); // QR code, secret and recovery codes for the modal
    $this->showModal = true;
}

public function confirmTwoFactor(ConfirmTwoFactorAuthentication $confirmTwoFactorAuthentication): void
{
    $this->validate(); // component rules for $this->code (the 6-digit TOTP)

    // Throws a ValidationException if the code does not verify against the stored
    // secret, so 2FA is only activated once the user has proven the app is set up.
    $confirmTwoFactorAuthentication(auth()->user(), $this->code);

    $this->closeModal();
    $this->twoFactorEnabled = true;
}

Recovery Codes

When 2FA is enabled, Fortify generates a set of recovery codes (eight by default) and stores them encrypted in the user's two_factor_recovery_codes column; a code can be entered at the 2FA challenge if the user loses access to their authenticator app.
Each code is single-use: once submitted, Fortify replaces it with a freshly generated one. Users should store the set securely (for example in a password manager) and regenerate it if it is ever exposed.

Password Management

Password Reset Flow

  1. User requests password reset
  2. System sends reset email using ResetPasswordNotification
  3. User clicks link and sets new password
  4. System sends confirmation email using PasswordChangedNotification

Password Requirements

Passwords are validated with Fortify's PasswordValidationRules trait, which applies Laravel's Password::default() rule and requires confirmation:
  • Minimum 8 characters (Password::min(8), the framework default)
  • Must be confirmed (entered twice, as the password_confirmation field)
  • Cannot be a known compromised password (Laravel's uncompromised() check against the Have I Been Pwned range API; unlike the first two, this is only active if Password::defaults() registers it)
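The following is an added example, not the project's own service provider, showing how the three requirements above map onto Laravel's Password rule. Fortify's PasswordValidationRules trait returns ['required', 'string', Password::default(), 'confirmed'], and Password::default() resolves to whatever this callback registers; without the callback the only constraint is Password::min(8).

```php
<?php
// Added example, not the project's provider: registers the defaults that
// Fortify's passwordRules() picks up through Password::default().

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Validation\Rules\Password;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Weak setting (what you get with no registration at all): Password::min(8).
        // Corrected setting: same length floor plus a breach-corpus check.
        Password::defaults(function () {
            return Password::min(8)
                // Rejects passwords that appear in known breach dumps. Laravel sends only
                // the first five hex characters of the SHA-1 hash to the Have I Been Pwned
                // range API (k-anonymity), so the password itself never leaves the app.
                // The verifier fails open if the API is unreachable, so treat it as
                // best effort rather than a hard guarantee.
                ->uncompromised();
        });
    }
}
```

Because Password::defaults() is consulted by every Password::default() call, this one registration also governs the password reset form and the forced change-password screen described below, not just registration.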

Forced Password Change

New patients created by administrators receive a default password and must change it on first login.
routes/web.php
// Route for changing the default password (deliberately without the password.changed middleware)
Route::middleware(['auth', 'role:paciente'])->prefix('paciente')->name('paciente.')->group(function () {
    Route::get('/cambiar-contrasena', [PasswordController::class, 'showChangePassword'])
        ->name('change-default-password');
    Route::post('/cambiar-contrasena', [PasswordController::class, 'updatePassword'])
        ->name('change-default-password.update');
});
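The page mentions a password.changed middleware without showing it. The following is an added example of how that middleware and the change handler can be written; it is not the project's own code. It assumes a boolean must_change_password column on users (the page does not name the flag), the route names shown above, and Fortify's default 'logout' route name.

```php
<?php
// Added example, not the project's own code. Assumes a boolean
// `must_change_password` column on users (the page does not name the flag) and the
// route names shown above. Registered under the 'password.changed' alias that the
// change-password routes above deliberately omit.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsurePasswordChanged
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        if ($user !== null && $user->must_change_password) {
            // The change-password screens and logout must stay reachable; otherwise every
            // request would redirect to a page that itself redirects: an infinite loop.
            $exempt = $request->routeIs(
                'paciente.change-default-password',
                'paciente.change-default-password.update',
                'logout'
            );

            if (! $exempt) {
                return redirect()->route('paciente.change-default-password');
            }
        }

        return $next($request);
    }
}

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

class PasswordController extends Controller
{
    // Handler for the POST route named paciente.change-default-password.update above.
    public function updatePassword(Request $request)
    {
        $validated = $request->validate([
            // 'current_password' checks the value against the logged-in user's hash,
            // so the default password must be known to replace it.
            'current_password' => ['required', 'current_password'],
            // 'different' blocks re-using the default; 'confirmed' needs password_confirmation.
            'password' => ['required', 'string', Password::default(), 'confirmed', 'different:current_password'],
        ]);

        $request->user()->forceFill([
            'password' => Hash::make($validated['password']),
            'must_change_password' => false, // clear the flag in the same write
        ])->save();

        // Drop any other session started with the default password (takes effect only
        // when the AuthenticateSession middleware is enabled) and rotate this session id.
        Auth::logoutOtherDevices($validated['password']);
        $request->session()->regenerate();

        return redirect()->route('paciente.dashboard');
    }
}
```

The important property is that everything except the change-password pair and logout is behind the middleware: if any other patient route is registered without it, the default password remains usable there.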

Social Authentication

Google OAuth

NutriFit supports Google OAuth for patient registration and login.
routes/web.php
Route::get('auth/google', [SocialiteController::class, 'redirectToGoogle'])
    ->name('google.login');
Route::get('auth/google/callback', [SocialiteController::class, 'handleGoogleCallback']);
Route::get('auth/google/consent', [SocialiteController::class, 'showConsentForm'])
    ->name('google.consent');

OAuth Flow

  1. User clicks Google login: the user is redirected to Google's OAuth consent screen.
  2. Google authentication: the user authenticates with Google.
  3. Data consent: the user must accept NutriFit's data processing consent.
  4. Account creation: the account is created or linked and the user is logged in.
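The page shows the routes but not the callback logic. The following is an added example of the controller behind them, not the project's SocialiteController. It assumes a nullable google_id column on users, that google_id and email_verified_at are mass-assignable, and a hypothetical storeConsent POST handler behind the google.consent route. The two checks it adds are the ones that matter for "created or linked": only link on an email Google has verified, and never attach Google to a local account whose own email was never verified.

```php
<?php
// Added example, not the project's SocialiteController. Assumes a nullable
// `google_id` column on users, that `google_id` and `email_verified_at` are
// mass-assignable, and a POST handler (storeConsent, hypothetical) behind the
// google.consent route shown above.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;
use Laravel\Socialite\Two\InvalidStateException;

class SocialiteController extends Controller
{
    public function redirectToGoogle()
    {
        // Socialite puts a random `state` in the session and verifies it on return.
        return Socialite::driver('google')->redirect();
    }

    public function handleGoogleCallback(Request $request)
    {
        try {
            $googleUser = Socialite::driver('google')->user();
        } catch (InvalidStateException) {
            // Missing or mismatched state: forged or replayed callback. Log nobody in.
            return redirect()->route('login')->withErrors(['google' => 'Sign-in could not be verified.']);
        }

        // Google's userinfo carries email_verified. Linking by an address Google has not
        // verified would let anyone holding an unverified Google account with a victim's
        // address take over the victim's NutriFit account.
        if (empty($googleUser->user['email_verified'])) {
            return redirect()->route('login')->withErrors(['google' => 'Your Google email is not verified.']);
        }

        $user = User::where('google_id', $googleUser->getId())->first()
            ?? User::where('email', $googleUser->getEmail())->first();

        if ($user !== null) {
            // Refuse to attach Google to a local account whose email was never verified:
            // someone may have pre-registered the victim's address with a password they know.
            if ($user->google_id === null && $user->email_verified_at === null) {
                return redirect()->route('login')->withErrors(['google' => 'Verify your email or reset your password first.']);
            }
            $user->forceFill(['google_id' => $googleUser->getId()])->save();
            Auth::login($user);
            $request->session()->regenerate(); // fresh session id after authentication
            return redirect()->intended(route('paciente.dashboard'));
        }

        // New user: keep the identity in the session until consent is given, so no
        // account exists before the data-processing consent step.
        $request->session()->put('google.pending', [
            'id' => $googleUser->getId(),
            'email' => $googleUser->getEmail(),
            'name' => $googleUser->getName(),
        ]);

        return redirect()->route('google.consent');
    }

    // Hypothetical POST handler for the consent form shown by showConsentForm().
    public function storeConsent(Request $request)
    {
        $request->validate(['data_consent' => ['required', 'accepted']]);

        $pending = $request->session()->pull('google.pending');
        if ($pending === null) {
            return redirect()->route('google.login');
        }

        $user = User::create([
            'name' => $pending['name'],
            'email' => $pending['email'],
            'google_id' => $pending['id'],
            // Unguessable placeholder; the model's 'hashed' cast stores it hashed (same
            // assumption as CreateNewUser above). A password can be set later via reset.
            'password' => Str::random(40),
            'role_id' => 3,
            'data_consent' => true,
            'data_consent_at' => now(),
            'email_verified_at' => now(), // Google already verified this address
        ]);

        Auth::login($user);
        $request->session()->regenerate();

        return redirect()->route('paciente.dashboard');
    }
}
```

The pending identity lives in the session rather than in a half-created user row, so abandoning the consent form leaves nothing behind, and the consent step cannot be skipped by calling the callback twice.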

Rate Limiting

Login attempts are rate-limited to prevent brute force attacks. The values in config/fortify.php are the names of rate limiters declared with RateLimiter::for() in FortifyServiceProvider; Fortify applies them as throttle middleware on the login route and on the 2FA challenge route:
config/fortify.php
'limiters' => [
    'login' => 'login',
    'two-factor' => 'two-factor',
],
Fortify's default login limiter allows 5 attempts per minute, keyed on the lower-cased email plus the client IP. The two-factor limiter throttles code submission on the 2FA challenge separately: a 6-digit TOTP has only one million possible values, so without its own limit the second factor would be guessable.
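The following is an added example of the limiter definitions the configuration above refers to, not the project's own provider. The 'login' definition follows the one Fortify publishes into FortifyServiceProvider; the IP-wide second limit and the 'two-factor' key on the pending login id are additions made here.

```php
<?php
// Added example, not the project's provider: the named limiters that the
// 'limiters' config above refers to. The 'login' body matches Fortify's published
// FortifyServiceProvider skeleton; the extra IP-wide limit is an addition.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Laravel\Fortify\Fortify;

class FortifyServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('login', function (Request $request) {
            // Key on normalised email + IP: lower-casing stops "User@x" and "user@x"
            // from getting separate budgets, and transliteration folds Unicode look-alikes.
            $throttleKey = Str::transliterate(
                Str::lower($request->input(Fortify::username())).'|'.$request->ip()
            );

            // Returning several limits applies all of them. The first is the per-account
            // budget; the second caps one IP across all accounts, so spraying a single
            // password over many usernames is not free just because each key is fresh.
            return [
                Limit::perMinute(5)->by($throttleKey),
                Limit::perMinute(50)->by('login-ip:'.$request->ip()),
            ];
        });

        RateLimiter::for('two-factor', function (Request $request) {
            // The 2FA challenge has no email field: Fortify keeps the pending user's id in
            // the session as 'login.id', which is the right key for budgeting code guesses.
            return Limit::perMinute(5)->by('two-factor:'.$request->session()->get('login.id'));
        });
    }
}
```

Both limits share the cache store, so a multi-server deployment needs a shared cache driver (Redis, database) for the counts to be global rather than per node.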

Notifications

The authentication system sends several email notifications:
  • Welcome Email: sent after email verification
  • Email Verification: sent on registration
  • Password Reset: sent when a password reset is requested
  • Password Changed: sent after a password change
  • Account Enabled: sent when an admin enables an account
  • Account Disabled: sent when an admin disables an account

Security Best Practices

  • Email domains are checked for DNS/MX records at registration, rejecting addresses at domains that cannot receive mail (disposable providers, which do have MX records, are not caught by this check).
  • Passwords are hashed with bcrypt at Laravel's default cost factor.
  • All state-changing forms carry a CSRF token, verified by Laravel's VerifyCsrfToken middleware.
  • Login and 2FA code submission are rate-limited to slow down brute force attacks.
  • Sessions use httpOnly cookies; in production the session cookie should also be marked Secure (SESSION_SECURE_COOKIE) so it is only sent over HTTPS.

See also:
  • User Roles: role-based access control
  • Notifications: the notification system
