
Frontend Support

Sebastián Richiardi edited this page Jul 1, 2025 · 3 revisions

Gateway Session Guard

The gateway guard provides session-based authentication for frontend applications. It stores the JWT token in the session and refreshes it transparently when expired. User information and permissions are retrieved from the API gateway.

Configuration

Publish the configuration file if you haven't already:

php artisan vendor:publish --provider="Kroderdev\LaravelMicroserviceCore\Providers\MicroserviceServiceProvider" --tag=config

Edit config/microservice.php and adjust the gateway_guard section:

'gateway_guard' => [
    // Class used for the authenticated user
    'user_model'  => App\Models\User::class,

    // Load roles & permissions automatically using `client->me()`
    'load_access' => true,

    // Seconds to cache `client->me()` responses
    'me_cache_ttl' => 300,
],

The TTL is in seconds. If the JWT token includes an exp claim, the cache duration is capped so it never exceeds the token's remaining lifetime.

Configure a guard in config/auth.php:

'guards' => [
    'gateway' => [
        'driver'   => 'gateway',
        'provider' => 'users',
    ],
],

The provider should match the user_model above.

Usage

Use the guard like any other Laravel guard:

Auth::guard('gateway')->attempt($credentials);

The token is stored in the session and automatically refreshed when needed.

Built-in Controllers

The package includes simple controllers for login, registration, logout and Socialite authentication. Typical routes look like this:

Route::post('/login', \Kroderdev\LaravelMicroserviceCore\Http\Auth\LoginController::class);
Route::post('/register', \Kroderdev\LaravelMicroserviceCore\Http\Auth\RegisterController::class);
Route::post('/logout', \Kroderdev\LaravelMicroserviceCore\Http\Auth\LogoutController::class);
Route::get('/socialite/{provider}/redirect', [\Kroderdev\LaravelMicroserviceCore\Http\Auth\SocialiteController::class, 'redirect']);
Route::get('/socialite/{provider}/callback', [\Kroderdev\LaravelMicroserviceCore\Http\Auth\SocialiteController::class, 'callback']);

Each controller uses AuthServiceClient to talk to your API Gateway. You may override any controller by registering your own class in the route definition or binding a new implementation in the service container.

Customization

  • User Model – set gateway_guard.user_model in config/microservice.php to use your application's user class.
  • Automatic Permission Loading – toggle gateway_guard.load_access to automatically populate roles and permissions from client->me().
  • Cache TTL – adjust gateway_guard.me_cache_ttl (in seconds) or set the GATEWAY_ME_CACHE_TTL environment variable. The TTL will never exceed the remaining lifetime of the JWT token.
  • AuthServiceClient – extend this class if your gateway uses different endpoints for login or registration.

With these hooks you can tailor the guard and controllers to match your authentication service.

Redirects

Authentication controllers support optional redirects. If the request includes a redirect parameter, it is honored; otherwise, non-JSON requests will redirect to the URL stored by redirect()->intended() or to the value of gateway_auth.default_redirect (default /). Configure this setting in config/microservice.php or via the GATEWAY_AUTH_DEFAULT_REDIRECT environment variable.
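
Because the redirect parameter comes from the request, a controller you override can restrict it to same-site paths before following the fallback order described above. This is an added example in plain PHP, not the package's own code; the function names isLocalPath and resolveRedirect and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not the package's code): accept a redirect target only
// when it is an absolute path on this site.
function isLocalPath(?string $target): bool
{
    if ($target === null || $target === '') {
        return false;
    }
    // Must start with "/": rejects "dashboard" and "https://...".
    if ($target[0] !== '/') {
        return false;
    }
    // "//host" and "/\host" are read by browsers as protocol-relative URLs.
    if (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\')) {
        return false;
    }
    // Reject control characters (CR/LF, tabs that browsers strip from URLs).
    if (preg_match('/[\x00-\x1F\x7F]/', $target) === 1) {
        return false;
    }
    $parts = parse_url($target);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

// Fallback order from the section above: request parameter, then the
// intended URL, then the configured default (assumed here to be "/").
function resolveRedirect(?string $requested, ?string $intended, string $default = '/'): string
{
    foreach ([$requested, $intended] as $candidate) {
        if (isLocalPath($candidate)) {
            return $candidate;
        }
    }
    return $default;
}

// Constructed sample inputs; '/home' stands in for the stored intended URL.
$samples = ['/dashboard?tab=1', '//other.example/x', 'https://other.example', '/\\other.example', null];
foreach ($samples as $requested) {
    printf("%-26s => %s\n", var_export($requested, true), resolveRedirect($requested, '/home'));
}
```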
