Authentication & Authorization Interview Questions

Laravel provides a complete authentication system out of the box using the Auth facade. It includes features for user registration, login, password reset, and remember me functionality. Can be scaffolded using laravel/ui or breeze/jetstream packages.

Basic authentication can be implemented using Auth::attempt(['email' => $email, 'password' => $password]) for login, Auth::login($user) for manual login, and Auth::logout() for logging out. Session-based authentication is default.

Auth middleware (auth) protects routes by ensuring users are authenticated. Can be applied to routes or controllers using middleware('auth'). Redirects unauthenticated users to login page or returns 401 for API routes.

Use Auth::check() to verify authentication status, Auth::user() to get current user, or @auth/@guest Blade directives in views. Request object also provides auth()->user() helper.

Guards define how users are authenticated for each request. Laravel supports multiple authentication guards (web, api) configured in config/auth.php. Each guard specifies provider and driver for authentication.

Laravel includes password reset using Password facade. Uses notifications system to send reset links. Requires password_resets table. Can customize views, expiration time, and throttling.

Remember me allows users to stay logged in across sessions using secure cookie. Implemented by passing true as second parameter to Auth::attempt() or using remember() method. Requires remember_token column.

Email verification uses MustVerifyEmail interface and VerifiesEmails trait. Sends verification email on registration. Can protect routes with verified middleware. Customizable verification notice and email.

Sanctum provides lightweight authentication for SPAs and mobile applications. Issues API tokens, handles SPA authentication through cookies. Supports multiple tokens per user with different abilities.

Policies organize authorization logic around models or resources. Created using make:policy command. Methods correspond to actions (view, create, update, delete). Used with Gate facade or @can directive.

Role-based authorization can use Gates, Policies, or packages like Spatie permissions. Define roles and permissions in database. Check using can() method or middleware. Support multiple roles per user.

Passport provides OAuth2 server implementation. Install using composer, run migrations, generate encryption keys. Supports password grant, authorization code grant, and personal access tokens.

Gates are Closures that determine if user can perform action. Registered in AuthServiceProvider using Gate::define(). Can use Gate::allows() or $user->can() to check authorization. Support custom parameters.

Custom guards extend Guard contract. Register in AuthServiceProvider using Auth::extend(). Implement user() and validate() methods. Configure in auth.php. Useful for specialized authentication needs.

Multi-authentication uses different guards for different user types. Configure multiple providers and guards in auth.php. Use guard() method to specify guard. Support separate sessions and authentication logic.

Policy auto-discovery automatically registers policies based on naming conventions. Can be disabled in AuthServiceProvider. Override getPolicyFor() for custom mapping. Supports policy discovery in packages.

Authentication events (Login, Logout, Failed, etc.) are dispatched automatically. Can be listened to using Event facade or subscribers. Useful for logging, notifications, or additional security measures.

Resource authorization combines CRUD actions with policies. Use authorizeResource() in controllers. Maps controller methods to policy methods. Supports automatic authorization using middleware.

Policy filters run before other policy methods. Define before() method in policy. Can grant or deny all abilities. Useful for super-admin scenarios or global authorization rules.

Token abilities define permissions for API tokens. Specified when creating token. Check using tokenCan() method. Support multiple abilities per token. Can be combined with other authorization methods.

Policy responses can return Response objects instead of booleans. Use response() helper in policies. Support custom messages and status codes. Useful for detailed authorization feedback.

Custom user providers implement UserProvider contract. Register in AuthServiceProvider using Auth::provider(). Implement retrieveById, retrieveByToken, updateRememberToken methods. Support non-database authentication.

Rate limiting uses ThrottlesLogins trait or custom middleware. Configure attempts and lockout duration. Support IP-based and user-based throttling. Can customize decay time and storage.

Authorization code grant requires client registration, authorization endpoint, token endpoint. Handle redirect URI, state parameter, PKCE. Support refresh tokens and token revocation. Implement scope validation.

Contextual authorization considers additional parameters beyond user and model. Pass context to policy methods. Support complex authorization rules. Can use additional services or external APIs.

Passwordless auth uses signed URLs or tokens sent via email/SMS. Implement custom guard and provider. Handle token generation and verification. Support expiration and single-use tokens.

Hierarchical authorization handles nested permissions and inheritance. Implement tree structure for roles/permissions. Support permission propagation. Handle circular dependencies and performance.

Session authentication can be customized by extending guard, implementing custom user provider. Handle session storage, regeneration. Support custom session drivers and authentication logic.

Cross-domain authentication requires coordinating sessions across domains. Handle CORS, shared tokens. Implement single sign-on. Support token forwarding and validation across domains.

Dynamic policy resolution determines policy class at runtime. Override getPolicyFor in AuthServiceProvider. Support multiple policy implementations. Handle policy resolution cache.