DEV Community: Dmitry Isaenko The latest articles on DEV Community by Dmitry Isaenko (@d_isaenko_dev). https://dev.to/d_isaenko_dev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3698265%2F374d1b3f-447c-4153-bf1a-7b7bd53e8f6a.jpg DEV Community: Dmitry Isaenko https://dev.to/d_isaenko_dev en Building a Dual Notification System for a Multi-Tenant Laravel SaaS Dmitry Isaenko Mon, 11 May 2026 08:44:35 +0000 https://dev.to/d_isaenko_dev/building-a-dual-notification-system-for-a-multi-tenant-laravel-saas-40hh https://dev.to/d_isaenko_dev/building-a-dual-notification-system-for-a-multi-tenant-laravel-saas-40hh <p>Your SaaS needs to talk to users. Not just email - in-app notifications that persist, track reads, support multiple languages, and let admins target specific user segments.</p> <p>I built <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP for small businesses. The notification module evolved into a dual-architecture system: admin broadcasts and automated system notifications sharing the same table, the same UI, and the same read-tracking mechanism.</p> <p>Now I'm extracting it into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel. This post covers the full implementation.</p> <h2> Table of Contents </h2> <ol> <li>Dual Architecture</li> <li>Database Schema</li> <li>Multilingual Content</li> <li>Recipient Segmentation</li> <li>Admin CRUD &amp; Workflow</li> <li>System Notifications</li> <li>Delivery &amp; Read Statistics</li> <li>Frontend UX</li> <li>Testing</li> <li>Design Decisions</li> </ol> <h2> Dual Architecture </h2> <p>LaraFoundry has two notification types that coexist in one system:</p> <p><strong>Admin notifications</strong> - created manually in the admin panel:</p> <ul> <li>Multilingual titles and bodies stored as JSON in the database</li> <li>Recipient filters: country, sex, age range, registration date, activity level, verification status</li> <li>Draft → Sent workflow with visibility scheduling</li> <li>Delivery and read statistics</li> </ul> <p><strong>System notifications</strong> - created programmatically by queued jobs:</p> <ul> <li>Laravel translation keys with dynamic parameters</li> <li>Auto-sent when events occur (company created, invitation accepted, payment failed)</li> <li>Auto-expire after 30 days</li> <li>Rich metadata for UI actions</li> </ul> <p>Both types appear in the same user notification panel. The user doesn't know or care where a notification came from.</p> <h2> Database Schema </h2> <h3> Notifications Table </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Schema</span><span class="o">::</span><span class="nf">create</span><span class="p">(</span><span class="s1">'notifications'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Blueprint</span> <span class="nv">$table</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">id</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'code'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">index</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">enum</span><span class="p">(</span><span class="s1">'notification_type'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'system'</span><span class="p">]);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">enum</span><span class="p">(</span><span class="s1">'status'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'draft'</span><span class="p">,</span> <span class="s1">'sent'</span><span class="p">]);</span> <span class="c1">// system notifications - translation keys</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'title_key'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'body_key'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'params'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="c1">// admin notifications - stored translations</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'title_translations'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'body_translations'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="c1">// admin notifications - targeting</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'recipient_filters'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'data'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="c1">// scheduling</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamp</span><span class="p">(</span><span class="s1">'visible_from'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamp</span><span class="p">(</span><span class="s1">'visible_until'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamps</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>One table with two sets of nullable columns. The <code>notification_type</code> enum determines which set is used. This is simpler than two tables because the user-facing side doesn't care about the source.</p> <h3> Notification-User Pivot </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Schema</span><span class="o">::</span><span class="nf">create</span><span class="p">(</span><span class="s1">'notification_user'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Blueprint</span> <span class="nv">$table</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">id</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">foreignId</span><span class="p">(</span><span class="s1">'notification_id'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">constrained</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">cascadeOnDelete</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">foreignId</span><span class="p">(</span><span class="s1">'user_id'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">constrained</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">cascadeOnDelete</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamp</span><span class="p">(</span><span class="s1">'read_at'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">index</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamps</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">unique</span><span class="p">([</span><span class="s1">'notification_id'</span><span class="p">,</span> <span class="s1">'user_id'</span><span class="p">]);</span> <span class="p">});</span> </code></pre> </div> <p><code>read_at</code> is nullable. Null = unread. Timestamp = read (and you know exactly when). The unique constraint prevents duplicate attachments.</p> <h3> Model </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">Notification</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">HasFactory</span><span class="p">;</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">casts</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'params'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">,</span> <span class="s1">'recipient_filters'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">,</span> <span class="s1">'title_translations'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">,</span> <span class="s1">'body_translations'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">,</span> <span class="s1">'data'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">,</span> <span class="s1">'visible_from'</span> <span class="o">=&gt;</span> <span class="s1">'datetime'</span><span class="p">,</span> <span class="s1">'visible_until'</span> <span class="o">=&gt;</span> <span class="s1">'datetime'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">users</span><span class="p">():</span> <span class="kt">BelongsToMany</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">belongsToMany</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">withPivot</span><span class="p">(</span><span class="s1">'read_at'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">withTimestamps</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Scopes</span> <span class="k">public</span> <span class="k">function</span> <span class="n">scopeDraft</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'status'</span><span class="p">,</span> <span class="s1">'draft'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">scopeSent</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'status'</span><span class="p">,</span> <span class="s1">'sent'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">scopeAdmin</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'notification_type'</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">scopeSystem</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'notification_type'</span><span class="p">,</span> <span class="s1">'system'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Helpers</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isDraft</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">status</span> <span class="o">===</span> <span class="s1">'draft'</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isSent</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">status</span> <span class="o">===</span> <span class="s1">'sent'</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isAdmin</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">notification_type</span> <span class="o">===</span> <span class="s1">'admin'</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isSystem</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">notification_type</span> <span class="o">===</span> <span class="s1">'system'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Multilingual Content </h2> <p>The same <code>getLocalizedTitle()</code> method handles both notification types:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">getLocalizedTitle</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="s1">'en'</span><span class="p">):</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isSystem</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">__</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">title_key</span><span class="p">,</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">params</span> <span class="o">??</span> <span class="p">[],</span> <span class="nv">$locale</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">title_translations</span><span class="p">[</span><span class="nv">$locale</span><span class="p">]</span> <span class="o">??</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">title_translations</span><span class="p">[</span><span class="s1">'en'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>System notifications</strong> use Laravel's <code>__()</code> helper. Translation files + parameters. Standard.</p> <p><strong>Admin notifications</strong> use JSON lookup with fallback: requested locale → English → empty string.</p> <h3> Auto-Translate in Admin Panel </h3> <p>The admin creation form has a language accordion. English is required. Other languages are optional. Each language tab has a "Translate" button:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/admin/translate</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"source_locale"</span><span class="p">:</span><span class="w"> </span><span class="s2">"en"</span><span class="p">,</span><span class="w"> </span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"System maintenance on Friday"</span><span class="p">,</span><span class="w"> </span><span class="nl">"target_locales"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"uk"</span><span class="p">,</span><span class="w"> </span><span class="s2">"de"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>One click fills all empty language fields. The admin reviews and adjusts. Only empty fields are populated - already-filled translations are preserved.</p> <p>The body field supports up to 10,000 characters per language.</p> <h2> Recipient Segmentation </h2> <p>When creating an admin notification, the admin configures who receives it:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Filter</th> <th>Options</th> </tr> </thead> <tbody> <tr> <td>Country</td> <td>From available_countries config</td> </tr> <tr> <td>Sex</td> <td>Male / Female</td> </tr> <tr> <td>Age range</td> <td>16 - 100</td> </tr> <tr> <td>Registration date</td> <td>All / Today / This month / This year</td> </tr> <tr> <td>Recent activity</td> <td>All / More active / Less active</td> </tr> <tr> <td>Email verified</td> <td>All / Verified / Unverified</td> </tr> <tr> <td>Phone verified</td> <td>All / Verified / Unverified</td> </tr> </tbody> </table></div> <p>The form shows a live user count that updates as filters change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Recipients matching filters: 847 users </code></pre> </div> <p>Debounced at 500ms. The submit button is disabled if count is 0.</p> <h3> Filter Implementation </h3> <p>Filters are stored as JSON in <code>recipient_filters</code> and applied via <code>AdminUsersFilter</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">send</span><span class="p">(</span> <span class="kt">Notification</span> <span class="nv">$notification</span><span class="p">,</span> <span class="kt">AdminUsersFilter</span> <span class="nv">$filter</span> <span class="p">):</span> <span class="kt">RedirectResponse</span> <span class="p">{</span> <span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$notification</span><span class="p">,</span> <span class="nv">$filter</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$filter</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'!='</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_email'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'id'</span><span class="p">);</span> <span class="nv">$notification</span><span class="o">-&gt;</span><span class="nf">users</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">attach</span><span class="p">(</span> <span class="nv">$users</span><span class="o">-&gt;</span><span class="nf">mapWithKeys</span><span class="p">(</span><span class="k">fn</span><span class="p">(</span><span class="nv">$id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="nv">$id</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'created_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'updated_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]</span> <span class="p">])</span> <span class="p">);</span> <span class="nv">$notification</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'sent'</span><span class="p">]);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The <code>HasUserFilterRules</code> trait provides shared validation rules, reusable across any feature that needs user targeting.</p> <h2> Admin CRUD and Workflow </h2> <h3> Routes </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /admin/notifications → index GET /admin/notifications/create → create POST /admin/notifications → store (draft) GET /admin/notifications/{id}/edit → edit PUT /admin/notifications/{id} → update DELETE /admin/notifications/{id} → destroy POST /admin/notifications/{id}/send → send </code></pre> </div> <h3> Workflow </h3> <ol> <li> <strong>Create</strong> - Admin fills form, notification saved as draft</li> <li> <strong>Edit</strong> - Modify translations, filters, scheduling while in draft</li> <li> <strong>Send</strong> - Apply filters, attach matching users, set status to 'sent'</li> <li> <strong>Resend</strong> - Re-run filters on already-sent notification, attach new matches</li> <li> <strong>Delete</strong> - Detach all users, delete notification (transaction-wrapped)</li> </ol> <p>The form request validates everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">AdminNotificationStoreRequest</span> <span class="kd">extends</span> <span class="nc">FormRequest</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">HasUserFilterRules</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">rules</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$rules</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'code'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'string'</span><span class="p">,</span> <span class="nc">Rule</span><span class="o">::</span><span class="nf">in</span><span class="p">(</span> <span class="nb">array_keys</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'own.notification_types'</span><span class="p">))</span> <span class="p">)],</span> <span class="s1">'title_translations.en'</span> <span class="o">=&gt;</span> <span class="s1">'required|string|max:255'</span><span class="p">,</span> <span class="s1">'visible_from'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|date'</span><span class="p">,</span> <span class="s1">'visible_until'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|date'</span><span class="p">,</span> <span class="p">];</span> <span class="k">foreach</span> <span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'app.available_languages'</span><span class="p">)</span> <span class="k">as</span> <span class="nv">$locale</span> <span class="o">=&gt;</span> <span class="nv">$name</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$locale</span> <span class="o">!==</span> <span class="s1">'en'</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$rules</span><span class="p">[</span><span class="s2">"title_translations.</span><span class="si">{</span><span class="nv">$locale</span><span class="si">}</span><span class="s2">"</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'nullable|string|max:255'</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$rules</span><span class="p">[</span><span class="s2">"body_translations.</span><span class="si">{</span><span class="nv">$locale</span><span class="si">}</span><span class="s2">"</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'nullable|string|max:10000'</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nb">array_merge</span><span class="p">(</span><span class="nv">$rules</span><span class="p">,</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">userFilterRules</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>English title required. Everything else optional. Filter rules mixed in from the trait.</p> <h2> System Notifications </h2> <p>System notifications are created by queued jobs when events happen:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">NotifyEmployeeAboutRejection</span> <span class="kd">implements</span> <span class="nc">ShouldQueue</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$notification</span> <span class="o">=</span> <span class="nc">Notification</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'code'</span> <span class="o">=&gt;</span> <span class="s1">'invitation_rejected_employee_'</span> <span class="mf">.</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'notification_type'</span> <span class="o">=&gt;</span> <span class="s1">'system'</span><span class="p">,</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'sent'</span><span class="p">,</span> <span class="s1">'title_key'</span> <span class="o">=&gt;</span> <span class="s1">'Invitation Rejected'</span><span class="p">,</span> <span class="s1">'body_key'</span> <span class="o">=&gt;</span> <span class="s1">'You declined the invitation to join :company.'</span><span class="p">,</span> <span class="s1">'params'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'company'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">company</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">],</span> <span class="s1">'visible_from'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'visible_until'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.system_notification_lifetime_days'</span><span class="p">)</span> <span class="p">),</span> <span class="p">]);</span> <span class="nv">$notification</span><span class="o">-&gt;</span><span class="nf">users</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">attach</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">notify</span><span class="p">(</span> <span class="k">new</span> <span class="nc">InvitationRejectedEmployeeNotification</span><span class="p">(</span><span class="mf">...</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Pattern: create → attach → optionally email. Unique <code>code</code> prevents duplicates.</p> <h3> System Notification Triggers </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Event</th> <th>Notification</th> </tr> </thead> <tbody> <tr> <td>Company created</td> <td>Owner gets in-app + email</td> </tr> <tr> <td>Company deleted</td> <td>Owner gets in-app + email</td> </tr> <tr> <td>Invitation sent</td> <td>Invitee gets email (+ in-app if registered)</td> </tr> <tr> <td>Invitation accepted</td> <td>Owner notified</td> </tr> <tr> <td>Invitation rejected</td> <td>Both sides notified differently</td> </tr> <tr> <td>Employee removed</td> <td>Employee notified</td> </tr> <tr> <td>Payment success</td> <td>Owner notified</td> </tr> <tr> <td>Payment failed</td> <td>Owner notified</td> </tr> <tr> <td>Admin login attempt</td> <td>Admin gets email + Telegram</td> </tr> </tbody> </table></div> <p>Each notification auto-expires after 30 days (<code>system_notification_lifetime_days</code> config). Old notifications disappear naturally without cleanup jobs.</p> <h2> Delivery and Read Statistics </h2> <p>The admin panel shows per-notification statistics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>| Type | Title | Received | Read | Status | |---------|----------------------------|----------|--------------|-----------| | info | System maintenance Friday | 847 | 312 (36.8%) | Active | | warning | New pricing March 1 | 1,204 | 891 (74.0%) | Scheduled | | info | Welcome to v2.0 | 2,100 | 2,034 (96.9%)| Expired | </code></pre> </div> <p>All computed from the pivot table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// AdminNotificationResource</span> <span class="s1">'total_recipients'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">users</span><span class="o">-&gt;</span><span class="nb">count</span><span class="p">(),</span> <span class="s1">'read_count'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">users</span><span class="o">-&gt;</span><span class="nf">whereNotNull</span><span class="p">(</span><span class="s1">'pivot.read_at'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nb">count</span><span class="p">(),</span> <span class="s1">'read_percentage'</span> <span class="o">=&gt;</span> <span class="nv">$total</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">?</span> <span class="nb">round</span><span class="p">((</span><span class="nv">$read</span> <span class="o">/</span> <span class="nv">$total</span><span class="p">)</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="o">:</span> <span class="mi">0</span><span class="p">,</span> </code></pre> </div> <h3> Visibility Status </h3> <p>Computed from timestamps, displayed as a colored badge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'visibility_status'</span> <span class="o">=&gt;</span> <span class="k">match</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">visible_until</span><span class="o">?-&gt;</span><span class="nf">isPast</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="s1">'expired'</span><span class="p">,</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">visible_from</span><span class="o">?-&gt;</span><span class="nf">isFuture</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="s1">'scheduled'</span><span class="p">,</span> <span class="k">default</span> <span class="o">=&gt;</span> <span class="s1">'active'</span><span class="p">,</span> <span class="p">},</span> </code></pre> </div> <p>Drafts show "Not sent yet" instead of statistics. The <code>can_send</code> flag controls whether the send button appears.</p> <h2> Frontend UX </h2> <h3> User Notification Panel </h3> <p>The notification page shows both admin and system notifications in a unified list:</p> <ul> <li> <strong>Header</strong>: "Notifications (3 unread)" + "Mark all as read" button</li> <li> <strong>List</strong>: Paginated (25 per page), each item expandable</li> <li> <strong>Item</strong>: Type badge, title, timestamp, read indicator</li> <li> <strong>Expand</strong>: Body text appears, auto-marks as read </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// NotificationItem.vue</span> <span class="kd">const</span> <span class="nx">toggle</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">expanded</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="o">!</span><span class="nx">expanded</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">expanded</span><span class="p">.</span><span class="nx">value</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">notification</span><span class="p">.</span><span class="nx">read_at</span><span class="p">)</span> <span class="p">{</span> <span class="nf">markAsRead</span><span class="p">(</span><span class="nx">notification</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Real-Time Unread Count </h3> <p>Polling every 30 seconds updates the notification bell in the header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">GET</span> <span class="o">/</span><span class="nx">notifications</span><span class="o">/</span><span class="nx">unread</span> <span class="err">→</span> <span class="p">{</span> <span class="nl">unread</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">count</span><span class="p">:</span> <span class="mi">4</span> <span class="p">}</span> </code></pre> </div> <p>Synced to a global store. No WebSockets needed - polling is simple and reliable for non-chat notifications.</p> <h3> Bulk Operations </h3> <p>"Mark all as read" uses a direct DB update:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$count</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">notifications</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'read_at'</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'notification_user.read_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> </code></pre> </div> <p>One query regardless of notification count.</p> <h3> User API Endpoints </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /notifications → paginated list GET /notifications/unread → unread count GET /notifications/unread-recent → last 5 unread (for dropdown) GET /notifications/recent → last 5 all (for widget) POST /notifications/{id}/read → mark single POST /notifications/mark-all-read → mark all </code></pre> </div> <h3> Admin Creation Form </h3> <p>Three sections:</p> <ol> <li> <strong>Main info</strong>: notification type (info/warning), visible_from, visible_until</li> <li> <strong>Translations</strong>: language accordion with auto-translate button</li> <li> <strong>Recipients</strong>: filter form with live user count</li> </ol> <p>The form is disabled for sent notifications except resend action.</p> <h2> Testing </h2> <p>Notifications get tested end-to-end with Pest:</p> <h3> CRUD </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'admin can create a draft notification'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.notifications.store'</span><span class="p">),</span> <span class="p">[</span> <span class="s1">'code'</span> <span class="o">=&gt;</span> <span class="s1">'info'</span><span class="p">,</span> <span class="s1">'title_translations'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'en'</span> <span class="o">=&gt;</span> <span class="s1">'Test notification'</span><span class="p">],</span> <span class="s1">'body_translations'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'en'</span> <span class="o">=&gt;</span> <span class="s1">'Test body'</span><span class="p">],</span> <span class="c1">// ... filter defaults</span> <span class="p">])</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.notifications.index'</span><span class="p">));</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Notification</span><span class="o">::</span><span class="nf">first</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">status</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="s1">'draft'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Segmentation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'only matching users receive notification'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'DE'</span><span class="p">]);</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'DE'</span><span class="p">]);</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'US'</span><span class="p">]);</span> <span class="nv">$notification</span> <span class="o">=</span> <span class="nc">Notification</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'recipient_filters'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'DE'</span><span class="p">],</span> <span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.notifications.send'</span><span class="p">,</span> <span class="nv">$notification</span><span class="p">));</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$notification</span><span class="o">-&gt;</span><span class="n">users</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toHaveCount</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Read Tracking </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'expanding notification marks it as read'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'notifications.read'</span><span class="p">,</span> <span class="nv">$notification</span><span class="p">));</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">notifications</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">pivot</span><span class="o">-&gt;</span><span class="n">read_at</span><span class="p">)</span> <span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toBeNull</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> System Notifications </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'rejection job creates notification and sends email'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">NotifyEmployeeAboutRejection</span><span class="o">::</span><span class="nf">dispatch</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Notification</span><span class="o">::</span><span class="nb">system</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">count</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="nc">Mail</span><span class="o">::</span><span class="nf">assertSent</span><span class="p">(</span><span class="nc">InvitationRejectedEmployeeNotification</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Real requests. Real database. No mocking of notification creation.</p> <h2> Design Decisions </h2> <h3> Why One Table Instead of Two? </h3> <p>Admin and system notifications have different creation flows but identical consumption. The user sees a list of notifications - they don't care about the source. One table means one query, one resource, one component. The <code>notification_type</code> enum + nullable columns is simpler than polymorphism for this use case.</p> <h3> Why JSON Translations Instead of a Translations Table? </h3> <p>Admin notifications are write-once. Draft, translate, send, done. No one edits translations after sending. A flat JSON column avoids the complexity of a polymorphic translations table for something that's essentially immutable after creation.</p> <h3> Why Polling Instead of WebSockets? </h3> <p>Notifications aren't chat messages. A 30-second delay is acceptable. Polling is simpler to implement, deploy, and debug. No WebSocket server to maintain. No connection management. If the latency requirements change, switching to WebSockets is straightforward - the API endpoints stay the same.</p> <h3> Why Auto-Mark-as-Read on Expand? </h3> <p>Forcing users to click a separate "mark as read" button adds friction without adding value. If you expanded a notification to read it, you read it. The timestamp records when, which is useful for analytics.</p> <h3> Why Exclude Admin From Recipients? </h3> <p>The admin who creates and sends notifications doesn't need to receive their own broadcasts. Excluding <code>config('own.admin_email')</code> prevents self-notification without adding a "skip creator" flag to the schema.</p> <h2> What's Next </h2> <p>This module is part of LaraFoundry - an open-source SaaS framework for Laravel, extracted from a production CRM/ERP.</p> <p>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a><br> Previous modules: Registration, Authentication, Multi-Tenancy, Logging, Multilanguage, Navigation, Vue Frontend, Traits &amp; Middlewares, Admin Users, Admin Companies<br> Follow for the next module deep-dive.<br> <em>LaraFoundry: <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a></em></p> laravel php sass webdev Building an Admin Company Management System for a Multi-Tenant Laravel SaaS Dmitry Isaenko Mon, 04 May 2026 13:08:41 +0000 https://dev.to/d_isaenko_dev/building-an-admin-company-management-system-for-a-multi-tenant-laravel-saas-2063 https://dev.to/d_isaenko_dev/building-an-admin-company-management-system-for-a-multi-tenant-laravel-saas-2063 <p>Companies sign up. They pick a plan. They start paying. Some stop paying. Some owners get banned. Some trials expire and nobody notices.</p> <p>I built <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP for small businesses. The admin companies module became the financial nerve center of the whole system. Now I'm extracting it into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel.</p> <p>This post covers the full implementation: company dashboard, subscription engine, blocking system, expiry notifications, payment model, frontend blocked pages, and testing.</p> <h2> Table of Contents </h2> <ol> <li>Company Dashboard</li> <li>Subscription Status Engine</li> <li>Blocking System</li> <li>Subscription Expiry Notifications</li> <li>Frontend Blocked Pages</li> <li>Payment Model</li> <li>Admin Filtering &amp; Search</li> <li>Testing</li> <li>Design Decisions</li> </ol> <h2> Company Dashboard </h2> <h3> What the Admin Sees </h3> <p>Every company row in the admin panel shows a complete operational picture:</p> <p><strong>Company info</strong> - name, logo, country, creation date<br> <strong>Owner info</strong> - full name, email, phone, age, companies count, last activity, blocked status badge<br> <strong>Subscription</strong> - plan name, status badge with color, billing period, expiry date<br> <strong>Finances</strong> - total payments sum, last payment date and amount, full payment history on hover<br> <strong>Activity</strong> - employee count (excluding soft-deleted), last activity across all users</p> <h3> The Query </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">index</span><span class="p">(</span><span class="kt">AdminCompaniesFilterRequest</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">AdminCompaniesFilter</span> <span class="nv">$filter</span><span class="p">):</span> <span class="kt">Response</span> <span class="p">{</span> <span class="nv">$companies</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">with</span><span class="p">([</span><span class="s1">'createdBy'</span><span class="p">,</span> <span class="s1">'users'</span><span class="p">,</span> <span class="s1">'payments'</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">withCount</span><span class="p">([</span><span class="s1">'users'</span> <span class="o">=&gt;</span> <span class="k">fn</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'is_deleted'</span><span class="p">,</span> <span class="kc">false</span><span class="p">)])</span> <span class="o">-&gt;</span><span class="nf">addSelect</span><span class="p">([</span> <span class="s1">'total_payments'</span> <span class="o">=&gt;</span> <span class="nc">CompanyPayment</span><span class="o">::</span><span class="nf">selectRaw</span><span class="p">(</span><span class="s1">'SUM(amount)'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereColumn</span><span class="p">(</span><span class="s1">'company_id'</span><span class="p">,</span> <span class="s1">'companies.id'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'payment_status'</span><span class="p">,</span> <span class="s1">'success'</span><span class="p">),</span> <span class="s1">'last_payment_date'</span> <span class="o">=&gt;</span> <span class="nc">CompanyPayment</span><span class="o">::</span><span class="nf">select</span><span class="p">(</span><span class="s1">'paid_at'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereColumn</span><span class="p">(</span><span class="s1">'company_id'</span><span class="p">,</span> <span class="s1">'companies.id'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'payment_status'</span><span class="p">,</span> <span class="s1">'success'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">latest</span><span class="p">(</span><span class="s1">'paid_at'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">limit</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">])</span> <span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$filter</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_companies_per_page'</span><span class="p">));</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="s1">'admin/companies/IndexCompanies'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'companies'</span> <span class="o">=&gt;</span> <span class="nc">AdminCompanyResource</span><span class="o">::</span><span class="nf">collection</span><span class="p">(</span><span class="nv">$companies</span><span class="p">),</span> <span class="s1">'pagination'</span> <span class="o">=&gt;</span> <span class="cm">/* pagination data */</span><span class="p">,</span> <span class="s1">'filters'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">validated</span><span class="p">(),</span> <span class="s1">'available_plans'</span> <span class="o">=&gt;</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.company_plans'</span><span class="p">),</span> <span class="s1">'available_countries'</span> <span class="o">=&gt;</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.available_countries'</span><span class="p">),</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>Key decisions:</p> <ol> <li> <strong>Subqueries for aggregates</strong> - total payments and last payment calculated in SQL, not PHP. No N+1.</li> <li> <strong>Filter injection</strong> - <code>AdminCompaniesFilter</code> applied via scope. Controller doesn't know filtering internals.</li> <li> <strong>Config-driven everything</strong> - pagination, plans, countries all from config files.</li> <li> <strong>AdminCompanyResource</strong> - single transformation layer. The Vue frontend gets consistent, pre-formatted data.</li> </ol> <h3> AdminCompanyResource </h3> <p>The resource does heavy lifting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">toArray</span><span class="p">(</span><span class="nv">$request</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$owner</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">createdBy</span><span class="p">;</span> <span class="k">return</span> <span class="p">[</span> <span class="c1">// Company</span> <span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'uuid'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">uuid</span><span class="p">,</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'country_name'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getCountryName</span><span class="p">(),</span> <span class="c1">// Owner</span> <span class="s1">'owner_fullname'</span> <span class="o">=&gt;</span> <span class="nv">$owner</span><span class="o">?-&gt;</span><span class="nf">getFullname</span><span class="p">(),</span> <span class="s1">'owner_email'</span> <span class="o">=&gt;</span> <span class="nv">$owner</span><span class="o">?-&gt;</span><span class="n">email</span><span class="p">,</span> <span class="s1">'owner_is_blocked'</span> <span class="o">=&gt;</span> <span class="nv">$owner</span><span class="o">?-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'owner_last_activity'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">formatLastActivity</span><span class="p">(</span><span class="nv">$owner</span><span class="o">?-&gt;</span><span class="n">last_activity_at</span><span class="p">),</span> <span class="c1">// Subscription</span> <span class="s1">'plan_name'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getPlanName</span><span class="p">(),</span> <span class="s1">'subscription_status'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getSubscriptionStatus</span><span class="p">(),</span> <span class="s1">'subscription_status_text'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getSubscriptionStatusText</span><span class="p">(),</span> <span class="s1">'subscription_ends_at_formatted'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span><span class="o">?-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'d-m-Y'</span><span class="p">),</span> <span class="c1">// Finances</span> <span class="s1">'total_payments_sum'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">total_payments</span><span class="p">,</span> <span class="s1">'last_payment_date'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">last_payment_date</span><span class="p">,</span> <span class="c1">// Activity</span> <span class="s1">'employees_count'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">users_count</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Country names translated from config. Plan names resolved from config. Subscription status calculated with priority logic. Last activity formatted as "Recently", "Long time ago", or exact date.</p> <h2> Subscription Status Engine </h2> <p>A company can be in 5 states. The logic has a specific priority order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">getSubscriptionStatus</span><span class="p">():</span> <span class="kt">string</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">resource</span><span class="p">;</span> <span class="c1">// Priority 1: Never started</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">isInSetup</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'never_activated'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Priority 2: Trial is running</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">isOnTrial</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'trial'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Priority 3: Subscription ended</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span> <span class="o">||</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span><span class="o">-&gt;</span><span class="nf">isPast</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'expired'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Priority 4: Expiring soon (within 7 days)</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span><span class="o">-&gt;</span><span class="nf">diffInDays</span><span class="p">(</span><span class="nf">now</span><span class="p">())</span> <span class="o">&lt;=</span> <span class="mi">7</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'expiring'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Priority 5: All good</span> <span class="k">return</span> <span class="s1">'active'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Each status gets a visual indicator in the admin panel:</p> <ul> <li> <code>active</code> - company is paying</li> <li> <code>expiring</code> - less than 7 days left (yellow flag - retention opportunity)</li> <li> <code>expired</code> - subscription ended, access restricted</li> <li> <code>trial</code> - free trial period running</li> <li> <code>never_activated</code> - signed up, never picked a plan</li> </ul> <h3> Company Model Access Methods </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">isOnTrial</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">trial_ends_at</span> <span class="o">&amp;&amp;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">trial_ends_at</span><span class="o">-&gt;</span><span class="nf">isFuture</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">hasActiveSubscription</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span> <span class="o">&amp;&amp;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span><span class="o">-&gt;</span><span class="nf">isFuture</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">hasAccess</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isOnTrial</span><span class="p">()</span> <span class="o">||</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">hasActiveSubscription</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isInSetup</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">plan_id</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">trial_ends_at</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><code>hasAccess()</code> checks both trial and subscription. A company on trial with an expired subscription still has access. Trial takes priority.</p> <h2> Blocking System </h2> <p>A company can be blocked for three distinct reasons. Each one triggers a different user experience.</p> <h3> GetBlockStatusAction </h3> <p>The single source of truth for access status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">GetBlockStatusAction</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__invoke</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">?-&gt;</span><span class="nf">getActiveCompany</span><span class="p">();</span> <span class="nv">$status</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'user_blocked'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'user_ban_reason'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'company_blocked'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'company_block_reason'</span> <span class="o">=&gt;</span> <span class="s1">''</span><span class="p">,</span> <span class="s1">'subscription_expires_soon'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'days_until_expiry'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="p">];</span> <span class="c1">// Level 1: User personally banned</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'user_blocked'</span><span class="p">]</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'user_ban_reason'</span><span class="p">]</span> <span class="o">=</span> <span class="cm">/* from config */</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$status</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Level 2: Company owner banned</span> <span class="nv">$owner</span> <span class="o">=</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">createdBy</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$owner</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'company_blocked'</span><span class="p">]</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'company_block_reason'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'owner_banned'</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$status</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Level 3: Payment issue</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasAccess</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'company_blocked'</span><span class="p">]</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'company_block_reason'</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$hadSubscriptionBefore</span> <span class="o">?</span> <span class="s1">'payment_expired'</span> <span class="o">:</span> <span class="s1">'first_payment_required'</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$status</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Warning: subscription expiring within 10 days</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasActiveSubscription</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$daysLeft</span> <span class="o">=</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">diffInDays</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">subscription_ends_at</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$daysLeft</span> <span class="o">&lt;=</span> <span class="mi">10</span> <span class="o">&amp;&amp;</span> <span class="nv">$daysLeft</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'subscription_expires_soon'</span><span class="p">]</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nv">$status</span><span class="p">[</span><span class="s1">'days_until_expiry'</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$daysLeft</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$status</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Three blocking scenarios with clear priority:</p> <p><strong>1. Owner banned</strong> - Admin blocked the owner. Every employee in the company is locked out. They see: "Your company owner's account has been restricted." Not their fault - different message.</p> <p><strong>2. First payment required</strong> - Company finished trial or skipped it. Never made a payment. Owner sees billing link. Non-owner sees "contact administrator".</p> <p><strong>3. Payment expired</strong> - Had a subscription, it ended. Same owner/employee split as above.</p> <h3> CheckAccessMiddleware </h3> <p>Enforces blocking at the request level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">CheckAccessMiddleware</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="c1">// Priority 1: User personally banned</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">handleBannedUser</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Priority 2: Company access check</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">getActiveCompany</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$check</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkCompanyAccess</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$check</span><span class="p">[</span><span class="s1">'allowed'</span><span class="p">])</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">handlePaymentRequired</span><span class="p">(</span><span class="nv">$request</span><span class="p">,</span> <span class="nv">$check</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Banned user whitelist</strong> - even banned users can access:</p> <ul> <li>Support tickets (to appeal)</li> <li>Notifications</li> <li>Tutorials</li> <li>Language switching</li> <li>Logout</li> <li>Leave impersonation</li> <li>Switch companies</li> </ul> <p>That last one is important. If the owner is banned on Company A but has Company B with active subscription - they switch to B and keep working. The block is per-company, not per-user.</p> <h3> Gates </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// UserBlockedGates</span> <span class="nc">Gate</span><span class="o">::</span><span class="nb">define</span><span class="p">(</span><span class="s1">'view-company-payment-blocked-page'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$type</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">match</span> <span class="p">(</span><span class="nv">$type</span><span class="p">)</span> <span class="p">{</span> <span class="s1">'owner_banned'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">getActiveCompany</span><span class="p">()</span><span class="o">?-&gt;</span><span class="n">createdBy</span><span class="o">?-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'payment_required'</span><span class="p">,</span> <span class="s1">'payment_required_non_owner'</span> <span class="o">=&gt;</span> <span class="o">!</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">getActiveCompany</span><span class="p">()</span><span class="o">?-&gt;</span><span class="nf">hasAccess</span><span class="p">(),</span> <span class="k">default</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <p>Direct URL protection. Users can't access the blocked page unless they're actually blocked.</p> <h2> Subscription Expiry Notifications </h2> <p>The system warns users before blocking them.</p> <h3> Scheduled Command </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">CheckExpiringSubscriptions</span> <span class="kd">extends</span> <span class="nc">Command</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$signature</span> <span class="o">=</span> <span class="s1">'subscriptions:check-expiring'</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkAndNotify</span><span class="p">(</span><span class="n">daysBeforeExpiry</span><span class="o">:</span> <span class="mi">10</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkAndNotify</span><span class="p">(</span><span class="n">daysBeforeExpiry</span><span class="o">:</span> <span class="mi">3</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">checkAndNotify</span><span class="p">(</span><span class="kt">int</span> <span class="nv">$daysBeforeExpiry</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$targetDate</span> <span class="o">=</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span><span class="nv">$daysBeforeExpiry</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toDateString</span><span class="p">();</span> <span class="nv">$companies</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">whereDate</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">,</span> <span class="nv">$targetDate</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$companies</span> <span class="k">as</span> <span class="nv">$company</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$owner</span> <span class="o">=</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">createdBy</span><span class="p">;</span> <span class="c1">// Skip if no owner or owner is banned</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$owner</span> <span class="o">||</span> <span class="nv">$owner</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Unique code prevents duplicates</span> <span class="nv">$code</span> <span class="o">=</span> <span class="s2">"subscription_expiring_</span><span class="si">{</span><span class="nv">$daysBeforeExpiry</span><span class="si">}</span><span class="s2">d_</span><span class="si">{</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nc">Notification</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'code'</span><span class="p">,</span> <span class="nv">$code</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">exists</span><span class="p">())</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Create notification with all locale translations</span> <span class="nv">$notification</span> <span class="o">=</span> <span class="nc">Notification</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'code'</span> <span class="o">=&gt;</span> <span class="nv">$code</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=&gt;</span> <span class="s1">'subscription_expiring'</span><span class="p">,</span> <span class="c1">// ... translations, data with company name, days, expiry date, payment URL</span> <span class="p">]);</span> <span class="nv">$notification</span><span class="o">-&gt;</span><span class="nf">users</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">attach</span><span class="p">(</span><span class="nv">$owner</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>10 days</strong> = friendly reminder. "Hey, renew when you can."<br> <strong>3 days</strong> = urgent. "You're about to lose access."</p> <p>Unique notification codes (<code>subscription_expiring_10d_42</code>) prevent spam. Cron runs daily, notifications are created once.</p> <p>Banned owners are skipped - no point notifying someone who can't access the system anyway.</p> <h2> Frontend Blocked Pages </h2> <h3> CompanyBlocked.vue </h3> <p>One component handles all three blocking scenarios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">script</span> <span class="na">setup</span><span class="nt">&gt;</span> <span class="kd">const</span> <span class="nx">props</span> <span class="o">=</span> <span class="nf">defineProps</span><span class="p">({</span> <span class="na">blockType</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="c1">// 'user_banned' | 'payment_required' | 'payment_required_non_owner'</span> <span class="na">isOwner</span><span class="p">:</span> <span class="nb">Boolean</span><span class="p">,</span> <span class="na">companyName</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nf">computed</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">user_banned</span><span class="p">:</span> <span class="p">{</span> <span class="na">icon</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ban</span><span class="dl">'</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Account blocked</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">All company operations are unavailable.</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="p">{</span> <span class="na">label</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Contact support</span><span class="dl">'</span><span class="p">,</span> <span class="na">href</span><span class="p">:</span> <span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">tickets.create</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="p">},</span> <span class="na">payment_required</span><span class="p">:</span> <span class="p">{</span> <span class="na">icon</span><span class="p">:</span> <span class="dl">'</span><span class="s1">credit-card</span><span class="dl">'</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Subscription expired</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Renew your subscription to continue.</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="p">{</span> <span class="na">label</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Go to billing</span><span class="dl">'</span><span class="p">,</span> <span class="na">href</span><span class="p">:</span> <span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">company.billing</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="p">},</span> <span class="na">payment_required_non_owner</span><span class="p">:</span> <span class="p">{</span> <span class="na">icon</span><span class="p">:</span> <span class="dl">'</span><span class="s1">credit-card</span><span class="dl">'</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Subscription expired</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Please contact your company administrator.</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="p">{</span> <span class="na">label</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logout</span><span class="dl">'</span><span class="p">,</span> <span class="na">href</span><span class="p">:</span> <span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">logout</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}[</span><span class="nx">props</span><span class="p">.</span><span class="nx">blockType</span><span class="p">]));</span> <span class="nt">&lt;/</span><span class="k">script</span><span class="nt">&gt;</span> </code></pre> </div> <p>Different icons, titles, descriptions, and calls-to-action. The owner gets a billing link. The employee gets "contact your admin". The banned user gets support tickets.</p> <h3> Inertia Shared Props </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// HandleInertiaRequests middleware</span> <span class="k">public</span> <span class="k">function</span> <span class="n">share</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="c1">// ... other shared data</span> <span class="s1">'block_status'</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">getBlockStatus</span><span class="p">)(),</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Every page has access to <code>block_status</code>. The Vue frontend can:</p> <ul> <li>Show warning banners: "Your subscription expires in 3 days"</li> <li>Disable features incrementally</li> <li>Display countdown timers</li> </ul> <p>The middleware blocks. Inertia warns. Two different mechanisms for two different purposes.</p> <p>Responsive design: desktop shows side-by-side layout with icon and message, mobile stacks vertically. Dark mode supported via CSS variables.</p> <h2> Payment Model </h2> <h3> CompanyPayment </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">CompanyPayment</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="c1">// Fields</span> <span class="c1">// company_id, user_id, plan_id, billing_period</span> <span class="c1">// amount, currency, discount_amount, discount_reason, promo_code_id</span> <span class="c1">// payment_status, payment_method, payment_response (JSON)</span> <span class="c1">// paid_at, period_start, period_end</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">casts</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'amount'</span> <span class="o">=&gt;</span> <span class="s1">'decimal:2'</span><span class="p">,</span> <span class="s1">'discount_amount'</span> <span class="o">=&gt;</span> <span class="s1">'decimal:2'</span><span class="p">,</span> <span class="s1">'payment_response'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">,</span> <span class="s1">'paid_at'</span> <span class="o">=&gt;</span> <span class="s1">'datetime'</span><span class="p">,</span> <span class="s1">'period_start'</span> <span class="o">=&gt;</span> <span class="s1">'date'</span><span class="p">,</span> <span class="s1">'period_end'</span> <span class="o">=&gt;</span> <span class="s1">'date'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">markAsPaid</span><span class="p">(</span><span class="kt">?array</span> <span class="nv">$response</span> <span class="o">=</span> <span class="kc">null</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'payment_status'</span> <span class="o">=&gt;</span> <span class="s1">'success'</span><span class="p">,</span> <span class="s1">'paid_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'payment_response'</span> <span class="o">=&gt;</span> <span class="nv">$response</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">markAsFailed</span><span class="p">(</span><span class="kt">?array</span> <span class="nv">$response</span> <span class="o">=</span> <span class="kc">null</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'payment_status'</span> <span class="o">=&gt;</span> <span class="s1">'failed'</span><span class="p">,</span> <span class="s1">'payment_response'</span> <span class="o">=&gt;</span> <span class="nv">$response</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getTotalAmount</span><span class="p">():</span> <span class="kt">float</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">amount</span> <span class="o">-</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">discount_amount</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isSuccessful</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment_status</span> <span class="o">===</span> <span class="s1">'success'</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isPending</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment_status</span> <span class="o">===</span> <span class="s1">'pending'</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isFailed</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment_status</span> <span class="o">===</span> <span class="s1">'failed'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Clean state transitions. <code>markAsPaid()</code> sets status, timestamp, and stores raw gateway response. No string comparisons scattered across controllers.</p> <h3> Events </h3> <p>Every successful payment fires <code>CompanyPaymentProcessed</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">getLogProperties</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">company</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'company_name'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">company</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'payment_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'plan_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">plan_id</span><span class="p">,</span> <span class="s1">'amount'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">amount</span><span class="p">,</span> <span class="s1">'currency'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">currency</span><span class="p">,</span> <span class="s1">'discount_amount'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">discount_amount</span><span class="p">,</span> <span class="s1">'payment_status'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">payment_status</span><span class="p">,</span> <span class="s1">'period_start'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">period_start</span><span class="p">,</span> <span class="s1">'period_end'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payment</span><span class="o">-&gt;</span><span class="n">period_end</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Full audit trail. Every dollar tracked.</p> <h3> Admin View </h3> <p>In the admin panel, payment data is displayed in two layers:</p> <p><strong>Table level:</strong> Total payments sum and last payment date (calculated via SQL subquery)<br> <strong>Tooltip level:</strong> Full payment history with individual amounts, discounts, and dates<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// AdminCompanyResource</span> <span class="s1">'payments_history'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">payments</span><span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'date'</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="n">paid_at</span><span class="o">?-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'d-m-Y'</span><span class="p">),</span> <span class="s1">'amount'</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="n">amount</span><span class="p">,</span> <span class="s1">'discount'</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="n">discount_amount</span><span class="p">,</span> <span class="s1">'currency'</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="n">currency</span><span class="p">,</span> <span class="s1">'total'</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="nf">getTotalAmount</span><span class="p">(),</span> <span class="p">]),</span> </code></pre> </div> <h2> Admin Filtering and Search </h2> <h3> AdminCompaniesFilter </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">AdminCompaniesFilter</span> <span class="kd">extends</span> <span class="nc">Filter</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">subscription_status</span><span class="p">(</span><span class="kt">?string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="k">return</span> <span class="k">match</span> <span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="s1">'active'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">,</span> <span class="s1">'&gt;'</span><span class="p">,</span> <span class="nf">now</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">,</span> <span class="s1">'&gt;'</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span><span class="mi">7</span><span class="p">)),</span> <span class="s1">'expiring'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">,</span> <span class="s1">'&gt;'</span><span class="p">,</span> <span class="nf">now</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">,</span> <span class="s1">'&lt;='</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span><span class="mi">7</span><span class="p">)),</span> <span class="s1">'expired'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">,</span> <span class="s1">'&lt;='</span><span class="p">,</span> <span class="nf">now</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">whereNotNull</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">),</span> <span class="s1">'trial'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'trial_ends_at'</span><span class="p">,</span> <span class="s1">'&gt;'</span><span class="p">,</span> <span class="nf">now</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">whereNotNull</span><span class="p">(</span><span class="s1">'trial_ends_at'</span><span class="p">),</span> <span class="s1">'never_activated'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">-&gt;</span><span class="nf">whereNull</span><span class="p">(</span><span class="s1">'plan_id'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereNull</span><span class="p">(</span><span class="s1">'trial_ends_at'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereNull</span><span class="p">(</span><span class="s1">'subscription_ends_at'</span><span class="p">),</span> <span class="p">};</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">plan_id</span><span class="p">(</span><span class="kt">?string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="cm">/* exact match */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">country</span><span class="p">(</span><span class="kt">?string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="cm">/* exact match */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">date_from</span><span class="p">(</span><span class="kt">?string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="cm">/* created_at &gt;= */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">date_to</span><span class="p">(</span><span class="kt">?string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="cm">/* created_at &lt;= */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">search_string</span><span class="p">(</span><span class="kt">?string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"%</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhereHas</span><span class="p">(</span><span class="s1">'createdBy'</span><span class="p">,</span> <span class="k">fn</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"%</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">));</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Same auto-discovery pattern from previous modules. Request has <code>?subscription_status=expiring&amp;plan_id=basic</code>? Base <code>Filter</code> class iterates params, calls matching methods.</p> <h3> Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">AdminCompaniesFilterRequest</span> <span class="kd">extends</span> <span class="nc">FormRequest</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">rules</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'subscription_status'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|in:active,expiring,expired,trial,never_activated'</span><span class="p">,</span> <span class="s1">'plan_id'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|in:basic,optimal,advanced'</span><span class="p">,</span> <span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string'</span><span class="p">,</span> <span class="s1">'date_from'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|date'</span><span class="p">,</span> <span class="s1">'date_to'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|date|after_or_equal:date_from'</span><span class="p">,</span> <span class="s1">'search_string'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string|max:255'</span><span class="p">,</span> <span class="s1">'sort_by'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|in:created_at,subscription_ends_at,employees_count,payments_sum'</span><span class="p">,</span> <span class="s1">'sort_order'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|in:asc,desc'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Everything validated before reaching the filter. Invalid params can't cause SQL errors.</p> <h3> Quick Search </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">search</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">JsonResponse</span> <span class="p">{</span> <span class="nv">$companies</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"%</span><span class="si">{</span><span class="nv">$search</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhereHas</span><span class="p">(</span><span class="s1">'createdBy'</span><span class="p">,</span> <span class="k">fn</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"%</span><span class="si">{</span><span class="nv">$search</span><span class="si">}</span><span class="s2">%"</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">limit</span><span class="p">(</span><span class="mi">15</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">([</span><span class="s1">'id'</span><span class="p">,</span> <span class="s1">'name'</span><span class="p">]);</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="nv">$companies</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Separate JSON endpoint. 15 results max. Used in admin navigation for fast company lookup.</p> <h2> Testing </h2> <h3> Subscription Status </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'company with future subscription has access'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'subscription_ends_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addMonth</span><span class="p">(),</span> <span class="p">]);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasAccess</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">()</span> <span class="o">-&gt;</span><span class="k">and</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasActiveSubscription</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'company on trial has access even without subscription'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'trial_ends_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="s1">'subscription_ends_at'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="p">]);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasAccess</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">()</span> <span class="o">-&gt;</span><span class="k">and</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">isOnTrial</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'company with expired subscription has no access'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'subscription_ends_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subDay</span><span class="p">(),</span> <span class="s1">'trial_ends_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subMonth</span><span class="p">(),</span> <span class="p">]);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasAccess</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeFalse</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Ban Cascade </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'blocking owner blocks employee access'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$owner</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'user_blocked_status'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$employee</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'dashboard'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'company.payment.blocked'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'employee can switch to another company when owner is banned'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Employee belongs to companyA (owner banned) and companyB (active)</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$employee</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'company.switch'</span><span class="p">,</span> <span class="nv">$companyB</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Payment Events </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'successful payment fires CompanyPaymentProcessed'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">fake</span><span class="p">();</span> <span class="nv">$payment</span><span class="o">-&gt;</span><span class="nf">markAsPaid</span><span class="p">([</span><span class="s1">'gateway_status'</span> <span class="o">=&gt;</span> <span class="s1">'ok'</span><span class="p">]);</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">assertDispatched</span><span class="p">(</span><span class="nc">CompanyPaymentProcessed</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$payment</span><span class="o">-&gt;</span><span class="nf">isSuccessful</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">()</span> <span class="o">-&gt;</span><span class="k">and</span><span class="p">(</span><span class="nv">$payment</span><span class="o">-&gt;</span><span class="n">paid_at</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toBeNull</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Expiry Notifications </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'expiring subscription triggers notification at 10 days'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'subscription_ends_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="p">]);</span> <span class="nc">Artisan</span><span class="o">::</span><span class="nf">call</span><span class="p">(</span><span class="s1">'subscriptions:check-expiring'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Notification</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'code'</span><span class="p">,</span> <span class="s2">"subscription_expiring_10d_</span><span class="si">{</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">exists</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'banned owner does not receive expiry notification'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'subscription_ends_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addDays</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="p">]);</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">createdBy</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nc">Artisan</span><span class="o">::</span><span class="nf">call</span><span class="p">(</span><span class="s1">'subscriptions:check-expiring'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Notification</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'code'</span><span class="p">,</span> <span class="s2">"subscription_expiring_10d_</span><span class="si">{</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">exists</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">toBeFalse</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Admin Filtering </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'admin can filter companies by subscription status'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.companies.index'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'subscription_status'</span> <span class="o">=&gt;</span> <span class="s1">'expired'</span><span class="p">]))</span> <span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'companies.data'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'admin search finds company by owner email'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.companies.search'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'search'</span> <span class="o">=&gt;</span> <span class="nv">$owner</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">]))</span> <span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">assertJsonCount</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Pest v4. Real HTTP requests. No middleware mocking. The tests prove the behavior users experience.</p> <h2> Design Decisions </h2> <ol> <li><p><strong><code>hasAccess()</code> checks both trial AND subscription.</strong> A company on trial with an expired subscription still works. Trial takes priority over subscription status. No double penalty.</p></li> <li><p><strong>GetBlockStatusAction as single source of truth.</strong> One place calculates all blocking logic. Middleware uses it. Frontend uses it (via Inertia shared props). No duplicated conditions.</p></li> <li><p><strong>Three block reasons, not one.</strong> "Company blocked" is useless information. "Owner banned" vs "payment expired" vs "never paid" - each requires different user action.</p></li> <li><p><strong>Owner/employee split on blocked pages.</strong> Owner can fix the problem (pay, appeal). Employee can't. Showing an employee a billing link makes no sense.</p></li> <li><p><strong>Per-company blocking, not per-user.</strong> User owns Company A (banned owner) and Company B (active). They can switch to B. Blocking one company shouldn't kill their entire account.</p></li> <li><p><strong>Unique notification codes.</strong> <code>subscription_expiring_10d_42</code> ensures the same notification is never sent twice. Cron-safe.</p></li> <li><p><strong>Subqueries for aggregates in admin.</strong> Total payments, last payment date - calculated in SQL. One query with subqueries is faster than loading all payments and summing in PHP.</p></li> <li><p><strong>Config-driven plans and statuses.</strong> Plan names, subscription status thresholds (7 days for "expiring"), pagination limits - all in config. Changing a threshold doesn't require code changes.</p></li> </ol> <h2> What's Next </h2> <p>This module is part of <strong>LaraFoundry</strong> - an open-source SaaS framework for Laravel, extracted from a production CRM/ERP.</p> <ul> <li>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry/blob/main/docs/modules/admin_companies.md" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a> </li> <li>Previous modules: Registration, Authentication, Multi-Tenancy, Logging, Multilanguage, Navigation, Vue Frontend, Traits &amp; Middlewares, Admin Users</li> </ul> <p>Follow for the next module deep-dive.</p> laravel php sass webdev Building an Admin User Management System for a Multi-Tenant Laravel SaaS Dmitry Isaenko Mon, 27 Apr 2026 10:19:57 +0000 https://dev.to/d_isaenko_dev/building-an-admin-user-management-system-for-a-multi-tenant-laravel-saas-3mdb https://dev.to/d_isaenko_dev/building-an-admin-user-management-system-for-a-multi-tenant-laravel-saas-3mdb <p>You built a SaaS. Users signed up. Now you need to actually manage them. And "manage" means a lot more than a table with an edit button.</p> <p>I built <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP for small businesses. The admin user management module turned out to be one of the most complex pieces in the system. Now I'm extracting it into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel.</p> <p>This post covers the full implementation: CRUD, banning, impersonation, activity logging, and search/filtering.</p> <h2> Table of Contents </h2> <ol> <li>CRUD Architecture</li> <li>Ban System</li> <li>Impersonation ("Follow")</li> <li>Activity Logging</li> <li>Search &amp; Filtering</li> <li>Testing</li> <li>Design Decisions</li> </ol> <h2> CRUD Architecture </h2> <h3> Create </h3> <p>User creation goes through <code>AdminUserStoreRequest</code> - validation happens before the controller.</p> <p><strong>Validated fields:</strong></p> <ul> <li>Required: <code>name</code>, <code>email</code>, <code>password</code> (with confirmation)</li> <li>Optional: <code>lastname</code>, <code>middlename</code>, <code>phone</code>, <code>sex</code>, <code>country</code>, <code>birth_date</code> </li> <li>Social links: array validation - URL must be valid, social network must exist in config</li> </ul> <p><strong>Password handling:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// User model</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">password</span><span class="p">():</span> <span class="kt">Attribute</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Attribute</span><span class="o">::</span><span class="nf">make</span><span class="p">(</span> <span class="n">set</span><span class="o">:</span> <span class="k">fn</span> <span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nc">Hash</span><span class="o">::</span><span class="nf">make</span><span class="p">(</span><span class="nv">$value</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The controller never calls <code>Hash::make()</code>. The Eloquent Attribute mutator handles it. Create, update, import - doesn't matter. One place for hashing.</p> <p><strong>Social links</strong> are validated as an array:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'social_links'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|array'</span><span class="p">,</span> <span class="s1">'social_links.*.url'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|url|max:255'</span><span class="p">,</span> <span class="s1">'social_links.*.social_network'</span> <span class="o">=&gt;</span> <span class="s1">'required_with:social_links.*.url|in:'</span> <span class="mf">.</span> <span class="nb">implode</span><span class="p">(</span><span class="s1">','</span><span class="p">,</span> <span class="nv">$configuredNetworks</span><span class="p">),</span> </code></pre> </div> <h3> Read (Index) </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">index</span><span class="p">(</span><span class="kt">AdminUserFilterRequest</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">AdminUsersFilter</span> <span class="nv">$filter</span><span class="p">):</span> <span class="kt">Response</span> <span class="p">{</span> <span class="nv">$users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$filter</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_users_per_page'</span><span class="p">));</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="s1">'admin/users/Users'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'users'</span> <span class="o">=&gt;</span> <span class="nc">UserResource</span><span class="o">::</span><span class="nf">collection</span><span class="p">(</span><span class="nv">$users</span><span class="p">),</span> <span class="s1">'totalUsers'</span> <span class="o">=&gt;</span> <span class="nc">User</span><span class="o">::</span><span class="nb">count</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>Three key decisions here:</p> <ol> <li> <strong>Filter injection</strong> - <code>AdminUsersFilter</code> is injected, applied via scope. Controller doesn't know how filtering works.</li> <li> <strong>UserResource</strong> - one transformation layer for all responses. The Vue frontend gets consistent data.</li> <li> <strong>Config-driven pagination</strong> - page size lives in config, not hardcoded.</li> </ol> <h3> What the Admin Sees Per User </h3> <p>Every row in the admin users table shows:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Column</th> <th>Data</th> </tr> </thead> <tbody> <tr> <td>ID</td> <td>User ID</td> </tr> <tr> <td>Avatar</td> <td>Profile image or default placeholder</td> </tr> <tr> <td>Name</td> <td>Full name (lastname + name), with block/delete reason if applicable</td> </tr> <tr> <td>Email / Phone</td> <td>Email with verification icon, phone with verification icon, social network links</td> </tr> <tr> <td>Registration / Activity</td> <td>Registration date, last activity (with "long ago" warning highlight)</td> </tr> <tr> <td>Companies</td> <td>Owned companies count / employee companies count</td> </tr> <tr> <td>Country</td> <td>Localized country name</td> </tr> <tr> <td>Sex</td> <td>Gender</td> </tr> <tr> <td>Age</td> <td>Calculated from birth_date</td> </tr> <tr> <td>Actions</td> <td>Create ticket, view logs, edit, block/unblock, delete/undelete, impersonate</td> </tr> </tbody> </table></div> <p>The <code>UserResource</code> handles all transformation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">return</span> <span class="p">[</span> <span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nb">trim</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">lastname</span> <span class="mf">.</span> <span class="s1">' '</span> <span class="mf">.</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">),</span> <span class="s1">'avatar'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">avatar_url</span> <span class="o">??</span> <span class="s1">'/images/default-user-logo.png'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">,</span> <span class="s1">'phone'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">phone</span><span class="p">,</span> <span class="s1">'email_verificated'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">email_verified_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'phone_verificated'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">phone_verified_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'social_links'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">socialLinks</span><span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="cm">/* ... */</span><span class="p">),</span> <span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="nv">$localizedCountryName</span><span class="p">,</span> <span class="s1">'age'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">birth_date</span><span class="o">?-&gt;</span><span class="n">age</span><span class="p">,</span> <span class="s1">'sex'</span> <span class="o">=&gt;</span> <span class="nv">$genderLabel</span><span class="p">,</span> <span class="s1">'created_at'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">created_at</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'d-m-Y'</span><span class="p">),</span> <span class="s1">'last_activity_at'</span> <span class="o">=&gt;</span> <span class="nv">$formattedActivity</span><span class="p">,</span> <span class="c1">// "5 min ago", "long_ago", "Never"</span> <span class="s1">'owned_companies_count'</span> <span class="o">=&gt;</span> <span class="nv">$ownedCount</span><span class="p">,</span> <span class="s1">'employee_companies_count'</span> <span class="o">=&gt;</span> <span class="nv">$employeeCount</span><span class="p">,</span> <span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span><span class="p">,</span> <span class="s1">'block_code_text'</span> <span class="o">=&gt;</span> <span class="nv">$formattedBlockReason</span><span class="p">,</span> <span class="c1">// "1. SPAM (3 days ago)"</span> <span class="s1">'user_deleted_at'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user_deleted_at</span><span class="p">,</span> <span class="p">];</span> </code></pre> </div> <p>Blocked users get a visual badge and the row is styled differently. Deleted users too. Action buttons change based on status: blocked users show "unblock" instead of "block", deleted users show "restore" instead of "delete".</p> <h3> Update </h3> <p>Social links are managed in a database transaction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$validated</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">socialLinks</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$validated</span><span class="p">[</span><span class="s1">'social_links'</span><span class="p">]</span> <span class="o">??</span> <span class="p">[]</span> <span class="k">as</span> <span class="nv">$link</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nb">trim</span><span class="p">(</span><span class="nv">$link</span><span class="p">[</span><span class="s1">'url'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">!==</span> <span class="s1">''</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">socialLinks</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'url'</span> <span class="o">=&gt;</span> <span class="nv">$link</span><span class="p">[</span><span class="s1">'url'</span><span class="p">],</span> <span class="s1">'social_network'</span> <span class="o">=&gt;</span> <span class="nv">$link</span><span class="p">[</span><span class="s1">'social_network'</span><span class="p">],</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Delete all existing, create new ones. Atomic operation. No orphaned records.</p> <p>Email uniqueness on update ignores the current user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">,</span> <span class="nc">Rule</span><span class="o">::</span><span class="nf">unique</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">ignore</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'user'</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)],</span> </code></pre> </div> <p>The controller also supports a <code>return_url</code> parameter - so the admin lands back exactly where they navigated from.</p> <h3> Delete (Soft) </h3> <p>Deletion sets a <code>user_deleted_at</code> timestamp. Not Laravel's <code>SoftDeletes</code> trait - we use separate timestamps for blocking and deletion.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">delete</span><span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">):</span> <span class="kt">RedirectResponse</span> <span class="p">{</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'user_deleted_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'user_blocked_status'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="p">]);</span> <span class="k">return</span> <span class="nf">back</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">with</span><span class="p">(</span><span class="s1">'success'</span><span class="p">,</span> <span class="nf">__</span><span class="p">(</span><span class="s1">'User deleted'</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Deleting clears block status. A user can't be both blocked and deleted.</p> <p>Restoring is the reverse: clear <code>user_deleted_at</code>.</p> <h2> Ban System </h2> <p>Banning is not a boolean toggle. It's a multi-step process with events, notifications, and cascade effects.</p> <h3> Block Reasons (Config-Driven) </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// config/own.php</span> <span class="s1">'block_codes'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="mi">1</span> <span class="o">=&gt;</span> <span class="s1">'SPAM'</span><span class="p">,</span> <span class="mi">2</span> <span class="o">=&gt;</span> <span class="s1">'Violation of the rules of service'</span><span class="p">,</span> <span class="mi">3</span> <span class="o">=&gt;</span> <span class="s1">'Inappropriate behavior'</span><span class="p">,</span> <span class="mi">4</span> <span class="o">=&gt;</span> <span class="s1">'Fake account'</span><span class="p">,</span> <span class="mi">5</span> <span class="o">=&gt;</span> <span class="s1">'Reason 05'</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>Add a ban reason = add a config entry. No code changes. No migrations.</p> <h3> Block Flow </h3> <p>When an admin clicks "Block":</p> <ol> <li> <strong>Database update</strong> - <code>user_blocked_at = now()</code>, <code>user_blocked_status = $reasonId</code> </li> <li> <strong>Event dispatch</strong> - <code>event(new UserBlocked(auth()-&gt;user(), $user, $reasonId))</code> </li> <li> <strong>Queue job</strong> - <code>NotifyUserAboutBlocked::dispatch($user, $reasonId)</code> </li> </ol> <p>Two separate concerns: event for activity logging, job for email notification. The admin doesn't wait for SMTP.</p> <h3> Access Enforcement </h3> <p><code>CheckAccessMiddleware</code> runs on every authenticated request. Three levels:</p> <p><strong>Level 1 - User ban:</strong><br> The user is redirected to a "blocked" page. But they can still access:</p> <ul> <li>Support tickets (to appeal the ban)</li> <li>Notifications</li> <li>Tutorials</li> <li>Language switching</li> <li>Logout</li> <li>Leave impersonation</li> </ul> <p>Locking someone out with zero recourse is bad UX and possibly a legal problem.</p> <p><strong>Level 2 - Company owner ban:</strong><br> Every employee of the banned owner's company gets blocked. Different page, different message. They know it's the owner's issue, not theirs.</p> <p><strong>Level 3 - Payment expired:</strong><br> Users can access payment pages and settings, but the rest of the app shows alerts.</p> <h3> Blocked User Page </h3> <p>The blocked user sees their ban reason and date:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">show</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">Response</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="s1">'user/Blocked'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'blockReason'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getUserBlockedStatus</span><span class="p">(),</span> <span class="s1">'blockDate'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getUserBlockedDate</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>Access to this page is gated - only users with <code>user_blocked_at !== null</code> can see it.</p> <h3> Unblock </h3> <p>Clears timestamps, fires <code>UserUnblocked</code> event, dispatches <code>NotifyUserAboutUnblocked</code> job. Clean reverse.</p> <h3> Event Logging </h3> <p>Every block/unblock is captured in the activity log with full context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">getLogProperties</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'user_name'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">getFullname</span><span class="p">(),</span> <span class="s1">'user_email'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">,</span> <span class="s1">'blocked_at'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span><span class="o">?-&gt;</span><span class="nf">toDateTimeString</span><span class="p">(),</span> <span class="s1">'block_reason_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">reasonId</span><span class="p">,</span> <span class="s1">'block_reason'</span> <span class="o">=&gt;</span> <span class="nv">$reasonText</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Who blocked whom, when, and why. Complete audit trail.</p> <h2> Impersonation </h2> <p>"I can't see that button on my dashboard."</p> <p>One click - you're logged in as that user. Seeing exactly what they see.</p> <h3> Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ImpersonateController</span> <span class="kd">extends</span> <span class="nc">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">take</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="nv">$userId</span><span class="p">,</span> <span class="kt">ImpersonateManager</span> <span class="nv">$impersonate</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">findOrFail</span><span class="p">(</span><span class="nv">$userId</span><span class="p">);</span> <span class="nv">$impersonate</span><span class="o">-&gt;</span><span class="nf">take</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">(),</span> <span class="nv">$user</span><span class="p">);</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">location</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">));</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">leave</span><span class="p">(</span><span class="kt">ImpersonateManager</span> <span class="nv">$impersonate</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$impersonate</span><span class="o">-&gt;</span><span class="nf">leave</span><span class="p">();</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">location</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.users.index'</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Built on <code>lab404/laravel-impersonate</code>. The admin session is preserved.</p> <h3> Frontend Awareness </h3> <p>Every page knows if impersonation is active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// HandleInertiaRequests middleware</span> <span class="s1">'impersonate'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'isActive'</span> <span class="o">=&gt;</span> <span class="nv">$impersonate</span><span class="o">-&gt;</span><span class="nf">isImpersonating</span><span class="p">()</span> <span class="p">]</span> </code></pre> </div> <p>The Vue frontend can show a warning bar: "You are viewing as User X" with a "Leave" button.</p> <h3> Security </h3> <ul> <li>Route requires <code>AdminAccess</code> middleware</li> <li>2FA verification required</li> <li>Activity log captures the event</li> <li>"Leave impersonation" route is whitelisted even for banned users (admin can exit cleanly)</li> <li>"Follow" button hidden for blocked or deleted users</li> </ul> <h3> UI </h3> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;Link</span> <span class="err">@</span><span class="na">click.stop</span> <span class="na">class=</span><span class="s">"btn follow"</span> <span class="na">:href=</span><span class="s">"route('admin.impersonate.take', user.id)"</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">:title=</span><span class="s">"t('Follow')"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- person + arrow icon --&gt;</span> <span class="nt">&lt;/Link&gt;</span> </code></pre> </div> <p>Inertia <code>&lt;Link&gt;</code> component with POST method. No JavaScript fetch calls. No page reload after leaving - <code>Inertia::location()</code> handles full redirect.</p> <h2> Activity Logging </h2> <p>Every action in the system flows through <code>ActivityLogServiceProvider</code>. 30+ event types: login, logout, failed login, user blocked, company created, warehouse updated - everything.</p> <h3> What Gets Stored </h3> <p>Extended Spatie's Activity model with <code>CustomActivity</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>activity_log table: ├── core: log_name, description, subject_type, subject_id, causer_id ├── geo: geo_country, geo_city, geo_updated_at ├── device: user_device_type, user_device_name, user_os, user_browser ├── network: user_ip, user_agent ├── request: route_name, request_method, full_url, response_code └── status: is_successful </code></pre> </div> <p>Plus custom event properties in the <code>properties</code> JSON column.</p> <h3> Logging Flow </h3> <ol> <li>Event fires (e.g., <code>UserBlocked</code>)</li> <li> <code>ActivityLogServiceProvider</code> listener captures it</li> <li> <code>ActivityLogService::logActivity()</code> creates the record with all metadata</li> <li> <code>RetrieveActivityGeoData</code> job dispatched to resolve IP → country/city asynchronously</li> </ol> <p>The geo lookup is a queued job. The original request isn't slowed by an external API call. Geo data appears in the activity log when the job completes.</p> <h3> Admin UI - User Activity Log </h3> <p>Route: <code>GET /admin/logs/{user}?hours=1</code></p> <p><strong>Time range selector:</strong> Buttons for 1h, 6h, 12h, 24h, 48h, 72h. Because "show me the last hour" is 90% of debugging.</p> <p><strong>Table with interactive tooltips:</strong></p> <ul> <li> <strong>Hover IP</strong> → Device type, device name, OS, browser, country, city</li> <li> <strong>Hover action</strong> → Event name, route name, middleware chain, request method, full URL, event properties</li> </ul> <p>Desktop shows a table. Mobile shows cards. Same data, different layout via responsive Vue component.</p> <h3> General Activity Log </h3> <p>Route: <code>GET /admin/logs?hours=24</code></p> <p>System-wide activity. All events. 100 per page. Useful for spotting patterns across users.</p> <h3> Data Transformation </h3> <p><code>ActivityLogResource</code> prepares the data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'formatted_date'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">created_at</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'d.m.Y H:i:s'</span><span class="p">),</span> <span class="s1">'human_date'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">created_at</span><span class="o">-&gt;</span><span class="nf">locale</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'app.locale'</span><span class="p">))</span><span class="o">-&gt;</span><span class="nf">diffForHumans</span><span class="p">(),</span> <span class="s1">'response_code'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">response_code</span><span class="p">,</span> <span class="s1">'is_successful'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">is_successful</span><span class="p">,</span> </code></pre> </div> <h2> Search and Filtering </h2> <h3> Multi-Field Search </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">protected</span> <span class="k">function</span> <span class="n">search_string</span><span class="p">(</span><span class="nv">$value</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="nv">$query</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="nv">$value</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhere</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhere</span><span class="p">(</span><span class="s1">'lastname'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhere</span><span class="p">(</span><span class="s1">'middlename'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhere</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhere</span><span class="p">(</span><span class="s1">'phone'</span><span class="p">,</span> <span class="s1">'like'</span><span class="p">,</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orWhereRaw</span><span class="p">(</span><span class="s2">"lastname || ' ' || name LIKE ?"</span><span class="p">,</span> <span class="p">[</span><span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">orWhereRaw</span><span class="p">(</span><span class="s2">"name || ' ' || lastname LIKE ?"</span><span class="p">,</span> <span class="p">[</span><span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">orWhereRaw</span><span class="p">(</span><span class="s2">"lastname || ' ' || name || ' ' || middlename LIKE ?"</span><span class="p">,</span> <span class="p">[</span><span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">orWhereRaw</span><span class="p">(</span><span class="s2">"name || ' ' || lastname || ' ' || middlename LIKE ?"</span><span class="p">,</span> <span class="p">[</span><span class="s2">"</span><span class="si">{</span><span class="nv">$value</span><span class="si">}</span><span class="s2">%"</span><span class="p">]);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>"Smith John" works. "John Smith" works. "Smith" works. User ID works. Email prefix works.</p> <h3> Filter Auto-Discovery </h3> <p>Same pattern from the Traits &amp; Middlewares module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">AdminUsersFilter</span> <span class="kd">extends</span> <span class="nc">Filter</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">search_string</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* multi-field search */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">age_from</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* birth_date &lt;= now - age years */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">age_to</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* birth_date &gt;= now - age years */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">country</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* exact match */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">registrated</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* today | this_month | this_year */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">email_verificated</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* verificated | unverificated */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">phone_verificated</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* verificated | unverificated */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">recent_activity</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* configurable threshold */</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">sex</span><span class="p">(</span><span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* m | f */</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Request has <code>?age_from=25&amp;country=DE</code>? Base <code>Filter</code> class iterates request params, calls matching methods. No switch statements. No config mappings.</p> <h3> Validation </h3> <p>Every filter parameter goes through <code>AdminUserFilterRequest</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'age_from'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|integer|min:16|max:100'</span><span class="p">,</span> <span class="s1">'age_to'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|integer|min:16|max:100'</span><span class="p">,</span> <span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string|in:'</span> <span class="mf">.</span> <span class="nb">implode</span><span class="p">(</span><span class="s1">','</span><span class="p">,</span> <span class="nb">array_keys</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'app.available_countries'</span><span class="p">))),</span> <span class="s1">'registrated'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string|in:all,today,this_month,this_year'</span><span class="p">,</span> <span class="s1">'recent_activity'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string|in:all,more,less_or_equal'</span><span class="p">,</span> <span class="s1">'email_verificated'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string|in:all,verificated,unverificated'</span><span class="p">,</span> <span class="s1">'sex'</span> <span class="o">=&gt;</span> <span class="s1">'nullable|string|in:m,f'</span><span class="p">,</span> </code></pre> </div> <h3> Real-Time Search </h3> <p>Separate endpoint: <code>GET /admin/users/search</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">search</span><span class="p">(</span><span class="kt">AdminUserFilterRequest</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">AdminUsersFilter</span> <span class="nv">$filter</span><span class="p">):</span> <span class="kt">JsonResponse</span> <span class="p">{</span> <span class="nv">$users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'!='</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_email'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$filter</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_users_per_page'</span><span class="p">));</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'users'</span> <span class="o">=&gt;</span> <span class="nc">UserResource</span><span class="o">::</span><span class="nf">collection</span><span class="p">(</span><span class="nv">$users</span><span class="p">),</span> <span class="s1">'search'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">input</span><span class="p">(</span><span class="s1">'search_string'</span><span class="p">),</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>Returns JSON. Frontend component shows matching users as you type. Click a result = navigate to user.</p> <h2> Testing </h2> <p>Admin user management touches auth, permissions, events, jobs, middleware, and database. All tested through HTTP behavior.</p> <h3> CRUD </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'admin can create user with valid data'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.users.store'</span><span class="p">),</span> <span class="p">[</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'John'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'john@example.com'</span><span class="p">,</span> <span class="s1">'password'</span> <span class="o">=&gt;</span> <span class="s1">'securepassword'</span><span class="p">,</span> <span class="s1">'password_confirmation'</span> <span class="o">=&gt;</span> <span class="s1">'securepassword'</span><span class="p">,</span> <span class="p">])</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'john@example.com'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">exists</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'admin cannot create user with duplicate email'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'taken@example.com'</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.users.store'</span><span class="p">),</span> <span class="p">[</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'John'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'taken@example.com'</span><span class="p">,</span> <span class="s1">'password'</span> <span class="o">=&gt;</span> <span class="s1">'securepassword'</span><span class="p">,</span> <span class="s1">'password_confirmation'</span> <span class="o">=&gt;</span> <span class="s1">'securepassword'</span><span class="p">,</span> <span class="p">])</span> <span class="o">-&gt;</span><span class="nf">assertSessionHasErrors</span><span class="p">(</span><span class="s1">'email'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Ban Cascade </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'blocking company owner blocks employees'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.users.block'</span><span class="p">,</span> <span class="nv">$owner</span><span class="p">),</span> <span class="p">[</span><span class="s1">'reason_id'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$employee</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'dashboard'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'company.payment.blocked'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'blocked user can access support tickets'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$blockedUser</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'tickets.index'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Events &amp; Jobs </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Event</span><span class="o">::</span><span class="nf">fake</span><span class="p">();</span> <span class="nc">Queue</span><span class="o">::</span><span class="nf">fake</span><span class="p">();</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.users.block'</span><span class="p">,</span> <span class="nv">$user</span><span class="p">),</span> <span class="p">[</span><span class="s1">'reason_id'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">]);</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">assertDispatched</span><span class="p">(</span><span class="nc">UserBlocked</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="nc">Queue</span><span class="o">::</span><span class="nf">assertPushed</span><span class="p">(</span><span class="nc">NotifyUserAboutBlocked</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> </code></pre> </div> <h3> Impersonation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'admin can impersonate user'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$admin</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.impersonate.take'</span><span class="p">,</span> <span class="nv">$user</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'cannot impersonate blocked user'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Follow button hidden in UI; route-level protection</span> <span class="p">});</span> </code></pre> </div> <p>Pest v4 + Laravel's HTTP testing. No mocking middleware. No testing implementation details. Assert what users experience.</p> <h2> Design Decisions </h2> <ol> <li><p><strong>Timestamps, not booleans.</strong> <code>user_blocked_at</code> instead of <code>is_blocked</code>. You need to know WHEN it happened. "Blocked 3 days ago" is actionable. "Blocked: yes" tells you nothing.</p></li> <li><p><strong>Events + jobs, not inline logic.</strong> Blocking fires an event (for logging) and a job (for notification). Two concerns, two mechanisms. The admin response isn't blocked by SMTP.</p></li> <li><p><strong>Config-driven ban reasons.</strong> Adding a reason shouldn't require a migration or a code change. Config array entry is enough.</p></li> <li><p><strong>Filter auto-discovery reuse.</strong> Same abstract <code>Filter</code> class from the Traits module. <code>AdminUsersFilter</code> just defines the methods. Zero framework code duplicated.</p></li> <li><p><strong>Async geo lookup.</strong> Activity log stores device data synchronously (it's already in the request). Geo data resolved via queue job. Speed vs completeness trade-off.</p></li> <li><p><strong>Separate timestamps for block and delete.</strong> A user can be blocked and later unblocked. Or blocked and then deleted (clearing block status). Different states, different semantics.</p></li> <li><p><strong>Impersonation with guardrails.</strong> 2FA required. Activity logged. Frontend awareness built in. "Leave" route always available.</p></li> </ol> <h2> What's Next </h2> <p>This module is part of <strong>LaraFoundry</strong> - an open-source SaaS framework for Laravel, extracted from a production CRM/ERP.</p> <ul> <li>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a> </li> <li>Previous modules: Registration, Authentication, Multi-Tenancy, Logging, Multilanguage, Navigation, Vue Frontend, Traits &amp; Middlewares</li> </ul> <p>Follow for the next module deep-dive.</p> laravel php sass webdev 11 Middlewares and 6 Traits That Power a Multi-Tenant Laravel SaaS Dmitry Isaenko Mon, 20 Apr 2026 09:14:13 +0000 https://dev.to/d_isaenko_dev/11-middlewares-and-6-traits-that-power-a-multi-tenant-laravel-saas-441n https://dev.to/d_isaenko_dev/11-middlewares-and-6-traits-that-power-a-multi-tenant-laravel-saas-441n <p>Every request in a multi-tenant SaaS needs to answer a dozen questions before your controller runs. Which company context? Is the session valid? Is the user banned? Has the subscription expired? Should the screen be locked? What language?</p> <p>I built <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP - and ended up with 11 custom middlewares and 6 traits. Not because I wanted to over-engineer, but because each one solved a recurring problem. Now I'm extracting them into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel.</p> <p>This post covers the full middleware stack, all custom traits, and the design decisions behind them.</p> <h2> The Middleware Stack </h2> <p>Order matters. Here's the complete stack with execution sequence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 1. HandleInertiaRequests → shares props with Vue frontend 2. SetActiveCompanyMiddleware → resolves company context 3. UpdateLastSessionActivity → tracks activity + device info 4. AddLinkHeadersForPreloadedAssets → HTTP/2 push 5. StoreIntendedUrl → saves URL for post-auth redirects 6. SetLocale → detects language 7. EnsureEmailIsVerified → gates unverified users 8. CheckPinLockMiddleware → locks after inactivity 9. CheckAccessMiddleware → user bans, owner bans, payment 10. CheckSessionExists → validates session in DB 11. CheckForSessionValidity → regenerates token if needed </code></pre> </div> <p><strong>Why order matters:</strong></p> <ul> <li> <code>SetActiveCompanyMiddleware</code> MUST run before <code>CheckAccessMiddleware</code> - access checks need company context to verify payment status</li> <li> <code>UpdateLastSessionActivity</code> MUST run before <code>CheckPinLockMiddleware</code> - PIN timeout calculated from last_activity timestamp</li> <li> <code>SetLocale</code> MUST run before <code>EnsureEmailIsVerified</code> - verification page needs correct language</li> </ul> <p>In Laravel 12, middlewares are configured in <code>bootstrap/app.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="o">-&gt;</span><span class="nf">withMiddleware</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="kt">Middleware</span> <span class="nv">$middleware</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$middleware</span><span class="o">-&gt;</span><span class="nf">web</span><span class="p">(</span><span class="n">append</span><span class="o">:</span> <span class="p">[</span> <span class="nc">HandleInertiaRequests</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">SetActiveCompanyMiddleware</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">UpdateLastSessionActivityMiddleware</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">AddLinkHeadersForPreloadedAssets</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">StoreIntendedUrl</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">SetLocale</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">EnsureEmailIsVerified</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">CheckPinLockMiddleware</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">CheckAccessMiddleware</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">CheckSessionExists</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">CheckForSessionValidityMiddleware</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">]);</span> <span class="p">})</span> </code></pre> </div> <p>One declaration. Full picture. No Kernel.php scattering.</p> <h2> Middleware Deep-Dives </h2> <h3> SetActiveCompanyMiddleware - Company Context Resolution </h3> <p>A user can own Company A and be an employee at Company B simultaneously. This middleware determines which company context each request runs in.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">()</span> <span class="o">||</span> <span class="o">!</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">hasVerifiedEmail</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$sessionCompanyId</span> <span class="o">=</span> <span class="nf">session</span><span class="p">(</span><span class="s1">'active_company_id'</span><span class="p">);</span> <span class="c1">// Validate: does user still belong to this company?</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$sessionCompanyId</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">companies</span><span class="o">-&gt;</span><span class="nf">contains</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="nv">$sessionCompanyId</span><span class="p">))</span> <span class="p">{</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">forget</span><span class="p">(</span><span class="s1">'active_company_id'</span><span class="p">);</span> <span class="nv">$sessionCompanyId</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Priority: owned company, then employee company</span> <span class="nv">$companies</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">companies</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">whereNull</span><span class="p">(</span><span class="s1">'deleted_at'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="nv">$activeCompany</span> <span class="o">=</span> <span class="nv">$companies</span><span class="o">-&gt;</span><span class="nf">firstWhere</span><span class="p">(</span><span class="s1">'pivot.is_owner'</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="o">??</span> <span class="nv">$companies</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">setActiveCompany</span><span class="p">(</span><span class="nv">$activeCompany</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Resolution priority:</p> <ol> <li>Valid session company (user switched manually) → keep it</li> <li>First company where user is owner</li> <li>First company where user is employee</li> </ol> <p>Edge cases handled: deleted companies filtered. Invalid session values cleared. Users who lost company access don't keep stale context.</p> <h3> CheckPinLockMiddleware - Inactivity Screen Lock </h3> <p>After 30 minutes without activity, the screen locks. PIN code required to continue.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$session</span> <span class="o">=</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$session</span> <span class="o">||</span> <span class="o">!</span><span class="nv">$session</span><span class="o">-&gt;</span><span class="n">last_activity</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$session</span><span class="o">?-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$secondsSinceActivity</span> <span class="o">=</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">diffInSeconds</span><span class="p">(</span><span class="nv">$session</span><span class="o">-&gt;</span><span class="n">last_activity</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$secondsSinceActivity</span> <span class="o">&gt;=</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'security.pin_lock_timeout'</span><span class="p">,</span> <span class="mi">1800</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$session</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'pin_locked'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">expectsJson</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'session_locked'</span><span class="p">],</span> <span class="mi">423</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'pin.enter'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Design decisions:</p> <ul> <li> <strong>Database-backed state</strong> - PIN lock stored in <code>user_sessions.pin_locked</code>, not in PHP session. Can't bypass by manipulating cookies.</li> <li> <strong>HTTP 423 for APIs</strong> - JSON requests get a proper status code, not a redirect to an HTML page.</li> <li> <strong>Configurable timeout</strong> - <code>config('security.pin_lock_timeout')</code> defaults to 1800 seconds (30 min).</li> <li> <strong>Unlock redirects back</strong> - After entering PIN, user returns to <code>last_route_name</code> stored by UpdateLastSessionActivity.</li> </ul> <h3> CheckAccessMiddleware - Three-Level Access Control </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="c1">// Level 1: User ban</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$allowed</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'user.blocked'</span><span class="p">,</span> <span class="s1">'logout'</span><span class="p">,</span> <span class="s1">'notifications.*'</span><span class="p">,</span> <span class="s1">'tickets.*'</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">routeIs</span><span class="p">(</span><span class="mf">...</span><span class="nv">$allowed</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'user.blocked'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Level 2: Company owner ban</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nf">activeCompany</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span> <span class="o">&amp;&amp;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">owner</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'company.payment.blocked'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'type'</span> <span class="o">=&gt;</span> <span class="s1">'owner_banned'</span><span class="p">]);</span> <span class="p">}</span> <span class="c1">// Level 3: Payment status</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">isInSetup</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="nf">hasAccess</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$allowed</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'new_company.*'</span><span class="p">,</span> <span class="s1">'my_company.service_payment'</span><span class="p">,</span> <span class="s1">'company.payment.blocked'</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">routeIs</span><span class="p">(</span><span class="mf">...</span><span class="nv">$allowed</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'company.payment.blocked'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Three levels with specific route whitelists:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Level</th> <th>Condition</th> <th>Allowed Routes</th> <th>Everything Else</th> </tr> </thead> <tbody> <tr> <td>User ban</td> <td><code>user_blocked_at != null</code></td> <td>logout, notifications, tickets, tutorials</td> <td>→ user.blocked</td> </tr> <tr> <td>Owner ban</td> <td>Company owner is banned</td> <td>(none for employees)</td> <td>→ company.payment.blocked</td> </tr> <tr> <td>Payment</td> <td>Trial/subscription expired</td> <td>payment pages, company settings</td> <td>→ company.payment.blocked</td> </tr> </tbody> </table></div> <p>Banned users can still reach support. Expired subscriptions still allow reaching payment pages. Practical, not punitive.</p> <h3> SetLocale - Language Detection Chain </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Authenticated user detection chain</span> <span class="k">private</span> <span class="k">function</span> <span class="n">detectAuthenticatedLocale</span><span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">,</span> <span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">string</span> <span class="p">{</span> <span class="c1">// 1. User profile preference</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">locale</span> <span class="o">&amp;&amp;</span> <span class="nb">in_array</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">locale</span><span class="p">,</span> <span class="nv">$availableLanguages</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">locale</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 2. Session locale</span> <span class="k">if</span> <span class="p">(</span><span class="nf">session</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nb">in_array</span><span class="p">(</span><span class="nf">session</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">),</span> <span class="nv">$availableLanguages</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">session</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// 3. Browser Accept-Language header</span> <span class="nv">$browserLocale</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">detectFromBrowser</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$browserLocale</span><span class="p">)</span> <span class="k">return</span> <span class="nv">$browserLocale</span><span class="p">;</span> <span class="c1">// 4. IP geolocation (2s timeout)</span> <span class="nv">$geoLocale</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">detectFromIp</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">());</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$geoLocale</span><span class="p">)</span> <span class="k">return</span> <span class="nv">$geoLocale</span><span class="p">;</span> <span class="c1">// 5. App default</span> <span class="k">return</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.locale'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>For guests, the chain uses cookies (10-year lifetime) instead of user profile. IP geolocation calls <code>ip-api.com</code> with a 2-second timeout - if it fails, we silently fall back. No broken pages from API downtime.</p> <p>Config-driven mappings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// config/app.php</span> <span class="s1">'browser_locale_map'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'de'</span> <span class="o">=&gt;</span> <span class="s1">'de'</span><span class="p">,</span> <span class="s1">'uk'</span> <span class="o">=&gt;</span> <span class="s1">'ua'</span><span class="p">,</span> <span class="s1">'ru'</span> <span class="o">=&gt;</span> <span class="s1">'ru'</span><span class="p">],</span> <span class="s1">'country_locale_map'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'DE'</span> <span class="o">=&gt;</span> <span class="s1">'de'</span><span class="p">,</span> <span class="s1">'UA'</span> <span class="o">=&gt;</span> <span class="s1">'ua'</span><span class="p">,</span> <span class="s1">'US'</span> <span class="o">=&gt;</span> <span class="s1">'en'</span><span class="p">],</span> </code></pre> </div> <p>Adding a new language = two array entries. No code changes.</p> <h3> UpdateLastSessionActivityMiddleware - Activity + Device Tracking </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">())</span> <span class="k">return</span> <span class="nv">$response</span><span class="p">;</span> <span class="c1">// Skip non-trackable requests</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">shouldSkip</span><span class="p">(</span><span class="nv">$request</span><span class="p">,</span> <span class="nv">$response</span><span class="p">))</span> <span class="k">return</span> <span class="nv">$response</span><span class="p">;</span> <span class="nv">$session</span> <span class="o">=</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$session</span><span class="p">)</span> <span class="k">return</span> <span class="nv">$response</span><span class="p">;</span> <span class="nv">$agent</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Agent</span><span class="p">();</span> <span class="nv">$session</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'last_route_name'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">()</span><span class="o">?-&gt;</span><span class="nf">getName</span><span class="p">(),</span> <span class="s1">'device_type'</span> <span class="o">=&gt;</span> <span class="nv">$agent</span><span class="o">-&gt;</span><span class="nf">isDesktop</span><span class="p">()</span> <span class="o">?</span> <span class="s1">'desktop'</span> <span class="o">:</span> <span class="p">(</span><span class="nv">$agent</span><span class="o">-&gt;</span><span class="nf">isTablet</span><span class="p">()</span> <span class="o">?</span> <span class="s1">'tablet'</span> <span class="o">:</span> <span class="s1">'mobile'</span><span class="p">),</span> <span class="s1">'device_name'</span> <span class="o">=&gt;</span> <span class="nv">$agent</span><span class="o">-&gt;</span><span class="nf">device</span><span class="p">(),</span> <span class="s1">'os'</span> <span class="o">=&gt;</span> <span class="nv">$agent</span><span class="o">-&gt;</span><span class="nf">platform</span><span class="p">(),</span> <span class="s1">'browser'</span> <span class="o">=&gt;</span> <span class="nv">$agent</span><span class="o">-&gt;</span><span class="nf">browser</span><span class="p">(),</span> <span class="p">]);</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'last_activity_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="k">return</span> <span class="nv">$response</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Skipped for: PIN routes (would reset timeout), non-HTML requests, redirects, excluded routes (profile, notifications, API).</p> <p>Result: admin panel shows "User X on Chrome/Windows/Desktop, last active 3 minutes ago on orders page." Useful for support, analytics, and security monitoring.</p> <h3> Session Validation - Anti-Hijacking </h3> <p>Two middlewares work together:</p> <p><strong>CheckSessionExists</strong> - validates session for all requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$exists</span> <span class="o">=</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'user_id'</span><span class="p">,</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$exists</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">logout</span><span class="p">();</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">invalidate</span><span class="p">();</span> <span class="k">return</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">expectsJson</span><span class="p">()</span> <span class="o">?</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'session_expired'</span><span class="p">],</span> <span class="mi">401</span><span class="p">)</span> <span class="o">:</span> <span class="nf">redirect</span><span class="p">(</span><span class="s1">'/'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>CheckForSessionValidity</strong> - additional cleanup for browser requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$exists</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Cookie</span><span class="o">::</span><span class="nf">queue</span><span class="p">(</span><span class="nc">Cookie</span><span class="o">::</span><span class="nf">forget</span><span class="p">(</span><span class="s1">'remember_web_*'</span><span class="p">));</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">invalidate</span><span class="p">();</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">regenerateToken</span><span class="p">();</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="s1">'/'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Why two? Different cleanup for different scenarios. The first handles JSON/API (returns 401). The second handles full browser cleanup (forget cookies, regenerate CSRF token).</p> <p>Force logout from admin panel = delete the <code>user_sessions</code> row. Next request from that device = instant rejection.</p> <h2> Custom Traits </h2> <h3> HasPagination </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">trait</span> <span class="nc">HasPagination</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">getPaginationData</span><span class="p">(</span><span class="nv">$paginator</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$paginator</span> <span class="k">instanceof</span> <span class="nc">LengthAwarePaginator</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$paginator</span> <span class="k">instanceof</span> <span class="nc">Paginator</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[];</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'current_page'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">currentPage</span><span class="p">(),</span> <span class="s1">'last_page'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">lastPage</span><span class="p">(),</span> <span class="s1">'per_page'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">perPage</span><span class="p">(),</span> <span class="s1">'total'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">total</span><span class="p">(),</span> <span class="s1">'from'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">firstItem</span><span class="p">(),</span> <span class="s1">'to'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">lastItem</span><span class="p">(),</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Used in every controller that lists data. Type-safe - returns empty array if input isn't a paginator. The frontend <code>PagePaginator</code> component expects this exact structure. 15 list views, zero pagination code duplication.</p> <p>Controller usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$paginated</span> <span class="o">=</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$filter</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="nv">$perPage</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">withQueryString</span><span class="p">();</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="s1">'warehouse/Products'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'products'</span> <span class="o">=&gt;</span> <span class="nc">ProductResource</span><span class="o">::</span><span class="nf">collection</span><span class="p">(</span><span class="nv">$paginated</span><span class="p">),</span> <span class="s1">'pagination'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getPaginationData</span><span class="p">(</span><span class="nv">$paginated</span><span class="p">),</span> <span class="p">]);</span> </code></pre> </div> <p><code>.withQueryString()</code> preserves all filter parameters in pagination links.</p> <h3> Filter Auto-Discovery </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">abstract</span> <span class="kd">class</span> <span class="nc">Filter</span> <span class="p">{</span> <span class="k">protected</span> <span class="kt">Builder</span> <span class="nv">$builder</span><span class="p">;</span> <span class="k">protected</span> <span class="kt">Request</span> <span class="nv">$request</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">apply</span><span class="p">(</span><span class="kt">Builder</span> <span class="nv">$builder</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">=</span> <span class="nv">$builder</span><span class="p">;</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">request</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">()</span> <span class="k">as</span> <span class="nv">$name</span> <span class="o">=&gt;</span> <span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nb">method_exists</span><span class="p">(</span><span class="nv">$this</span><span class="p">,</span> <span class="nv">$name</span><span class="p">))</span> <span class="p">{</span> <span class="nb">call_user_func_array</span><span class="p">([</span><span class="nv">$this</span><span class="p">,</span> <span class="nv">$name</span><span class="p">],</span> <span class="p">[</span><span class="nv">$value</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Request param <code>country=DE</code> → calls <code>$filter-&gt;country('DE')</code>. Method exists = filter applied. No routing config. No switch statements. No registration.</p> <p>Concrete example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ContragentsFilter</span> <span class="kd">extends</span> <span class="nc">Filter</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">search_string</span><span class="p">(</span><span class="nv">$value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$words</span> <span class="o">=</span> <span class="nb">preg_split</span><span class="p">(</span><span class="s1">'/\s+/'</span><span class="p">,</span> <span class="nb">trim</span><span class="p">(</span><span class="nv">$value</span><span class="p">));</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="nv">$query</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$words</span><span class="p">)</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$words</span> <span class="k">as</span> <span class="nv">$word</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">whereRaw</span><span class="p">(</span><span class="s1">'LOWER(name) LIKE ?'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'%'</span><span class="mf">.</span><span class="nb">mb_strtolower</span><span class="p">(</span><span class="nv">$word</span><span class="p">)</span><span class="mf">.</span><span class="s1">'%'</span><span class="p">]);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">sort_by</span><span class="p">(</span><span class="nv">$value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$allowed</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'country'</span><span class="p">,</span> <span class="s1">'balance'</span><span class="p">,</span> <span class="s1">'created_at'</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$value</span><span class="p">,</span> <span class="nv">$allowed</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$direction</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">request</span><span class="o">-&gt;</span><span class="nf">input</span><span class="p">(</span><span class="s1">'sort_direction'</span><span class="p">,</span> <span class="s1">'asc'</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="nv">$value</span><span class="p">,</span> <span class="nv">$direction</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'asc'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">starts_with</span><span class="p">(</span><span class="nv">$value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'LIKE'</span><span class="p">,</span> <span class="nv">$value</span> <span class="mf">.</span> <span class="s1">'%'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">country</span><span class="p">(</span><span class="nv">$value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'country'</span><span class="p">,</span> <span class="nv">$value</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Key security: whitelisted sort columns prevent SQL injection. Word-by-word search for partial matching. Alphabetical navigation via <code>starts_with()</code>.</p> <h3> NotificationDataHandler </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">trait</span> <span class="nc">NotificationDataHandler</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">prepareNotificationData</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$validated</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$status</span> <span class="o">=</span> <span class="s1">'draft'</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'code'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'code'</span><span class="p">],</span> <span class="s1">'notification_type'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'notification_type'</span><span class="p">],</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="nv">$status</span><span class="p">,</span> <span class="c1">// Multilingual content</span> <span class="s1">'title'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'en'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'title_en'</span><span class="p">],</span> <span class="s1">'de'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'title_de'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">],</span> <span class="s1">'body'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'en'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'body_en'</span><span class="p">],</span> <span class="s1">'de'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'body_de'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">],</span> <span class="c1">// Recipient filters</span> <span class="s1">'filter_country'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_country'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_sex'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_sex'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_age_from'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_age_from'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_age_to'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_age_to'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_registered'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_registered'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_activity'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_activity'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_email_verified'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_email_verified'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'filter_phone_verified'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'filter_phone_verified'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="c1">// Visibility window</span> <span class="s1">'visible_from'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'visible_from'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'visible_until'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'visible_until'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Notifications in a SaaS can target user segments: users from Germany, aged 25-40, registered this month, with verified email. This trait centralizes data transformation so create and update controllers use the same mapping. No drift between them.</p> <h3> HasUserFilterRules (Companion to NotificationDataHandler) </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">trait</span> <span class="nc">HasUserFilterRules</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">getUserFilterRules</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'filter_country'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="nc">Rule</span><span class="o">::</span><span class="nf">in</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'app.available_countries'</span><span class="p">))],</span> <span class="s1">'filter_sex'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="nc">Rule</span><span class="o">::</span><span class="nf">in</span><span class="p">([</span><span class="s1">'m'</span><span class="p">,</span> <span class="s1">'f'</span><span class="p">])],</span> <span class="s1">'filter_age_from'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="s1">'integer'</span><span class="p">,</span> <span class="s1">'min:16'</span><span class="p">,</span> <span class="s1">'max:100'</span><span class="p">],</span> <span class="s1">'filter_age_to'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="s1">'integer'</span><span class="p">,</span> <span class="s1">'min:16'</span><span class="p">,</span> <span class="s1">'max:100'</span><span class="p">],</span> <span class="s1">'filter_registered'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="nc">Rule</span><span class="o">::</span><span class="nf">in</span><span class="p">([</span><span class="s1">'all'</span><span class="p">,</span> <span class="s1">'today'</span><span class="p">,</span> <span class="s1">'this_month'</span><span class="p">,</span> <span class="s1">'this_year'</span><span class="p">])],</span> <span class="s1">'filter_activity'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="nc">Rule</span><span class="o">::</span><span class="nf">in</span><span class="p">([</span><span class="s1">'recently_active'</span><span class="p">,</span> <span class="s1">'inactive'</span><span class="p">])],</span> <span class="s1">'filter_email_verified'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="s1">'boolean'</span><span class="p">],</span> <span class="s1">'filter_phone_verified'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'nullable'</span><span class="p">,</span> <span class="s1">'boolean'</span><span class="p">],</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Used in Form Requests for notification create/update. Validation rules defined once, shared across endpoints. Country list from config, age range constrained, activity levels enumerated.</p> <h3> LogsActivity (Audit Trail) </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">trait</span> <span class="nc">LogsActivity</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">bootLogsActivity</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">([</span><span class="s1">'created'</span><span class="p">,</span> <span class="s1">'updated'</span><span class="p">,</span> <span class="s1">'deleted'</span><span class="p">]</span> <span class="k">as</span> <span class="nv">$event</span><span class="p">)</span> <span class="p">{</span> <span class="k">static</span><span class="o">::</span><span class="nv">$event</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="nv">$model</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$event</span><span class="p">)</span> <span class="p">{</span> <span class="k">static</span><span class="o">::</span><span class="nf">logModelEvent</span><span class="p">(</span><span class="nv">$model</span><span class="p">,</span> <span class="nv">$event</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">static</span> <span class="k">function</span> <span class="n">logModelEvent</span><span class="p">(</span><span class="nv">$model</span><span class="p">,</span> <span class="nv">$event</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nc">CustomActivity</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'log_name'</span> <span class="o">=&gt;</span> <span class="s1">'model_changes'</span><span class="p">,</span> <span class="s1">'description'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="p">,</span> <span class="s1">'subject_type'</span> <span class="o">=&gt;</span> <span class="nb">get_class</span><span class="p">(</span><span class="nv">$model</span><span class="p">),</span> <span class="s1">'subject_id'</span> <span class="o">=&gt;</span> <span class="nv">$model</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'causer_type'</span> <span class="o">=&gt;</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">()</span> <span class="o">?</span> <span class="nb">get_class</span><span class="p">(</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">())</span> <span class="o">:</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'causer_id'</span> <span class="o">=&gt;</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">id</span><span class="p">(),</span> <span class="s1">'properties'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'old'</span> <span class="o">=&gt;</span> <span class="nv">$event</span> <span class="o">===</span> <span class="s1">'created'</span> <span class="o">?</span> <span class="p">[]</span> <span class="o">:</span> <span class="nv">$model</span><span class="o">-&gt;</span><span class="nf">getOriginal</span><span class="p">(),</span> <span class="s1">'attributes'</span> <span class="o">=&gt;</span> <span class="nv">$model</span><span class="o">-&gt;</span><span class="nf">getDirty</span><span class="p">(),</span> <span class="p">],</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Built on top of Spatie's ActivityLog. Records who changed what, when, and the exact before/after values. Only logs dirty attributes - no noise from unchanged fields. Add <code>use LogsActivity</code> to any model and every create/update/delete gets audit-logged automatically.</p> <h2> How They Work Together </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP Request arrives │ ├── HandleInertiaRequests: share frontend props ├── SetActiveCompanyMiddleware: resolve company context │ └── uses BelongsToCompany trait on models ├── UpdateLastSessionActivity: record timestamp + device ├── SetLocale: detect language ├── EnsureEmailIsVerified: gate check ├── CheckPinLockMiddleware: uses last_activity from step 3 ├── CheckAccessMiddleware: uses company from step 2 ├── CheckSessionExists: validates session in DB │ v Controller runs ├── HasPagination: format pagination data ├── Filter auto-discovery: apply query filters ├── NotificationDataHandler: prepare notification data │ v Model operations ├── BelongsToCompany: automatic tenant isolation ├── HasRolesAndPermissions: permission checks └── LogsActivity: audit trail </code></pre> </div> <p>Middleware handles the request lifecycle. Traits handle the business logic. Each layer independent, each layer tested separately.</p> <h2> Testing </h2> <p>Behavior-driven tests using Pest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Middleware: PIN lock</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'locks session after pin timeout'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">withPinCode</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subMinutes</span><span class="p">(</span><span class="mi">31</span><span class="p">),</span> <span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'pin.enter'</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// Middleware: Access control</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'blocks banned user but allows support tickets'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">blocked</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'user.blocked'</span><span class="p">));</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/tickets'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Middleware: Session validation</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'rejects invalid session with 401 for API'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">getJson</span><span class="p">(</span><span class="s1">'/api/data'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertStatus</span><span class="p">(</span><span class="mi">401</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertJson</span><span class="p">([</span><span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'session_expired'</span><span class="p">]);</span> <span class="p">});</span> <span class="c1">// Trait: Filter auto-discovery</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'filters by country via query param'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Contragent</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'DE'</span><span class="p">,</span> <span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nc">Contragent</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'US'</span><span class="p">,</span> <span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/contragents/customers?country=DE'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'contragents'</span><span class="p">,</span> <span class="mi">1</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// Trait: Pagination</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'returns consistent pagination structure'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Contragent</span><span class="o">::</span><span class="nf">factory</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/contragents/customers?page=2'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'pagination'</span><span class="p">,</span> <span class="k">fn</span> <span class="p">(</span><span class="nv">$p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'current_page'</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'per_page'</span><span class="p">,</span> <span class="mi">20</span><span class="p">)</span> <span class="p">)</span> <span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>No middleware mocking. Real HTTP requests. Assert what users experience. If someone reorders the middleware stack but behavior stays the same - tests pass. If someone removes a middleware - tests catch it.</p> <h2> Design Principles </h2> <ol> <li> <strong>Middleware order is explicit</strong> - documented, tested, justified. Each position depends on what runs before it.</li> <li> <strong>Traits are composable</strong> - <code>BelongsToCompany</code> + <code>HasRolesAndPermissions</code> + <code>LogsActivity</code> on any model = full tenant isolation + RBAC + audit trail.</li> <li> <strong>Security is layered</strong> - Session validation → PIN lock → access control → permission checks. Multiple barriers, not one big gate.</li> <li> <strong>Behavior over implementation</strong> - Tests verify user experience, not internal code paths.</li> <li> <strong>Config over code</strong> - Locale mappings, timeout values, sort whitelists - all configurable without touching logic.</li> </ol> <p><strong>LaraFoundry</strong> is an open-source Laravel SaaS framework, being built in public and extracted from a production CRM/ERP.</p> <ul> <li>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry/blob/main/docs/modules/traits_middlewares.md" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a> </li> <li>Website: <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a> </li> </ul> <h1> laravel #php #saas #middleware #larafoundry </h1> laravel php sass middleware Building a Production Vue Frontend for Multi-Tenant Laravel SaaS with Inertia v2 Dmitry Isaenko Mon, 13 Apr 2026 12:28:11 +0000 https://dev.to/d_isaenko_dev/building-a-production-vue-frontend-for-multi-tenant-laravel-saas-with-inertia-v2-54h1 https://dev.to/d_isaenko_dev/building-a-production-vue-frontend-for-multi-tenant-laravel-saas-with-inertia-v2-54h1 <p>Most Vue + Laravel tutorials stop at "here's how to render a page with Inertia." Real SaaS apps need dynamic layouts per user type, overlay management, pagination that preserves filter state, modals that stack, and all of this without the complexity of a full state management library.</p> <p>I built a complete frontend module for <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP - and I'm extracting it into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel.</p> <p>This post covers the full frontend architecture: layout switching, overlay system, pagination + filters, modal patterns, Inertia wiring, and testing.</p> <h2> The Problem </h2> <p>A multi-tenant SaaS needs more than one layout. In Kohana.io, I needed five:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layout</th> <th>When</th> <th>What it contains</th> </tr> </thead> <tbody> <tr> <td>GuestLayout</td> <td>Not logged in</td> <td>Landing page, login/register modals</td> </tr> <tr> <td>AuthLayout</td> <td>Regular user</td> <td>Full app: header, pullout menus, notifications</td> </tr> <tr> <td>AdminLayout</td> <td>Admin user</td> <td>Admin panel with different navigation</td> </tr> <tr> <td>AuthBlockedLayout</td> <td>Blocked account</td> <td>Limited access, support tickets only</td> </tr> <tr> <td>AuthDeletedLayout</td> <td>Deleted account</td> <td>Minimal UI for data requests</td> </tr> </tbody> </table></div> <p>Each layout has a completely different component tree. Different headers, different pullout menus, different modal systems. And Inertia's persistent layouts mean they stay mounted across page navigations - you can't just swap a CSS class.</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP Request | v HandleInertiaRequests middleware |── visitor_status: 'admin' | 'auth' | 'authBlocked' | 'authDeleted' | 'guest' |── layout: { layoutData, authUserData } (lazy-loaded) |── flash, translations, ziggy, locale, ui_settings | v app.js - createInertiaApp() |── import.meta.glob('./pages/**/*.vue') → code-split pages |── page.layout = page.layout || LayoutSwitcher → default layout |── i18n, ZiggyVue, Head, Link → plugins | v LayoutSwitcher.vue |── reads visitor_status from Inertia props |── renders matching layout component | v AuthLayout / AdminLayout / GuestLayout / etc. |── pullout menus, overlays, modals |── &lt;slot /&gt; → page content </code></pre> </div> <h2> The LayoutSwitcher Pattern </h2> <p>The core of the system is <code>LayoutSwitcher.vue</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">script</span> <span class="na">setup</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">computed</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">usePage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@inertiajs/vue3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AdminLayout</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/layouts/AdminLayout.vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AuthLayout</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/layouts/AuthLayout.vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AuthBlockedLayout</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/layouts/AuthBlockedLayout.vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AuthDeletedLayout</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/layouts/AuthDeletedLayout.vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">GuestLayout</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/layouts/GuestLayout.vue</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">visitorStatus</span> <span class="o">=</span> <span class="nf">computed</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">usePage</span><span class="p">().</span><span class="nx">props</span><span class="p">.</span><span class="nx">visitor_status</span><span class="p">);</span> <span class="nt">&lt;/</span><span class="k">script</span><span class="nt">&gt;</span> <span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;component</span> <span class="na">:is=</span><span class="s">" visitorStatus === 'admin' ? AdminLayout : visitorStatus === 'auth' ? AuthLayout : visitorStatus === 'authBlocked' ? AuthBlockedLayout : visitorStatus === 'authDeleted' ? AuthDeletedLayout : GuestLayout "</span><span class="nt">&gt;</span> <span class="nt">&lt;slot</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/component&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> </code></pre> </div> <p>Under 40 lines. The server determines <code>visitor_status</code> via middleware, and the frontend renders the matching layout. No auth checks in Vue. No route guards. No conditional rendering scattered across components.</p> <p>The assignment happens in <code>app.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resolve</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pages</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nf">glob</span><span class="p">(</span><span class="dl">'</span><span class="s1">./pages/**/*.vue</span><span class="dl">'</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">module</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pages</span><span class="p">[</span><span class="s2">`./pages/</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">.vue`</span><span class="p">]();</span> <span class="kd">let</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">module</span><span class="p">.</span><span class="k">default</span><span class="p">;</span> <span class="nx">page</span><span class="p">.</span><span class="nx">layout</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nx">layout</span> <span class="o">||</span> <span class="nx">LayoutSwitcher</span><span class="p">;</span> <span class="k">return</span> <span class="nx">page</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Every page automatically gets <code>LayoutSwitcher</code> unless it explicitly defines its own layout. Pages don't import layouts. Pages don't know which layout wraps them.</p> <h2> The Overlay System </h2> <p>A production SaaS layout isn't just a header and a sidebar. The authenticated layout in Kohana.io has 7 pullout panels:</p> <ol> <li>Mobile menu (slides from left)</li> <li>Right profile menu (slides from right)</li> <li>Notifications panel</li> <li>Language selector</li> <li>Company switcher</li> <li>Contragent filter drawer</li> <li>Product filter drawer</li> </ol> <p>And they stack. Opening the language selector while the mobile menu is open creates a double overlay - two backdrop layers, independently dismissable.</p> <h3> State Management (No Library) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// AuthLayout.vue - all overlay state</span> <span class="kd">const</span> <span class="nx">viewPulloutMobilemenu</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutMenuRight</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutNotifications</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutMenuChangeLanguage</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutMenuChangeCompany</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutContragentFilter</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutProductFilter</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewOverlay</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewDoubleOverlay</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewModalWrapper</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> </code></pre> </div> <p>Plain reactive refs. No Vuex store. No Pinia. No event bus.</p> <h3> Overlay Logic </h3> <ul> <li>Opening any pullout → shows single overlay + disables body scroll via <code>document.body.classList.add('non-overflow')</code> </li> <li>Opening a second panel on top → shows double overlay</li> <li>ESC key → dismisses top layer first using <code>onKeyStroke</code> from @vueuse/core</li> <li>Clicking backdrop → closes everything</li> <li>CSS transitions: 0.3s for single overlay, 0.1s for double (feels snappy)</li> </ul> <h3> Child Component Communication </h3> <p>Pages deep in the component tree trigger layout overlays via provide/inject:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// AuthLayout.vue (parent)</span> <span class="nf">provide</span><span class="p">(</span><span class="dl">'</span><span class="s1">showPulloutContragentFilter</span><span class="dl">'</span><span class="p">,</span> <span class="nx">showPulloutContragentFilter</span><span class="p">);</span> <span class="nf">provide</span><span class="p">(</span><span class="dl">'</span><span class="s1">showViewContragentModal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">showViewContragentModal</span><span class="p">);</span> <span class="c1">// ContragentsList.vue (child page)</span> <span class="kd">const</span> <span class="nx">showFilter</span> <span class="o">=</span> <span class="nf">inject</span><span class="p">(</span><span class="dl">'</span><span class="s1">showPulloutContragentFilter</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>The page calls <code>showFilter()</code>. The layout handles z-indexes, backdrops, body scroll, and transition timing. Clean separation.</p> <h3> Transition Animations </h3> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.overlay-enter-active</span><span class="o">,</span> <span class="nc">.overlay-leave-active</span> <span class="p">{</span> <span class="nl">transition</span><span class="p">:</span> <span class="n">opacity</span> <span class="m">0.3s</span> <span class="n">ease</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.overlay-enter-from</span><span class="o">,</span> <span class="nc">.overlay-leave-to</span> <span class="p">{</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> <span class="c">/* Pullout menus use GPU-accelerated transforms */</span> <span class="nc">.pullout-menu__left</span> <span class="p">{</span> <span class="py">will-change</span><span class="p">:</span> <span class="n">transform</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">translateZ</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="nl">backface-visibility</span><span class="p">:</span> <span class="nb">hidden</span><span class="p">;</span> <span class="nl">transition</span><span class="p">:</span> <span class="n">transform</span> <span class="m">0.3s</span> <span class="n">ease</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>CSS-only animations. GPU-accelerated for mobile. No JavaScript animation libraries.</p> <h2> Pagination + Filter Architecture </h2> <h3> Backend: HasPagination Trait </h3> <p>Every controller that paginates uses the same trait:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">trait</span> <span class="nc">HasPagination</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">getPaginationData</span><span class="p">(</span><span class="nv">$paginator</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'current_page'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">currentPage</span><span class="p">(),</span> <span class="s1">'last_page'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">lastPage</span><span class="p">(),</span> <span class="s1">'per_page'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">perPage</span><span class="p">(),</span> <span class="s1">'total'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">total</span><span class="p">(),</span> <span class="s1">'from'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">firstItem</span><span class="p">(),</span> <span class="s1">'to'</span> <span class="o">=&gt;</span> <span class="nv">$paginator</span><span class="o">-&gt;</span><span class="nf">lastItem</span><span class="p">(),</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Controller usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$paginated</span> <span class="o">=</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$filter</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="nv">$perPage</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">withQueryString</span><span class="p">();</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="s1">'warehouse/Products'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'products'</span> <span class="o">=&gt;</span> <span class="nc">ProductResource</span><span class="o">::</span><span class="nf">collection</span><span class="p">(</span><span class="nv">$paginated</span><span class="p">),</span> <span class="s1">'pagination'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getPaginationData</span><span class="p">(</span><span class="nv">$paginated</span><span class="p">),</span> <span class="p">]);</span> </code></pre> </div> <p><code>.withQueryString()</code> is critical - it preserves all filter parameters when generating pagination links.</p> <h3> Frontend: PagePaginator Component </h3> <p>The paginator component lives in the layout, not in pages. <code>AppMainContentLayout.vue</code> auto-renders it when pagination data exists:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">isPaginationPresent</span> <span class="o">=</span> <span class="nf">computed</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">total</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">pagination</span><span class="p">?.</span><span class="nx">total</span> <span class="o">??</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">perPage</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">pagination</span><span class="p">?.</span><span class="nx">per_page</span> <span class="o">??</span> <span class="mi">0</span><span class="p">;</span> <span class="k">return</span> <span class="nx">total</span> <span class="o">&gt;</span> <span class="nx">perPage</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>The component rebuilds pagination links while preserving all current query parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">queryString</span> <span class="o">=</span> <span class="nf">computed</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span><span class="p">);</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">page</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">qs</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">toString</span><span class="p">();</span> <span class="k">return</span> <span class="nx">qs</span> <span class="p">?</span> <span class="s2">`&amp;</span><span class="p">${</span><span class="nx">qs</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="dl">''</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// Smart page range: max 7 buttons + ellipsis</span> <span class="kd">const</span> <span class="nx">pages</span> <span class="o">=</span> <span class="nf">computed</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">total</span> <span class="o">=</span> <span class="nx">p</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">last_page</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">current</span> <span class="o">=</span> <span class="nx">p</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">current_page</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">total</span> <span class="o">&lt;=</span> <span class="mi">7</span><span class="p">)</span> <span class="k">return</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="nx">total</span> <span class="p">},</span> <span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">current</span> <span class="o">&lt;=</span> <span class="mi">4</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span><span class="p">,</span> <span class="nx">total</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">current</span> <span class="o">&gt;=</span> <span class="nx">total</span> <span class="o">-</span> <span class="mi">3</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span><span class="p">,</span> <span class="nx">total</span><span class="o">-</span><span class="mi">4</span><span class="p">,</span> <span class="nx">total</span><span class="o">-</span><span class="mi">3</span><span class="p">,</span> <span class="nx">total</span><span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="nx">total</span><span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="nx">total</span><span class="p">];</span> <span class="k">return</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span><span class="p">,</span> <span class="nx">current</span><span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="nx">current</span><span class="p">,</span> <span class="nx">current</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span><span class="p">,</span> <span class="nx">total</span><span class="p">];</span> <span class="p">});</span> </code></pre> </div> <p>Each page button uses Inertia's <code>&lt;Link&gt;</code> for SPA navigation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;Link</span> <span class="na">:href=</span><span class="s">"`?page=${item}&amp;${queryString}`"</span><span class="nt">&gt;</span>{{ item }}<span class="nt">&lt;/Link&gt;</span> </code></pre> </div> <p>Country filter active? Preserved. Sort direction? Preserved. Search query? Preserved. No state management needed.</p> <h3> Filter Auto-Discovery Pattern </h3> <p>The filter system uses method auto-discovery:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">abstract</span> <span class="kd">class</span> <span class="nc">Filter</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">apply</span><span class="p">(</span><span class="kt">Builder</span> <span class="nv">$builder</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span> <span class="o">=</span> <span class="nv">$builder</span><span class="p">;</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">request</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">()</span> <span class="k">as</span> <span class="nv">$name</span> <span class="o">=&gt;</span> <span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nb">method_exists</span><span class="p">(</span><span class="nv">$this</span><span class="p">,</span> <span class="nv">$name</span><span class="p">))</span> <span class="p">{</span> <span class="nb">call_user_func_array</span><span class="p">([</span><span class="nv">$this</span><span class="p">,</span> <span class="nv">$name</span><span class="p">],</span> <span class="p">[</span><span class="nv">$value</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Request parameter <code>country=DE</code> → calls <code>$filter-&gt;country('DE')</code>. No routing config. No switch statements. Method exists = filter applied.</p> <p>Concrete filter example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ContragentsFilter</span> <span class="kd">extends</span> <span class="nc">Filter</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">search_string</span><span class="p">(</span><span class="nv">$value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$words</span> <span class="o">=</span> <span class="nb">preg_split</span><span class="p">(</span><span class="s1">'/\s+/'</span><span class="p">,</span> <span class="nb">trim</span><span class="p">(</span><span class="nv">$value</span><span class="p">));</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="nv">$query</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$words</span><span class="p">)</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$words</span> <span class="k">as</span> <span class="nv">$word</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">whereRaw</span><span class="p">(</span><span class="s1">'LOWER(name) LIKE ?'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'%'</span><span class="mf">.</span><span class="nb">mb_strtolower</span><span class="p">(</span><span class="nv">$word</span><span class="p">)</span><span class="mf">.</span><span class="s1">'%'</span><span class="p">]);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">sort_by</span><span class="p">(</span><span class="nv">$value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$allowed</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'country'</span><span class="p">,</span> <span class="s1">'balance'</span><span class="p">,</span> <span class="s1">'created_at'</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$value</span><span class="p">,</span> <span class="nv">$allowed</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$direction</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">request</span><span class="o">-&gt;</span><span class="nf">input</span><span class="p">(</span><span class="s1">'sort_direction'</span><span class="p">,</span> <span class="s1">'asc'</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="nv">$value</span><span class="p">,</span> <span class="nv">$direction</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">builder</span><span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'asc'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Whitelisted sort columns prevent SQL injection. Word-by-word search matching. Alphabetical navigation via <code>starts_with()</code> method. Quick filter presets for products (<code>min_stock</code>, <code>has_reserved</code>).</p> <h3> Frontend Filter Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Inertia router navigation with state preservation</span> <span class="kd">const</span> <span class="nx">performSearch</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">if </span><span class="p">(</span><span class="nx">filters</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">search</span><span class="p">)</span> <span class="nx">params</span><span class="p">.</span><span class="nx">search_string</span> <span class="o">=</span> <span class="nx">filters</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">filters</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">country</span><span class="p">)</span> <span class="nx">params</span><span class="p">.</span><span class="nx">country</span> <span class="o">=</span> <span class="nx">filters</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">country</span><span class="p">;</span> <span class="c1">// ... all filter params</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="nx">routeName</span><span class="p">.</span><span class="nx">value</span><span class="p">),</span> <span class="nx">params</span><span class="p">,</span> <span class="p">{</span> <span class="na">preserveState</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Component state survives</span> <span class="na">preserveScroll</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Scroll position maintained</span> <span class="na">replace</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Single history entry</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p><code>preserveState: true</code> is the key. Component reactive state persists across Inertia navigations. No need to store filters in a Vuex store or local storage.</p> <h2> Modal &amp; Popup System </h2> <p>LaraFoundry uses a hybrid approach: custom modals for complex interactions, SweetAlert2 for confirmations.</p> <h3> Custom Form Modal (Inertia useForm) </h3> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">script</span> <span class="na">setup</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useForm</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@inertiajs/vue3</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nf">useForm</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">role_id</span><span class="p">:</span> <span class="dl">''</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">submit</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">form</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">my_company.employees.invite</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">preserveScroll</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">onSuccess</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">emit</span><span class="p">(</span><span class="dl">'</span><span class="s1">invited</span><span class="dl">'</span><span class="p">),</span> <span class="p">});</span> <span class="p">};</span> <span class="nt">&lt;/</span><span class="k">script</span><span class="nt">&gt;</span> <span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;Transition</span> <span class="na">name=</span><span class="s">"modal"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"modal-overlay"</span> <span class="err">@</span><span class="na">click.self=</span><span class="s">"emit('close')"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"modal"</span><span class="nt">&gt;</span> <span class="nt">&lt;form</span> <span class="err">@</span><span class="na">submit.prevent=</span><span class="s">"submit"</span><span class="nt">&gt;</span> <span class="nt">&lt;InputField</span> <span class="na">v-model=</span><span class="s">"form.email"</span> <span class="na">:class=</span><span class="s">"</span>{ 'input--error': form.errors.email }" /&gt; <span class="nt">&lt;span</span> <span class="na">v-if=</span><span class="s">"form.errors.email"</span><span class="nt">&gt;</span><span class="si">{{</span> <span class="nx">form</span><span class="p">.</span><span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="si">}}</span><span class="nt">&lt;/span&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">:disabled=</span><span class="s">"form.processing"</span><span class="nt">&gt;</span> <span class="si">{{</span> <span class="nx">form</span><span class="p">.</span><span class="nx">processing</span> <span class="p">?</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Sending...</span><span class="dl">'</span><span class="p">)</span> <span class="p">:</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Send</span><span class="dl">'</span><span class="p">)</span> <span class="si">}}</span> <span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/Transition&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> </code></pre> </div> <p><code>form.processing</code> disables the submit button. <code>form.errors</code> shows server-side validation. <code>onSuccess</code> closes the modal. Three features, zero custom code.</p> <h3> Async Data-Loading Modal </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">loading</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">contragent</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">watch</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">props</span><span class="p">.</span><span class="nx">visible</span><span class="p">,</span> <span class="p">(</span><span class="nx">newVal</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">newVal</span> <span class="o">&amp;&amp;</span> <span class="nx">props</span><span class="p">.</span><span class="nx">contragentUuid</span><span class="p">)</span> <span class="p">{</span> <span class="nf">fetchContragentData</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">fetchContragentData</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">loading</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">contragents.view_data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">contragentUuid</span><span class="p">));</span> <span class="nx">contragent</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">contragent</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">error</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to load data</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nx">loading</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>Data fetched only when modal becomes visible. Loading spinner. Error state. Tabs for different data views. ESC key to close.</p> <h3> SweetAlert2 for Confirmations </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Swal</span><span class="p">.</span><span class="nf">fire</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Remove Employee?</span><span class="dl">'</span><span class="p">),</span> <span class="na">text</span><span class="p">:</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">This action will immediately remove the employee.</span><span class="dl">'</span><span class="p">),</span> <span class="na">icon</span><span class="p">:</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="na">showCancelButton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">confirmButtonColor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">#ef4444</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">isConfirmed</span><span class="p">)</span> <span class="p">{</span> <span class="nx">router</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">my_company.employees.remove</span><span class="dl">'</span><span class="p">,</span> <span class="nx">employee</span><span class="p">.</span><span class="nx">id</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>One await. No custom component. Accessible. Styled.</p> <h3> Layout-Level Modal Orchestration </h3> <p>Generic modals are managed in the layout via provide/inject:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// AuthLayout.vue</span> <span class="kd">const</span> <span class="nx">modal</span> <span class="o">=</span> <span class="nf">reactive</span><span class="p">({</span> <span class="na">view</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Confirm the action</span><span class="dl">'</span><span class="p">),</span> <span class="na">content</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">targetUrl</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">modalType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">confirmable</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nf">provide</span><span class="p">(</span><span class="dl">'</span><span class="s1">showViewContragentModal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">showViewContragentModal</span><span class="p">);</span> </code></pre> </div> <p>Pages inject trigger functions. The layout handles z-indexes, overlay stacking, and transition timing.</p> <h2> Full Inertia Wiring </h2> <h3> Blade Template </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title</span> <span class="na">inertia</span><span class="nt">&gt;</span>{{ config('app.name') }}<span class="nt">&lt;/title&gt;</span> @vite(['resources/js/app.js', 'resources/css/app.css']) @inertiaHead @routes <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> @inertia <span class="nt">&lt;/body&gt;</span> </code></pre> </div> <p><code>@routes</code> dumps Ziggy routes. <code>@inertiaHead</code> enables dynamic head management from Vue. <code>@inertia</code> mounts the SPA.</p> <h3> app.js Entry Point </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">createInertiaApp</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="p">(</span><span class="nx">title</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`</span><span class="p">${</span><span class="nx">title</span><span class="p">}</span><span class="s2"> - </span><span class="p">${</span><span class="nx">appName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">resolve</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pages</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nf">glob</span><span class="p">(</span><span class="dl">'</span><span class="s1">./pages/**/*.vue</span><span class="dl">'</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">module</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pages</span><span class="p">[</span><span class="s2">`./pages/</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">.vue`</span><span class="p">]();</span> <span class="kd">let</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">module</span><span class="p">.</span><span class="k">default</span><span class="p">;</span> <span class="nx">page</span><span class="p">.</span><span class="nx">layout</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nx">layout</span> <span class="o">||</span> <span class="nx">LayoutSwitcher</span><span class="p">;</span> <span class="k">return</span> <span class="nx">page</span><span class="p">;</span> <span class="p">},</span> <span class="nf">setup</span><span class="p">({</span> <span class="nx">el</span><span class="p">,</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">props</span><span class="p">,</span> <span class="nx">plugin</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">i18n</span> <span class="o">=</span> <span class="nf">createI18n</span><span class="p">({</span> <span class="na">legacy</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">locale</span><span class="p">:</span> <span class="nx">pageProps</span><span class="p">.</span><span class="nx">locale</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">en</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">{</span> <span class="p">[</span><span class="nx">locale</span><span class="p">]:</span> <span class="nx">translations</span> <span class="p">},</span> <span class="p">});</span> <span class="nf">createApp</span><span class="p">({</span> <span class="na">render</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">h</span><span class="p">(</span><span class="nx">App</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="p">})</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">plugin</span><span class="p">)</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">i18n</span><span class="p">)</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">ZiggyVue</span><span class="p">)</span> <span class="p">.</span><span class="nf">component</span><span class="p">(</span><span class="dl">'</span><span class="s1">Head</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Head</span><span class="p">)</span> <span class="p">.</span><span class="nf">component</span><span class="p">(</span><span class="dl">'</span><span class="s1">Link</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Link</span><span class="p">)</span> <span class="p">.</span><span class="nf">mount</span><span class="p">(</span><span class="nx">el</span><span class="p">);</span> <span class="c1">// Global translation function</span> <span class="nx">app</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">globalProperties</span><span class="p">.</span><span class="nx">t</span> <span class="o">=</span> <span class="p">(...</span><span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">i18n</span><span class="p">.</span><span class="nb">global</span><span class="p">.</span><span class="nf">t</span><span class="p">(...</span><span class="nx">args</span><span class="p">);</span> <span class="nx">globalThis</span><span class="p">.</span><span class="nx">t</span> <span class="o">=</span> <span class="p">(...</span><span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">i18n</span><span class="p">.</span><span class="nb">global</span><span class="p">.</span><span class="nf">t</span><span class="p">(...</span><span class="nx">args</span><span class="p">);</span> <span class="p">},</span> <span class="na">progress</span><span class="p">:</span> <span class="p">{</span> <span class="na">delay</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">color</span><span class="p">:</span> <span class="dl">'</span><span class="s1">#3b82f6</span><span class="dl">'</span><span class="p">,</span> <span class="na">showSpinner</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Key decisions:</p> <ul> <li> <strong><code>import.meta.glob</code></strong> - Vite code-splits every page. Only the current page is loaded.</li> <li> <strong>Global <code>t()</code> function</strong> - registered on both <code>globalProperties</code> (Options API) and <code>globalThis</code> (Composition API). No imports needed anywhere.</li> <li> <strong>Progress bar delay: 0</strong> - appears immediately on navigation. Users see instant feedback.</li> </ul> <h3> Shared Props (Middleware) </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">share</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'layout'</span> <span class="o">=&gt;</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nv">$layout</span><span class="o">-&gt;</span><span class="nf">getLayout</span><span class="p">(),</span> <span class="c1">// lazy</span> <span class="s1">'flash'</span> <span class="o">=&gt;</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="n">session</span> <span class="n">messages</span><span class="p">,</span> <span class="c1">// lazy</span> <span class="s1">'ziggy'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="mf">...</span><span class="p">(</span><span class="k">new</span> <span class="nc">Ziggy</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toArray</span><span class="p">()],</span> <span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">App</span><span class="o">::</span><span class="nf">getLocale</span><span class="p">(),</span> <span class="s1">'translations'</span> <span class="o">=&gt;</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="n">merged</span> <span class="n">translations</span><span class="p">,</span> <span class="c1">// lazy</span> <span class="s1">'visitor_status'</span> <span class="o">=&gt;</span> <span class="n">visitor</span> <span class="n">status</span> <span class="n">closure</span><span class="p">,</span> <span class="s1">'ui_settings'</span> <span class="o">=&gt;</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="n">user</span> <span class="no">UI</span> <span class="n">preferences</span><span class="p">,</span> <span class="c1">// lazy</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Everything wrapped in closures for lazy evaluation. Layout data is only computed when the frontend reads <code>page.props.layout</code>.</p> <h3> Vite Aliases </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resolve</span><span class="p">:</span> <span class="p">{</span> <span class="nl">alias</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./resources/js</span><span class="dl">'</span><span class="p">),</span> <span class="dl">'</span><span class="s1">@css</span><span class="dl">'</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./resources/css</span><span class="dl">'</span><span class="p">),</span> <span class="dl">'</span><span class="s1">@assets</span><span class="dl">'</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./public/assets</span><span class="dl">'</span><span class="p">),</span> <span class="dl">'</span><span class="s1">ziggy-js</span><span class="dl">'</span><span class="p">:</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">vendor/tightenco/ziggy</span><span class="dl">'</span><span class="p">),</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><code>@/components/PagePaginator.vue</code> instead of relative path chains.</p> <h2> Testing </h2> <p>Frontend behavior is tested through Pest feature tests that assert on Inertia props:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'serves auth layout for authenticated users'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'visitor_status'</span><span class="p">,</span> <span class="s1">'auth'</span><span class="p">)</span> <span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'returns pagination data with filter state'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Product</span><span class="o">::</span><span class="nf">factory</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/warehouse/products?page=2'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'pagination'</span><span class="p">,</span> <span class="k">fn</span> <span class="p">(</span><span class="nv">$p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$p</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'current_page'</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'per_page'</span><span class="p">,</span> <span class="mi">20</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'total'</span><span class="p">,</span> <span class="mi">30</span><span class="p">)</span> <span class="p">)</span> <span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'shares flash messages via Inertia'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="s1">'/contragents'</span><span class="p">,</span> <span class="nv">$validData</span><span class="p">);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/contragents/customers'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'flash.info'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'returns contragent data for view modal'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$contragent</span> <span class="o">=</span> <span class="nc">Contragent</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'contragents.view_data'</span><span class="p">,</span> <span class="nv">$contragent</span><span class="o">-&gt;</span><span class="n">uuid</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">assertJson</span><span class="p">([</span><span class="s1">'contragent'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$contragent</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">]]);</span> <span class="p">});</span> </code></pre> </div> <p>The pattern: test what the server sends. If Inertia props are correct, Vue renders correctly. This covers layout switching, pagination, filters, flash messages, and modal data.</p> <p>For complex interactive components (filter watchers, URL manipulation), unit tests with Vitest would supplement this. But for the majority of frontend behavior, Pest feature tests are sufficient.</p> <h2> Directory Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resources/js/ ├── app.js # Entry point, plugins, LayoutSwitcher default ├── layouts/ │ ├── LayoutSwitcher.vue # Dynamic layout router │ ├── AuthLayout.vue # Authenticated users (7 pullout menus) │ ├── AdminLayout.vue # Admin panel │ ├── GuestLayout.vue # Public + login/register modals │ ├── AuthBlockedLayout.vue # Blocked users │ ├── AuthDeletedLayout.vue # Deleted accounts │ └── app/ # Sub-layout components │ ├── AppHeaderDesktopLayout.vue │ ├── AppMainContentLayout.vue # Wraps content + auto-renders pagination │ ├── AppModalLayout.vue │ ├── AppFooterLayout.vue │ ├── AppPulloutMobilemenuLayout.vue │ ├── AppPulloutMenuRightLayout.vue │ ├── AppPulloutMenuNotificationsLayout.vue │ └── ... (7 more pullout components) ├── pages/ # Inertia pages (auto-resolved) ├── components/ # Reusable components │ ├── PagePaginator.vue │ ├── contragents/ViewContragentModal.vue │ ├── SendTestEmailModal.vue │ └── ui/ # Form inputs, filters, etc. ├── composables/ # Vue composition functions └── store/ └── unreadCountStore.js # Simple ref-based store </code></pre> </div> <h2> What's Included </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Implementation</th> </tr> </thead> <tbody> <tr> <td>Layout switching</td> <td>LayoutSwitcher + visitor_status prop (5 layouts)</td> </tr> <tr> <td>Overlay system</td> <td>7 pullout panels, double-layer stacking, ESC dismissal</td> </tr> <tr> <td>Pagination</td> <td>HasPagination trait + PagePaginator component (auto-render)</td> </tr> <tr> <td>Filters</td> <td>Auto-discovery pattern, alphabetical nav, quick presets</td> </tr> <tr> <td>Modals</td> <td>Custom (useForm, async axios) + SweetAlert2 (confirmations)</td> </tr> <tr> <td>State management</td> <td>Reactive refs + provide/inject (no Vuex/Pinia)</td> </tr> <tr> <td>i18n</td> <td>vue-i18n v11 with Laravel translations, global t()</td> </tr> <tr> <td>Routing</td> <td>Ziggy named routes in Vue templates</td> </tr> <tr> <td>Code splitting</td> <td>Vite import.meta.glob per page</td> </tr> <tr> <td>Testing</td> <td>Pest feature tests asserting Inertia props</td> </tr> </tbody> </table></div> <h2> Key Takeaway </h2> <p>Push complexity to the backend. Vue renders pre-computed data.</p> <p>No permission checks in Vue components. No auth guards. No client-side menu filtering. No state calculations. The server sends exactly what each user type needs. The frontend renders it.</p> <p>The LayoutSwitcher pattern, the overlay system, the pagination auto-rendering, the filter auto-discovery - they all follow the same principle. The backend is the source of truth. The frontend is a rendering engine.</p> <p><strong>LaraFoundry</strong> is an open-source Laravel SaaS framework, being built in public and extracted from a production CRM/ERP.</p> <ul> <li>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry/blob/main/docs/modules/vue_frontend.md" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a> </li> <li><p>Website: <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a></p></li> <li><h1> laravel #vue #inertia #saas #larafoundry </h1></li> </ul> laravel vue inertia saas Building a Dynamic, Permission-Aware Navigation System for Multi-Tenant Laravel SaaS Dmitry Isaenko Mon, 06 Apr 2026 09:02:03 +0000 https://dev.to/d_isaenko_dev/building-a-dynamic-permission-aware-navigation-system-for-multi-tenant-laravel-saas-4n1o https://dev.to/d_isaenko_dev/building-a-dynamic-permission-aware-navigation-system-for-multi-tenant-laravel-saas-4n1o <p>Most SaaS navigation tutorials show you how to render a <code>&lt;nav&gt;</code> with 5 links. Real multi-tenant apps need something very different: menus that change based on who's logged in, what company they're in, and what permissions they have.</p> <p>I built a complete navigation module for <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP - and I'm now extracting it into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel.</p> <p>This post covers the full system: backend menu building, permission filtering, sub-menu routing, the First Allowed Route pattern, frontend rendering (desktop + mobile), and testing.</p> <h2> The Problem </h2> <p>In a multi-tenant SaaS with role-based access, navigation has to solve several problems at once:</p> <ul> <li> <strong>Admins</strong> see a completely different menu than regular users (admin panel vs business modules)</li> <li> <strong>Company owners</strong> see all modules (Orders, Warehouse, Accounting, Production...)</li> <li> <strong>Employees</strong> see only modules they have permissions for</li> <li>Each module has <strong>sub-pages</strong> with potentially different permission requirements</li> <li>When a user <strong>switches companies</strong>, the menu must recalculate</li> <li>The same data must render on <strong>desktop</strong> (two-tier header) and <strong>mobile</strong> (hamburger with collapsible sections)</li> <li>Users should be able to <strong>set a default landing page</strong> </li> <li>There should be <strong>zero 403 pages</strong> - if a user hits a forbidden page, redirect them gracefully</li> </ul> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request | v LayoutController::getLayout() | v LayoutDataService | ├── getNav('upLevel') → Desktop top-level tabs ├── getNav('bottomLevel') → Desktop sub-page tabs ├── getNav('myCompanySidebar') → Company management sidebar ├── getNav('mobile') → Full mobile tree ├── getFirstAllowedRouteName() → Smart redirect target | └── Each method calls: getNavItems($items, $level) └── checkUserAndCompanyPolicy($policyName) ├── Admin → always allowed ├── 'public' → any authenticated user └── else → $user-&gt;hasPermissionTo($policy, $company) | v HandleInertiaRequests (middleware) |── Shares layout data as Inertia prop (lazy-loaded) | v Vue frontend ├── Desktop: two-tier header └── Mobile: hamburger pullout menu </code></pre> </div> <h2> Backend: LayoutDataService </h2> <p>The entire navigation system lives in one service class - <code>LayoutDataService</code>. It handles four distinct navigation contexts from a single source of truth.</p> <h3> Menu Item Structure </h3> <p>Every menu item follows the same shape:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'linkName'</span> <span class="o">=&gt;</span> <span class="nf">__</span><span class="p">(</span><span class="s1">'Orders'</span><span class="p">),</span> <span class="c1">// Translated label</span> <span class="s1">'linkUrl'</span> <span class="o">=&gt;</span> <span class="nf">route</span><span class="p">(</span><span class="s1">'orders.incoming'</span><span class="p">),</span> <span class="c1">// Target URL</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'orders.view'</span><span class="p">,</span> <span class="c1">// Permission slug</span> <span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'orders'</span><span class="p">,</span> <span class="c1">// Route name for matching</span> <span class="s1">'linkIconSvg'</span> <span class="o">=&gt;</span> <span class="s1">'icon_orders.svg'</span><span class="p">,</span> <span class="c1">// Icon file</span> <span class="s1">'isLinkActive'</span> <span class="o">=&gt;</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">currentRouteNamed</span><span class="p">(</span><span class="s1">'orders.*'</span><span class="p">),</span> <span class="s1">'companyItem'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Company-specific item</span> <span class="p">]</span> </code></pre> </div> <h3> Permission Filtering </h3> <p>The core of the system is <code>checkUserAndCompanyPolicy()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">checkUserAndCompanyPolicy</span><span class="p">(</span><span class="nv">$policyName</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="c1">// Admins see everything</span> <span class="k">if</span> <span class="p">(</span><span class="k">self</span><span class="o">::</span><span class="nf">isAdmin</span><span class="p">())</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Empty policy = blocked (security measure)</span> <span class="k">if</span> <span class="p">(</span><span class="k">empty</span><span class="p">(</span><span class="nv">$policyName</span><span class="p">))</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Public items (notifications, support, profile)</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$policyName</span> <span class="o">===</span> <span class="s1">'public'</span><span class="p">)</span> <span class="k">return</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">();</span> <span class="c1">// Company-specific permission check</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">activeCompany</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">isOwnerOf</span><span class="p">(</span><span class="nv">$company</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="nv">$policyName</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This one method handles all three user types. No separate admin menu builder. No role-checking conditionals scattered across the codebase.</p> <h3> Three User Types, Three Menus </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>User type</th> <th>Menu</th> <th>Modules</th> </tr> </thead> <tbody> <tr> <td>Admin</td> <td>Admin panel</td> <td>Users, Companies, Payments, Notifications, Support</td> </tr> <tr> <td>Owner</td> <td>Business modules</td> <td>All 8 modules + company management sidebar</td> </tr> <tr> <td>Employee</td> <td>Filtered business modules</td> <td>Only modules with explicit permissions</td> </tr> </tbody> </table></div> <p>The key design decision: <strong>owners always see all modules, even if their subscription expired.</strong> Subscription blocking is handled at the page level with a separate overlay, not by hiding navigation. This way users know what they're paying for.</p> <h3> Sub-Menu Routing </h3> <p>Clicking "Orders" doesn't go to <code>/orders</code>. It goes to the user's default sub-page for that module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// GetDefaultBottomLevelRouteNameAction</span> <span class="s1">'orders'</span> <span class="o">=&gt;</span> <span class="s1">'orders.incoming'</span><span class="p">,</span> <span class="s1">'warehouse'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.products'</span><span class="p">,</span> <span class="s1">'accounting'</span> <span class="o">=&gt;</span> <span class="s1">'accounting.funds_movement'</span><span class="p">,</span> <span class="s1">'contragents'</span> <span class="o">=&gt;</span> <span class="s1">'contragents.customers'</span><span class="p">,</span> <span class="s1">'production'</span> <span class="o">=&gt;</span> <span class="s1">'production.main_workshop'</span><span class="p">,</span> </code></pre> </div> <p>Sub-routes also have their own permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Warehouse sub-routes</span> <span class="p">[</span> <span class="p">[</span><span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.report'</span><span class="p">,</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.view'</span><span class="p">],</span> <span class="p">[</span><span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.products'</span><span class="p">,</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.view'</span><span class="p">],</span> <span class="p">[</span><span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.consumables'</span><span class="p">,</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.view'</span><span class="p">],</span> <span class="p">[</span><span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.settings'</span><span class="p">,</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.manageCategories'</span><span class="p">],</span> <span class="p">]</span> </code></pre> </div> <p>An employee with <code>warehouse.view</code> but without <code>warehouse.manageCategories</code> will see Products, Consumables, and Report tabs, but not Settings.</p> <h2> The First Allowed Route (FAR) Pattern </h2> <p>This pattern eliminates 403 pages entirely. I covered it in detail in my <a href="https://dev.to/d_isaenko_dev/how-i-built-a-complete-multi-tenancy-system-for-my-laravel-saas-without-spatie-227a">multi-tenancy series</a>, but here's the core:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">getFirstAllowedRouteName</span><span class="p">():</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">self</span><span class="o">::</span><span class="nf">isAdmin</span><span class="p">())</span> <span class="k">return</span> <span class="s1">'admin.dashboard.index'</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">authUserData</span><span class="o">-&gt;</span><span class="nf">hasUserCompanyOrRole</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'notifications.index'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check user's saved default route</span> <span class="nv">$saved</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getDefaultRouteForActiveCompany</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$saved</span> <span class="o">&amp;&amp;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isBottomLevelRouteAccessible</span><span class="p">(</span><span class="nv">$saved</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$saved</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Walk the menu, find first accessible page</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getNavUpLevelItemsArray</span><span class="p">()</span> <span class="k">as</span> <span class="nv">$item</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$item</span><span class="p">[</span><span class="s1">'unvisibly'</span><span class="p">]))</span> <span class="k">continue</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkUserAndCompanyPolicy</span><span class="p">(</span><span class="nv">$item</span><span class="p">[</span><span class="s1">'policyName'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$route</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getFirstAllowedBottomLevelRoute</span><span class="p">(</span><span class="nv">$item</span><span class="p">[</span><span class="s1">'routeName'</span><span class="p">]);</span> <span class="k">return</span> <span class="nv">$route</span> <span class="o">??</span> <span class="nv">$item</span><span class="p">[</span><span class="s1">'routeName'</span><span class="p">];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="s1">'notifications.index'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This handles four critical scenarios:</p> <ol> <li> <strong>After login</strong> - where should the user land?</li> <li> <strong>After 403</strong> - redirect instead of showing error page</li> <li> <strong>After company switch</strong> - permissions may differ</li> <li> <strong>Home link</strong> - always points to an accessible page</li> </ol> <p>The 403 exception handler ties it all together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// bootstrap/app.php</span> <span class="nv">$exceptions</span><span class="o">-&gt;</span><span class="nf">renderable</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="kt">AccessDeniedHttpException</span> <span class="nv">$e</span><span class="p">,</span> <span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$layoutService</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">LayoutDataService</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="nv">$layoutService</span><span class="o">-&gt;</span><span class="nf">getFirstAllowedRouteName</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">with</span><span class="p">(</span><span class="s1">'message-disappear-error'</span><span class="p">,</span> <span class="nf">__</span><span class="p">(</span><span class="s1">'You do not have permission to access this page'</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <h3> User-Configurable Default Page </h3> <p>Users can set their preferred landing page in profile settings. It's stored per company in the <code>company_user</code> pivot table. If permissions change and that page becomes inaccessible, the system clears the default automatically and shows a warning.</p> <h2> Data Flow to Frontend </h2> <p><code>LayoutController::getLayout()</code> returns everything the frontend needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'layoutData'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'homeRoute'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getFirstAllowedRoute</span><span class="p">(),</span> <span class="s1">'navDesktopUpLevel'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getNav</span><span class="p">(</span><span class="s1">'upLevel'</span><span class="p">),</span> <span class="s1">'navDesktopBottomLevel'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getNav</span><span class="p">(</span><span class="s1">'bottomLevel'</span><span class="p">),</span> <span class="s1">'navDesktopMycompanySidebar'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getNav</span><span class="p">(</span><span class="s1">'myCompanySidebar'</span><span class="p">),</span> <span class="s1">'navMobile'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getNav</span><span class="p">(</span><span class="s1">'mobile'</span><span class="p">),</span> <span class="s1">'defaultRoute'</span> <span class="o">=&gt;</span> <span class="nv">$savedDefaultRoute</span><span class="p">,</span> <span class="s1">'breadcrumbsString'</span> <span class="o">=&gt;</span> <span class="nv">$breadcrumbs</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'authUserData'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'currentCompanyName'</span> <span class="o">=&gt;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'currentRole'</span> <span class="o">=&gt;</span> <span class="nv">$role</span><span class="o">-&gt;</span><span class="n">slug</span><span class="p">,</span> <span class="s1">'isAuthUserOwnerOfCurrentCompany'</span> <span class="o">=&gt;</span> <span class="nv">$isOwner</span><span class="p">,</span> <span class="c1">// ... 15+ more fields</span> <span class="p">]</span> <span class="p">]</span> </code></pre> </div> <p>This is shared via <code>HandleInertiaRequests</code> middleware as a lazy-loaded prop. One request, all navigation data included. Zero extra API calls.</p> <h2> Frontend: Desktop Navigation </h2> <p>The desktop layout uses a two-tier header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Top: module tabs --&gt;</span> <span class="nt">&lt;nav</span> <span class="na">class=</span><span class="s">"header-nav"</span><span class="nt">&gt;</span> <span class="nt">&lt;Link</span> <span class="na">v-for=</span><span class="s">"item in layoutData.navDesktopUpLevel"</span> <span class="na">:key=</span><span class="s">"item.routeName"</span> <span class="na">:href=</span><span class="s">"item.linkUrl"</span> <span class="na">:class=</span><span class="s">"</span>{ 'header-nav__link--active': item.linkActive }"&gt; <span class="si">{{</span> <span class="nx">item</span><span class="p">.</span><span class="nx">linkName</span> <span class="si">}}</span> <span class="nt">&lt;/Link&gt;</span> <span class="nt">&lt;/nav&gt;</span> <span class="c">&lt;!-- Bottom: sub-pages for current module --&gt;</span> <span class="nt">&lt;nav</span> <span class="na">class=</span><span class="s">"header-nav-bottom"</span><span class="nt">&gt;</span> <span class="nt">&lt;Link</span> <span class="na">v-for=</span><span class="s">"item in layoutData.navDesktopBottomLevel"</span> <span class="na">:key=</span><span class="s">"item.routeName"</span> <span class="na">:href=</span><span class="s">"item.linkUrl"</span> <span class="na">:class=</span><span class="s">"</span>{ 'header-nav__link--active': item.linkActive }"&gt; <span class="si">{{</span> <span class="nx">item</span><span class="p">.</span><span class="nx">linkName</span> <span class="si">}}</span> <span class="nt">&lt;/Link&gt;</span> <span class="nt">&lt;/nav&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> </code></pre> </div> <p>Active states are computed server-side via <code>Route::currentRouteNamed()</code>. The frontend doesn't need to match URLs or check permissions - it's all in the data.</p> <h2> Frontend: Mobile Navigation </h2> <p>Mobile gets a completely different data structure. <code>navMobile</code> is a hierarchical tree:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">[</span> <span class="p">{</span> <span class="na">linkName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Orders</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/orders/incoming</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkActive</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">linkIconUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/icons/icon_orders.svg</span><span class="dl">"</span><span class="p">,</span> <span class="na">child</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">linkName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Report</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/orders/report</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkActive</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">{</span> <span class="na">linkName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Incoming</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/orders/incoming</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">linkName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Outgoing</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/orders/outgoing</span><span class="dl">"</span><span class="p">,</span> <span class="na">linkActive</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> </code></pre> </div> <p>The mobile menu is a slide-out pullout from the left, built with CSS transitions and GPU acceleration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.pullout-menu__left</span> <span class="p">{</span> <span class="py">will-change</span><span class="p">:</span> <span class="n">transform</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">translateZ</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="nl">backface-visibility</span><span class="p">:</span> <span class="nb">hidden</span><span class="p">;</span> <span class="nl">transition</span><span class="p">:</span> <span class="n">transform</span> <span class="m">0.3s</span> <span class="n">ease</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>It has a settings mode toggle where users can select their default landing page via radio buttons. This fires a PUT request to the backend.</p> <p><strong>Responsive strategy:</strong> Mobile-first with Custom SCSS breakpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"lg:hidden"</span><span class="nt">&gt;</span><span class="c">&lt;!-- Mobile menu --&gt;</span><span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"hidden lg:flex"</span><span class="nt">&gt;</span><span class="c">&lt;!-- Desktop menu --&gt;</span><span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Right-Side Pullout </h3> <p>A separate right pullout handles user profile, company info, language selection, and quick actions. On mobile it slides from the right. On ultra-wide screens (2xl+) it drops from the top.</p> <h3> State Management </h3> <p>No Vuex. No Pinia. Navigation state is managed with reactive refs in the layout component:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">viewPulloutMobilemenu</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewPulloutMenuRight</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">viewOverlay</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> </code></pre> </div> <p>Child components communicate via emits. Overlays use CSS transitions with JS cleanup timeouts.</p> <h2> Testing </h2> <p>Navigation is authorization. If the menu is wrong, security is wrong.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'shows all modules to company owner'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$owner</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">owner</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$owner</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'layout.layoutData.navDesktopUpLevel'</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'hides modules without permission from employee'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$employee</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">employee</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">grantPermission</span><span class="p">(</span><span class="nv">$employee</span><span class="p">,</span> <span class="s1">'orders.view'</span><span class="p">);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$employee</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/orders/incoming'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'layout.layoutData.navDesktopUpLevel'</span><span class="p">,</span> <span class="k">fn</span> <span class="p">(</span><span class="nv">$nav</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">collect</span><span class="p">(</span><span class="nv">$nav</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'routeName'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">contains</span><span class="p">(</span><span class="s1">'orders'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nf">collect</span><span class="p">(</span><span class="nv">$nav</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'routeName'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">contains</span><span class="p">(</span><span class="s1">'warehouse'</span><span class="p">)</span> <span class="p">)</span> <span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'redirects to first allowed route when default is revoked'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$employee</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">employee</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">setDefaultRoute</span><span class="p">(</span><span class="s1">'warehouse.products'</span><span class="p">);</span> <span class="nf">revokePermission</span><span class="p">(</span><span class="nv">$employee</span><span class="p">,</span> <span class="s1">'warehouse.view'</span><span class="p">);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$employee</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'orders.incoming'</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>Test coverage includes:</p> <ul> <li>Admin menu isolation</li> <li>Owner sees all 8 modules</li> <li>Employee sees only permitted modules</li> <li>Sub-level permission filtering (warehouse.view vs warehouse.manageCategories)</li> <li>Default route save/clear/fallback</li> <li>Company switch recalculation</li> <li>Mobile menu tree consistency</li> <li>Hidden items (notifications, support) remain accessible via URL</li> </ul> <h2> What's Included </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Menu building</td> <td>Dynamic per-request via LayoutDataService</td> </tr> <tr> <td>User types</td> <td>Admin, Owner, Employee - distinct menus</td> </tr> <tr> <td>Permissions</td> <td>Module-level + sub-page-level filtering</td> </tr> <tr> <td>FAR pattern</td> <td>Zero 403 pages, smart redirects</td> </tr> <tr> <td>Default pages</td> <td>User-configurable per company</td> </tr> <tr> <td>Desktop</td> <td>Two-tier header (modules + sub-pages)</td> </tr> <tr> <td>Mobile</td> <td>Hamburger with collapsible parent/child</td> </tr> <tr> <td>Transitions</td> <td>GPU-accelerated CSS (will-change, translateZ)</td> </tr> <tr> <td>i18n</td> <td>All labels translated via __()</td> </tr> <tr> <td>Testing</td> <td>Pest tests for all user types and edge cases</td> </tr> </tbody> </table></div> <h2> Key Takeaway </h2> <p>Push complexity to the backend. The frontend should render data, not compute it. LaraFoundry's Vue components don't check permissions, don't calculate active states, don't filter menu items. They receive clean, pre-filtered arrays and render them. That's it.</p> <p>One service class. One source of truth. The menu, the permissions, and the routing all share the same data. Change a permission - the menu updates. Add a module - add an entry to the items array. No config files to sync. No database tables to maintain.</p> <p><strong>LaraFoundry</strong> is an open-source Laravel SaaS framework, being built in public and extracted from a production CRM/ERP.</p> <ul> <li>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry/blob/main/docs/modules/navigation.md" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a> </li> <li>Website: <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a> </li> </ul> laravel vue sass navigation Building a Production-Grade Multilanguage System for Laravel SaaS (with Inertia + Vue) Dmitry Isaenko Mon, 30 Mar 2026 10:41:29 +0000 https://dev.to/d_isaenko_dev/building-a-production-grade-multilanguage-system-for-laravel-saas-with-inertia-vue-2b3h https://dev.to/d_isaenko_dev/building-a-production-grade-multilanguage-system-for-laravel-saas-with-inertia-vue-2b3h <p>Most Laravel tutorials on i18n stop at "use <code>__()</code> helper and create translation files." That's maybe 10% of what a real SaaS application needs. What about automatic language detection? What about passing 1700+ translation strings to a Vue frontend without extra API calls? What about translating user-generated content?</p> <p>I built all of this for <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP system - and I'm now extracting it into <strong>LaraFoundry</strong>, an open-source SaaS framework for Laravel.</p> <p>This post covers the complete Multilanguage module: backend, frontend, translation APIs, and testing.</p> <h2> The Problem </h2> <p>Every SaaS boilerplate handles i18n the same way: "We support it. Here's a <code>__()</code> function. Good luck."</p> <p>But in production you need answers to:</p> <ul> <li>How do you detect a user's preferred language before they've even signed up?</li> <li>Where do you persist that preference across sessions, devices, and auth states?</li> <li>How do you efficiently pass translations to a JavaScript frontend?</li> <li>What about translating actual user content, not just UI labels?</li> </ul> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request | v SetLocale Middleware |-- Check user.locale (DB) |-- Check session |-- Check browser Accept-Language |-- Check IP geolocation (ip-api.com) |-- Fall back to default 'en' | v app()-&gt;setLocale($locale) | v HandleInertiaRequests |-- Load lang/{locale}.json |-- Load lang/{locale}/*.php |-- Pass as Inertia shared props | v Vue + vue-i18n |-- Global t() function |-- Language switcher component </code></pre> </div> <h2> Backend: The Locale Detection Chain </h2> <p>The core of the system is the <code>SetLocale</code> middleware. It runs on every request and uses a 5-step fallback chain.</p> <h3> For Authenticated Users </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Http/Middleware/SetLocale.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">())</span> <span class="p">{</span> <span class="c1">// Step 1: User's saved preference</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">locale</span><span class="p">;</span> <span class="c1">// Step 2: Session</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$locale</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="nf">session</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 3: Browser Accept-Language</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$locale</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">detectFromBrowser</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Step 4: IP Geolocation</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$locale</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">detectFromIp</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">());</span> <span class="p">}</span> <span class="c1">// Step 5: Default</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="nv">$locale</span> <span class="o">?:</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.locale'</span><span class="p">);</span> <span class="c1">// Persist</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="nv">$locale</span><span class="p">]);</span> <span class="nf">session</span><span class="p">([</span><span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="nv">$locale</span><span class="p">]);</span> <span class="p">}</span> <span class="nf">app</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">setLocale</span><span class="p">(</span><span class="nv">$locale</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> For Guest Users </h3> <p>Guests follow a similar chain but persist to a cookie instead of the database:</p> <ol> <li>Check <code>locale</code> cookie (set for 10 years after first detection)</li> <li>Session</li> <li>Browser language</li> <li>IP geolocation</li> <li>Default</li> </ol> <p>The IP geolocation calls <code>ip-api.com</code> to detect the visitor's country, then maps it via config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// config/app.php</span> <span class="s1">'country_locale_map'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'US'</span> <span class="o">=&gt;</span> <span class="s1">'en'</span><span class="p">,</span> <span class="s1">'GB'</span> <span class="o">=&gt;</span> <span class="s1">'en'</span><span class="p">,</span> <span class="s1">'UA'</span> <span class="o">=&gt;</span> <span class="s1">'uk'</span><span class="p">,</span> <span class="s1">'RU'</span> <span class="o">=&gt;</span> <span class="s1">'ru'</span><span class="p">,</span> <span class="s1">'PL'</span> <span class="o">=&gt;</span> <span class="s1">'pl'</span><span class="p">,</span> <span class="s1">'DE'</span> <span class="o">=&gt;</span> <span class="s1">'de'</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'browser_locale_map'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'en'</span> <span class="o">=&gt;</span> <span class="s1">'en'</span><span class="p">,</span> <span class="s1">'uk'</span> <span class="o">=&gt;</span> <span class="s1">'uk'</span><span class="p">,</span> <span class="s1">'ru'</span> <span class="o">=&gt;</span> <span class="s1">'ru'</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <h3> Language Switching </h3> <p>Manual language switching is a simple controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Http/Controllers/LanguageController.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">languageSwitch</span><span class="p">(</span><span class="nv">$locale</span> <span class="o">=</span> <span class="s1">'en'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="nv">$locale</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.available_languages'</span><span class="p">)))</span> <span class="p">{</span> <span class="nf">app</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">setLocale</span><span class="p">(</span><span class="nv">$locale</span><span class="p">);</span> <span class="nc">Session</span><span class="o">::</span><span class="nf">put</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">,</span> <span class="nv">$locale</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">())</span> <span class="p">{</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="nv">$locale</span><span class="p">]);</span> <span class="p">}</span> <span class="nc">Cookie</span><span class="o">::</span><span class="nf">queue</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">,</span> <span class="nv">$locale</span><span class="p">,</span> <span class="mi">525600</span><span class="p">);</span> <span class="c1">// 1 year</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">back</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>Exposed via a single route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/language_switch/{locale?}'</span><span class="p">,</span> <span class="p">[</span><span class="nc">LanguageController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'languageSwitch'</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'language_switch'</span><span class="p">);</span> </code></pre> </div> <h2> Translation Files Structure </h2> <p>LaraFoundry uses two formats:</p> <p><strong>JSON files</strong> for UI strings (the bulk of translations):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">lang/</span> <span class="s">en.json -&gt; {} (empty - English keys are the strings)</span> <span class="s">uk.json -&gt; 1700+ key-value pairs</span> <span class="s">pl.json -&gt; Polish translations</span> <span class="s">de.json -&gt; German translations</span> </code></pre> </div> <p><strong>PHP array files</strong> for framework-specific strings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">lang/</span> <span class="s">en/</span> <span class="s">auth.php</span> <span class="s">validation.php</span> <span class="s">pagination.php</span> <span class="s">passwords.php</span> <span class="s">uk/</span> <span class="s">auth.php</span> <span class="s">validation.php</span> <span class="s">...</span> </code></pre> </div> <p>The empty <code>en.json</code> is intentional. English strings serve as their own keys. <code>t('Dashboard')</code> returns <code>'Dashboard'</code> for English users with no translation file needed. This means adding a new string to the app requires zero changes to translation files for the default language.</p> <h2> Frontend: Laravel to Vue via Inertia </h2> <p>This is where it gets interesting. No extra API calls, no lazy loading of translations - they travel with every Inertia response.</p> <h3> Sharing Translations via Inertia Props </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Http/Middleware/HandleInertiaRequests.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">share</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="c1">// ...</span> <span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">App</span><span class="o">::</span><span class="nf">getLocale</span><span class="p">(),</span> <span class="s1">'translations'</span> <span class="o">=&gt;</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$locale</span> <span class="o">=</span> <span class="nc">App</span><span class="o">::</span><span class="nf">getLocale</span><span class="p">();</span> <span class="nv">$data</span> <span class="o">=</span> <span class="p">[];</span> <span class="c1">// Load JSON translations</span> <span class="nv">$jsonPath</span> <span class="o">=</span> <span class="nf">base_path</span><span class="p">(</span><span class="s2">"lang/</span><span class="si">{</span><span class="nv">$locale</span><span class="si">}</span><span class="s2">.json"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nc">File</span><span class="o">::</span><span class="nf">exists</span><span class="p">(</span><span class="nv">$jsonPath</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$data</span> <span class="o">=</span> <span class="nb">array_merge</span><span class="p">(</span><span class="nv">$data</span><span class="p">,</span> <span class="nb">json_decode</span><span class="p">(</span><span class="nc">File</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="nv">$jsonPath</span><span class="p">),</span> <span class="kc">true</span><span class="p">)</span> <span class="o">??</span> <span class="p">[]</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Load PHP array translations</span> <span class="nv">$dir</span> <span class="o">=</span> <span class="nf">base_path</span><span class="p">(</span><span class="s2">"lang/</span><span class="si">{</span><span class="nv">$locale</span><span class="si">}</span><span class="s2">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nc">File</span><span class="o">::</span><span class="nf">exists</span><span class="p">(</span><span class="nv">$dir</span><span class="p">))</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nc">File</span><span class="o">::</span><span class="nf">files</span><span class="p">(</span><span class="nv">$dir</span><span class="p">)</span> <span class="k">as</span> <span class="nv">$file</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$name</span> <span class="o">=</span> <span class="nb">pathinfo</span><span class="p">(</span><span class="nv">$file</span><span class="p">,</span> <span class="no">PATHINFO_FILENAME</span><span class="p">);</span> <span class="nv">$data</span><span class="p">[</span><span class="nv">$name</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Lang</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="nv">$name</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$data</span><span class="p">;</span> <span class="p">},</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <h3> Vue i18n Setup </h3> <p>In <code>app.js</code>, vue-i18n is initialized with the translations from Inertia props:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createI18n</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vue-i18n</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">locale</span> <span class="o">=</span> <span class="nx">pageProps</span><span class="p">.</span><span class="nx">locale</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">en</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">translations</span> <span class="o">=</span> <span class="nx">pageProps</span><span class="p">.</span><span class="nx">translations</span> <span class="o">||</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">i18n</span> <span class="o">=</span> <span class="nf">createI18n</span><span class="p">({</span> <span class="na">legacy</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">locale</span><span class="p">,</span> <span class="na">fallbackLocale</span><span class="p">:</span> <span class="dl">'</span><span class="s1">en</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">{</span> <span class="p">[</span><span class="nx">locale</span><span class="p">]:</span> <span class="nx">translations</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">createApp</span><span class="p">({</span> <span class="na">render</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">h</span><span class="p">(</span><span class="nx">App</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="p">})</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">plugin</span><span class="p">)</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">i18n</span><span class="p">)</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">ZiggyVue</span><span class="p">);</span> <span class="c1">// Global t() - no imports needed anywhere</span> <span class="nx">app</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">globalProperties</span><span class="p">.</span><span class="nx">t</span> <span class="o">=</span> <span class="p">(...</span><span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">i18n</span><span class="p">.</span><span class="nb">global</span><span class="p">.</span><span class="nf">t</span><span class="p">(...</span><span class="nx">args</span><span class="p">);</span> <span class="nx">globalThis</span><span class="p">.</span><span class="nx">t</span> <span class="o">=</span> <span class="p">(...</span><span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">i18n</span><span class="p">.</span><span class="nb">global</span><span class="p">.</span><span class="nf">t</span><span class="p">(...</span><span class="nx">args</span><span class="p">);</span> </code></pre> </div> <h3> Using Translations in Components </h3> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span><span class="si">{{</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="si">}}</span><span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span><span class="si">{{</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Welcome back</span><span class="dl">'</span><span class="p">)</span> <span class="si">}}</span><span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;button&gt;</span><span class="si">{{</span> <span class="nf">t</span><span class="p">(</span><span class="dl">'</span><span class="s1">Save changes</span><span class="dl">'</span><span class="p">)</span> <span class="si">}}</span><span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> </code></pre> </div> <p>No imports. No <code>useI18n()</code>. No composables. Just <code>t()</code> and it works everywhere.</p> <h3> Language Switcher Component </h3> <p>The language switcher gets its data from Inertia layout props:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-for=</span><span class="s">"lang in availableLanguages"</span> <span class="na">:key=</span><span class="s">"lang.locale"</span><span class="nt">&gt;</span> <span class="nt">&lt;img</span> <span class="na">:src=</span><span class="s">"lang.flagUrl"</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-if=</span><span class="s">"lang.locale === currentLocale"</span> <span class="na">class=</span><span class="s">"active-lang"</span><span class="nt">&gt;</span> <span class="si">{{</span> <span class="nx">lang</span><span class="p">.</span><span class="nx">title</span> <span class="si">}}</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;a</span> <span class="na">v-else</span> <span class="na">:href=</span><span class="s">"lang.routeUrl"</span><span class="nt">&gt;</span> <span class="si">{{</span> <span class="nx">lang</span><span class="p">.</span><span class="nx">title</span> <span class="si">}}</span> <span class="nt">&lt;/a&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> </code></pre> </div> <p>The backend provides everything the component needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Services/LayoutDataService.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getAvailableLanguages</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">collect</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'app.available_languages'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$title</span><span class="p">,</span> <span class="nv">$locale</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'title'</span> <span class="o">=&gt;</span> <span class="nv">$title</span><span class="p">,</span> <span class="s1">'shortTitle'</span> <span class="o">=&gt;</span> <span class="nv">$locale</span><span class="p">,</span> <span class="s1">'flagUrl'</span> <span class="o">=&gt;</span> <span class="nf">url</span><span class="p">(</span><span class="s2">"/icons/flag-</span><span class="si">{</span><span class="nv">$locale</span><span class="si">}</span><span class="s2">-icon.png"</span><span class="p">),</span> <span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="nv">$locale</span><span class="p">,</span> <span class="s1">'routeUrl'</span> <span class="o">=&gt;</span> <span class="nf">route</span><span class="p">(</span><span class="s1">'language_switch'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="nv">$locale</span><span class="p">]),</span> <span class="p">])</span><span class="o">-&gt;</span><span class="nf">toArray</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Bonus: Pluggable Translation API </h2> <p>Beyond UI translations, LaraFoundry includes a translation service for user-generated content. Two providers out of the box:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Contracts/Translator.php</span> <span class="kd">interface</span> <span class="nc">Translator</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">translateText</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$text</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$from</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$to</span><span class="p">):</span> <span class="kt">array</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getSupportedLanguages</span><span class="p">():</span> <span class="kt">array</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isLanguageSupported</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$code</span><span class="p">):</span> <span class="kt">bool</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getUsageInfo</span><span class="p">():</span> <span class="kt">?array</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Implementations: <code>DeepLTranslator</code> and <code>GoogleTranslator</code>. Swap via environment variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'translator_default'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'TRANSLATION_SERVICE'</span><span class="p">,</span> <span class="s1">'deepl'</span><span class="p">),</span> </code></pre> </div> <p>REST endpoints included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="no">POST</span> <span class="o">/</span><span class="n">translate</span> <span class="o">-</span> <span class="n">translate</span> <span class="n">text</span> <span class="no">GET</span> <span class="o">/</span><span class="n">translate</span><span class="o">/</span><span class="n">usage</span> <span class="o">-</span> <span class="n">check</span> <span class="no">API</span> <span class="n">quota</span> <span class="no">GET</span> <span class="o">/</span><span class="n">translate</span><span class="o">/</span><span class="n">languages</span> <span class="o">-</span> <span class="k">list</span> <span class="n">supported</span> <span class="n">languages</span> </code></pre> </div> <h2> Testing </h2> <p>The multilanguage module has comprehensive test coverage using Pest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'detects locale from user profile'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="s1">'uk'</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nf">app</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getLocale</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="s1">'uk'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'switches language and persists to database'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="s1">'en'</span><span class="p">]);</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/language_switch/uk'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">fresh</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">locale</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="s1">'uk'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'ignores unsupported locale'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/language_switch/xx'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">fresh</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">locale</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="s1">'en'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Test coverage includes:</p> <ul> <li>All 5 detection fallback levels for both auth and guest</li> <li>Language switching with DB, session, and cookie persistence</li> <li>Translation loading and merging (JSON + PHP)</li> <li>Invalid/unsupported locale handling</li> <li>Mocked DeepL and Google Translate API responses</li> <li>Inertia props validation (locale + translations present)</li> </ul> <h2> What's Included </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Languages</td> <td>EN, UK, PL, DE (2 active, 2 ready)</td> </tr> <tr> <td>Detection</td> <td>Browser + IP geolocation + fallback chain</td> </tr> <tr> <td>Persistence</td> <td>DB (auth) + Cookie (guest) + Session</td> </tr> <tr> <td>Frontend</td> <td>vue-i18n v3 + global t() + Inertia props</td> </tr> <tr> <td>Translation files</td> <td>JSON (UI) + PHP arrays (framework)</td> </tr> <tr> <td>Content translation</td> <td>DeepL + Google Translate API</td> </tr> <tr> <td>UI</td> <td>Language switcher with flags (auth + guest)</td> </tr> <tr> <td>Testing</td> <td>Pest tests for all detection paths</td> </tr> </tbody> </table></div> <h2> Wrapping Up </h2> <p>Most SaaS i18n implementations are either too simple (just <code>__()</code>) or too complex (dedicated translation management services, CDN-hosted locale files, runtime language switching via WebSockets).</p> <p>LaraFoundry's approach sits in the middle: comprehensive enough for production, simple enough to understand in 30 minutes. The entire system is ~10 files and zero external dependencies beyond <code>vue-i18n</code>.</p> <p>If you're building a SaaS with Laravel + Inertia + Vue and need multilanguage support, this module gives you everything you need.</p> <p><strong>LaraFoundry</strong> is an open-source Laravel SaaS framework, being built in public and extracted from a production CRM/ERP.</p> <ul> <li>GitHub: <a href="https://github.com/dmitryisaenko/larafoundry/blob/main/docs/modules/multilanguage.md" rel="noopener noreferrer">github.com/dmitryisaenko/larafoundry</a> </li> <li>Website: <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a> </li> </ul> <h1> laravel #vue #i18n #saas #larafoundry </h1> laravel vue i18n saas How I Built a Production-Grade Activity Logging System for a Laravel SaaS (Event-Driven, Zero Manual Calls) Dmitry Isaenko Mon, 23 Mar 2026 09:44:53 +0000 https://dev.to/d_isaenko_dev/how-i-built-a-production-grade-activity-logging-system-for-a-laravel-saas-event-driven-zero-27e https://dev.to/d_isaenko_dev/how-i-built-a-production-grade-activity-logging-system-for-a-laravel-saas-event-driven-zero-27e <h2> Introduction </h2> <p>"We'll add logging later."</p> <p>Every developer has said it. Few actually go back and do it properly. And when they do, it's usually after something breaks in production and nobody can figure out what happened.</p> <p>When I started building <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a> - a production CRM/ERP system - I decided logging would be a Day 1 feature. Not a nice-to-have. Not a "sprint 47" backlog item.</p> <p>Now I'm extracting the core of Kohana into <a href="https://larafoundry.com" rel="noopener noreferrer">LaraFoundry</a> - a reusable SaaS engine. And the logging module is one of the most important pieces.</p> <p>In this article, I'll walk through the complete architecture: the event-driven approach, device fingerprinting, async geolocation, multi-channel notifications, and the admin UI that makes it all actionable.</p> <h2> The Problem with Manual Logging </h2> <p>Most logging in Laravel apps looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Scattered across 40 controllers</span> <span class="nc">Log</span><span class="o">::</span><span class="nf">info</span><span class="p">(</span><span class="s1">'User logged in'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nc">Log</span><span class="o">::</span><span class="nf">info</span><span class="p">(</span><span class="s1">'Product created'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'product_id'</span> <span class="o">=&gt;</span> <span class="nv">$product</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nc">Log</span><span class="o">::</span><span class="nf">warning</span><span class="p">(</span><span class="s1">'Login failed'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$email</span><span class="p">]);</span> </code></pre> </div> <p>Problems:</p> <ol> <li> <strong>Inconsistent</strong> - every developer formats logs differently</li> <li> <strong>Incomplete</strong> - someone always forgets to add a log call</li> <li> <strong>Flat</strong> - no device info, no geo, no request context</li> <li> <strong>Unqueryable</strong> - good luck searching through text files for patterns</li> </ol> <p>LaraFoundry takes a different approach: event-driven, structured, and automatic.</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User Action (HTTP Request) | v Event Fired (e.g. ProductCreated::class) | v ActivityLogServiceProvider (listener) | v ActivityLogService::logActivity() | +---&gt; Creates CustomActivity record | - Request metadata (IP, URL, method) | - Device info (browser, OS, device type) | - Event properties (custom per event) | - Response status code | +---&gt; Dispatches RetrieveActivityGeoData job | v GetGeoDataByIpAction (cached 24h) | v Updates CustomActivity with geo data </code></pre> </div> <h2> Package Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Package</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>spatie/laravel-activitylog</code></td> <td>Core activity tracking (extended)</td> </tr> <tr> <td><code>jenssegers/agent</code></td> <td>Device/browser/OS detection</td> </tr> <tr> <td><code>opcodesio/log-viewer</code></td> <td>Web UI for Monolog file logs</td> </tr> <tr> <td><code>laravel/telescope</code></td> <td>Dev/testing debugger</td> </tr> </tbody> </table></div> <p>Plus a free geo API (ip-api.com) with smart caching.</p> <h2> Step 1: The Event Map </h2> <p>The heart of the system is <code>ActivityLogServiceProvider</code>. It defines a single array mapping events to log metadata:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ActivityLogServiceProvider</span> <span class="kd">extends</span> <span class="nc">ServiceProvider</span> <span class="p">{</span> <span class="k">protected</span> <span class="kt">array</span> <span class="nv">$events</span> <span class="o">=</span> <span class="p">[</span> <span class="c1">// Auth events</span> <span class="nc">Registered</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'New user registered'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">Login</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Login'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">Logout</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Logout'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">Failed</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Login failed'</span><span class="p">,</span> <span class="mi">401</span><span class="p">],</span> <span class="nc">PasswordReset</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Password reset'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="c1">// Company events</span> <span class="nc">CompanyCreate</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Company'</span><span class="p">,</span> <span class="s1">'New company created'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">CompanyDeleted</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Company'</span><span class="p">,</span> <span class="s1">'Company deleted'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">EmployeeInvitationSent</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Company'</span><span class="p">,</span> <span class="s1">'Employee invitation sent'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">RoleCreated</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Company'</span><span class="p">,</span> <span class="s1">'Custom role created'</span><span class="p">,</span> <span class="mi">201</span><span class="p">],</span> <span class="c1">// Warehouse events</span> <span class="nc">ProductCreated</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Warehouse'</span><span class="p">,</span> <span class="s1">'Product created'</span><span class="p">,</span> <span class="mi">201</span><span class="p">],</span> <span class="nc">ProductUpdated</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Warehouse'</span><span class="p">,</span> <span class="s1">'Product updated'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">ProductDeleted</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Warehouse'</span><span class="p">,</span> <span class="s1">'Product deleted'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">ProductCreationFailed</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Warehouse'</span><span class="p">,</span> <span class="s1">'Product creation failed'</span><span class="p">,</span> <span class="mi">500</span><span class="p">],</span> <span class="c1">// Contragent events</span> <span class="nc">ContragentCreated</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Contragent'</span><span class="p">,</span> <span class="s1">'Contragent created'</span><span class="p">,</span> <span class="mi">201</span><span class="p">],</span> <span class="nc">ContragentDeleted</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Contragent'</span><span class="p">,</span> <span class="s1">'Contragent deleted'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="c1">// ... 60+ events total</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Format: <code>[EventGroupName, Description, HTTP ResponseCode]</code>.</p> <p>In the <code>boot()</code> method, all listeners are registered dynamically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">boot</span><span class="p">()</span> <span class="p">{</span> <span class="nc">Activity</span><span class="o">::</span><span class="nf">unguard</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">events</span> <span class="k">as</span> <span class="nv">$eventClass</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="nv">$group</span><span class="p">,</span> <span class="nv">$desc</span><span class="p">,</span> <span class="nv">$code</span><span class="p">])</span> <span class="p">{</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">listen</span><span class="p">(</span><span class="nv">$eventClass</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="nv">$event</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$eventClass</span><span class="p">,</span> <span class="nv">$group</span><span class="p">,</span> <span class="nv">$desc</span><span class="p">,</span> <span class="nv">$code</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$eventClassName</span> <span class="o">=</span> <span class="nf">class_basename</span><span class="p">(</span><span class="nv">$eventClass</span><span class="p">);</span> <span class="nv">$eventProperties</span> <span class="o">=</span> <span class="nb">method_exists</span><span class="p">(</span><span class="nv">$event</span><span class="p">,</span> <span class="s1">'getLogProperties'</span><span class="p">)</span> <span class="o">?</span> <span class="p">[</span><span class="s1">'event_properties'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="nf">getLogProperties</span><span class="p">()]</span> <span class="o">:</span> <span class="p">[];</span> <span class="nc">ActivityLogService</span><span class="o">::</span><span class="nf">logActivity</span><span class="p">(</span> <span class="nv">$event</span><span class="p">,</span> <span class="nv">$eventClassName</span><span class="p">,</span> <span class="nv">$group</span><span class="p">,</span> <span class="nv">$desc</span><span class="p">,</span> <span class="nv">$code</span><span class="p">,</span> <span class="nv">$eventProperties</span> <span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The key insight: each event can optionally implement <code>getLogProperties()</code> to provide module-specific context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// In TicketCreate event</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getLogProperties</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'ticket_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ticket</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'ticket_title'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ticket</span><span class="o">-&gt;</span><span class="n">title</span><span class="p">,</span> <span class="s1">'ticket_priority'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ticket</span><span class="o">-&gt;</span><span class="n">priority</span><span class="p">,</span> <span class="s1">'categories'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ticket</span><span class="o">-&gt;</span><span class="n">categories</span><span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'name'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nb">implode</span><span class="p">(</span><span class="s1">', '</span><span class="p">),</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>No coupling between events and the logging system. Events don't know they're being logged. The ServiceProvider handles everything.</p> <h2> Step 2: The Custom Activity Model </h2> <p>Spatie's default Activity model stores the basics: <code>log_name</code>, <code>description</code>, <code>properties</code>, <code>causer</code>. For a SaaS, that's not enough.</p> <p><code>CustomActivity</code> extends Spatie's model with 15 additional fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">CustomActivity</span> <span class="kd">extends</span> <span class="nc">Activity</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$table</span> <span class="o">=</span> <span class="s1">'activity_log'</span><span class="p">;</span> <span class="k">protected</span> <span class="nv">$fillable</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'user_agent'</span><span class="p">,</span> <span class="s1">'log_name'</span><span class="p">,</span> <span class="s1">'description'</span><span class="p">,</span> <span class="s1">'subject_type'</span><span class="p">,</span> <span class="s1">'subject_id'</span><span class="p">,</span> <span class="s1">'causer_type'</span><span class="p">,</span> <span class="s1">'causer_id'</span><span class="p">,</span> <span class="s1">'properties'</span><span class="p">,</span> <span class="c1">// Device fingerprint</span> <span class="s1">'user_ip'</span><span class="p">,</span> <span class="s1">'user_device_type'</span><span class="p">,</span> <span class="s1">'user_device_name'</span><span class="p">,</span> <span class="s1">'user_os'</span><span class="p">,</span> <span class="s1">'user_browser'</span><span class="p">,</span> <span class="c1">// Request context</span> <span class="s1">'route_name'</span><span class="p">,</span> <span class="s1">'request_method'</span><span class="p">,</span> <span class="s1">'full_url'</span><span class="p">,</span> <span class="s1">'response_code'</span><span class="p">,</span> <span class="c1">// Status</span> <span class="s1">'is_successful'</span><span class="p">,</span> <span class="s1">'user_email'</span><span class="p">,</span> <span class="c1">// Geolocation</span> <span class="s1">'geo_country'</span><span class="p">,</span> <span class="s1">'geo_city'</span><span class="p">,</span> <span class="s1">'geo_updated_at'</span><span class="p">,</span> <span class="p">];</span> <span class="k">protected</span> <span class="nv">$casts</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'properties'</span> <span class="o">=&gt;</span> <span class="s1">'collection'</span><span class="p">,</span> <span class="s1">'is_successful'</span> <span class="o">=&gt;</span> <span class="s1">'boolean'</span><span class="p">,</span> <span class="s1">'geo_updated_at'</span> <span class="o">=&gt;</span> <span class="s1">'datetime'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Now every event is structured and queryable. Want failed logins from a specific country? One Eloquent query.</p> <h2> Step 3: The Activity Log Service </h2> <p><code>ActivityLogService</code> is the central piece that creates log records and enriches them with device data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ActivityLogService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">logActivity</span><span class="p">(</span><span class="nv">$event</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$eventClassName</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$eventGroupName</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$description</span><span class="p">,</span> <span class="kt">int</span> <span class="nv">$responseCode</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$eventProperties</span> <span class="o">=</span> <span class="p">[]):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$request</span> <span class="o">=</span> <span class="nf">request</span><span class="p">();</span> <span class="nv">$ip</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">();</span> <span class="nv">$properties</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'event_group_name'</span> <span class="o">=&gt;</span> <span class="nv">$eventGroupName</span><span class="p">,</span> <span class="s1">'middleware'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">()</span><span class="o">?-&gt;</span><span class="nf">gatherMiddleware</span><span class="p">()</span> <span class="o">??</span> <span class="p">[],</span> <span class="p">]</span> <span class="o">+</span> <span class="nv">$eventProperties</span><span class="p">;</span> <span class="nv">$activity</span> <span class="o">=</span> <span class="nc">CustomActivity</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'log_name'</span> <span class="o">=&gt;</span> <span class="nv">$eventClassName</span><span class="p">,</span> <span class="s1">'description'</span> <span class="o">=&gt;</span> <span class="nv">$description</span><span class="p">,</span> <span class="s1">'properties'</span> <span class="o">=&gt;</span> <span class="nv">$properties</span><span class="p">,</span> <span class="s1">'response_code'</span> <span class="o">=&gt;</span> <span class="nv">$responseCode</span><span class="p">,</span> <span class="s1">'is_successful'</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nv">$responseCode</span> <span class="o">&lt;</span> <span class="mi">400</span><span class="p">),</span> <span class="s1">'user_ip'</span> <span class="o">=&gt;</span> <span class="nv">$ip</span><span class="p">,</span> <span class="s1">'user_device_type'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">isDesktop</span><span class="p">()</span> <span class="o">?</span> <span class="s1">'desktop'</span> <span class="o">:</span> <span class="p">(</span><span class="nc">Agent</span><span class="o">::</span><span class="nf">isTablet</span><span class="p">()</span> <span class="o">?</span> <span class="s1">'tablet'</span> <span class="o">:</span> <span class="s1">'mobile'</span><span class="p">),</span> <span class="s1">'user_device_name'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">device</span><span class="p">(),</span> <span class="s1">'user_os'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">platform</span><span class="p">(),</span> <span class="s1">'user_browser'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">browser</span><span class="p">(),</span> <span class="s1">'route_name'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">()</span><span class="o">?-&gt;</span><span class="nf">getName</span><span class="p">(),</span> <span class="s1">'request_method'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">method</span><span class="p">(),</span> <span class="s1">'full_url'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">fullUrl</span><span class="p">(),</span> <span class="c1">// Geo filled async</span> <span class="s1">'geo_country'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'geo_city'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="p">]);</span> <span class="nc">RetrieveActivityGeoData</span><span class="o">::</span><span class="nf">dispatch</span><span class="p">(</span><span class="nv">$activity</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="nv">$ip</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Notice: geolocation fields are null on creation. They get filled asynchronously via a queued job.</p> <h2> Step 4: Async Geolocation </h2> <p>A geo API call adds ~200ms per request. unacceptable for synchronous execution. LaraFoundry handles this in the background:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">RetrieveActivityGeoData</span> <span class="kd">implements</span> <span class="nc">ShouldQueue</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$timeout</span> <span class="o">=</span> <span class="mi">30</span><span class="p">;</span> <span class="k">public</span> <span class="nv">$tries</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$activity</span> <span class="o">=</span> <span class="nc">CustomActivity</span><span class="o">::</span><span class="nf">find</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">activityId</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$activity</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nv">$geoData</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">GetGeoDataByIpAction</span><span class="o">::</span><span class="n">class</span><span class="p">)(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ip</span><span class="p">);</span> <span class="nv">$activity</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'geo_country'</span> <span class="o">=&gt;</span> <span class="nv">$geoData</span><span class="p">[</span><span class="s1">'country'</span><span class="p">],</span> <span class="s1">'geo_city'</span> <span class="o">=&gt;</span> <span class="nv">$geoData</span><span class="p">[</span><span class="s1">'city'</span><span class="p">],</span> <span class="s1">'geo_updated_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">failed</span><span class="p">(</span><span class="nc">\Throwable</span> <span class="nv">$exception</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Log</span><span class="o">::</span><span class="nf">error</span><span class="p">(</span><span class="s2">"Failed to get geo data for activity </span><span class="si">{</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">activityId</span><span class="si">}</span><span class="s2">: "</span> <span class="mf">.</span> <span class="nv">$exception</span><span class="o">-&gt;</span><span class="nf">getMessage</span><span class="p">());</span> <span class="nv">$activity</span> <span class="o">=</span> <span class="nc">CustomActivity</span><span class="o">::</span><span class="nf">find</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">activityId</span><span class="p">);</span> <span class="nv">$activity</span><span class="o">?-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'geo_country'</span> <span class="o">=&gt;</span> <span class="s1">'Unknown'</span><span class="p">,</span> <span class="s1">'geo_city'</span> <span class="o">=&gt;</span> <span class="s1">'Unknown'</span><span class="p">,</span> <span class="s1">'geo_updated_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>GetGeoDataByIpAction</code> itself is a clean, invokable action class with smart caching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">GetGeoDataByIpAction</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__invoke</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$ip</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">self</span><span class="o">::</span><span class="nf">isLocalIp</span><span class="p">(</span><span class="nv">$ip</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'Local network'</span><span class="p">,</span> <span class="s1">'city'</span> <span class="o">=&gt;</span> <span class="s1">'Local network'</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="nc">Cache</span><span class="o">::</span><span class="nf">remember</span><span class="p">(</span><span class="s2">"geo_data_</span><span class="si">{</span><span class="nv">$ip</span><span class="si">}</span><span class="s2">"</span><span class="p">,</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$ip</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nc">Http</span><span class="o">::</span><span class="nf">timeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s2">"http://ip-api.com/json/</span><span class="si">{</span><span class="nv">$ip</span><span class="si">}</span><span class="s2">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">successful</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$data</span> <span class="o">=</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">[</span><span class="s1">'country'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">'Unknown'</span><span class="p">,</span> <span class="s1">'city'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">[</span><span class="s1">'city'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">'Unknown'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">Exception</span> <span class="nv">$e</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Log</span><span class="o">::</span><span class="nf">warning</span><span class="p">(</span><span class="s2">"Geo API error for IP </span><span class="si">{</span><span class="nv">$ip</span><span class="si">}</span><span class="s2">: "</span> <span class="mf">.</span> <span class="nv">$e</span><span class="o">-&gt;</span><span class="nf">getMessage</span><span class="p">());</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[</span><span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'Unknown'</span><span class="p">,</span> <span class="s1">'city'</span> <span class="o">=&gt;</span> <span class="s1">'Unknown'</span><span class="p">];</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Key decisions:</p> <ul> <li> <strong>24-hour cache</strong> per IP (same user, same IP, no redundant API calls)</li> <li> <strong>Local IP detection</strong> (127.0.0.1, 192.168.<em>, 10.</em>, 172.* skip the API)</li> <li> <strong>Graceful fallback</strong> ("Unknown" if the API is down)</li> <li> <strong>5-second timeout</strong> (don't hang on slow API responses)</li> </ul> <h2> Step 5: Multi-Channel Admin Notifications </h2> <p>Some events need more than a log entry. Admin login attempts in LaraFoundry trigger instant notifications via email and Telegram:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">AdminLoginAttemptNotification</span> <span class="kd">extends</span> <span class="nc">Notification</span> <span class="kd">implements</span> <span class="nc">ShouldQueue</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span><span class="nv">$step</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ip</span> <span class="o">=</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">();</span> <span class="nv">$geoData</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">GetGeoDataByIpAction</span><span class="o">::</span><span class="n">class</span><span class="p">)(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">ip</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">location</span> <span class="o">=</span> <span class="s1">'Country: '</span><span class="mf">.</span><span class="nv">$geoData</span><span class="p">[</span><span class="s1">'country'</span><span class="p">]</span><span class="mf">.</span><span class="s1">', City: '</span><span class="mf">.</span><span class="nv">$geoData</span><span class="p">[</span><span class="s1">'city'</span><span class="p">];</span> <span class="c1">// Capture device data DURING request, BEFORE queue serialization</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">deviceType</span> <span class="o">=</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">isDesktop</span><span class="p">()</span> <span class="o">?</span> <span class="s1">'desktop'</span> <span class="o">:</span> <span class="p">(</span><span class="nc">Agent</span><span class="o">::</span><span class="nf">isTablet</span><span class="p">()</span> <span class="o">?</span> <span class="s1">'tablet'</span> <span class="o">:</span> <span class="s1">'mobile'</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">deviceName</span> <span class="o">=</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">device</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">deviceOS</span> <span class="o">=</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">platform</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">deviceBrowser</span> <span class="o">=</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">browser</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">userAgent</span> <span class="o">=</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">via</span><span class="p">(</span><span class="nv">$notifiable</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span><span class="s1">'mail'</span><span class="p">,</span> <span class="s1">'telegram'</span><span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Important gotcha:</strong> Device data must be captured in the constructor (during the HTTP request), not in the <code>toMail()</code>/<code>toTelegram()</code> methods. The Agent facade needs the actual request context. once the notification is serialized to the queue, that context is gone.</p> <h2> Step 6: File-Based Logging (Monolog) </h2> <p>Activity logs are for business events. For system-level debugging, LaraFoundry uses Monolog with split channels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// config/logging.php</span> <span class="s1">'stack'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'driver'</span> <span class="o">=&gt;</span> <span class="s1">'stack'</span><span class="p">,</span> <span class="s1">'channels'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'daily'</span><span class="p">,</span> <span class="s1">'critical'</span><span class="p">],</span> <span class="p">],</span> <span class="s1">'daily'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'driver'</span> <span class="o">=&gt;</span> <span class="s1">'daily'</span><span class="p">,</span> <span class="s1">'path'</span> <span class="o">=&gt;</span> <span class="nf">storage_path</span><span class="p">(</span><span class="s1">'logs/laravel.log'</span><span class="p">),</span> <span class="s1">'level'</span> <span class="o">=&gt;</span> <span class="s1">'debug'</span><span class="p">,</span> <span class="s1">'days'</span> <span class="o">=&gt;</span> <span class="mi">14</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'critical'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'driver'</span> <span class="o">=&gt;</span> <span class="s1">'daily'</span><span class="p">,</span> <span class="s1">'path'</span> <span class="o">=&gt;</span> <span class="nf">storage_path</span><span class="p">(</span><span class="s1">'logs/critical.log'</span><span class="p">),</span> <span class="s1">'level'</span> <span class="o">=&gt;</span> <span class="s1">'error'</span><span class="p">,</span> <span class="s1">'days'</span> <span class="o">=&gt;</span> <span class="mi">30</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <p>Every log entry goes to <code>daily</code>. Only errors go to <code>critical</code> (with 30-day retention instead of 14). This means you can freely rotate daily logs without losing error history.</p> <p>For browsing these logs, <code>opcodesio/log-viewer</code> provides a web UI at <code>/admin/log-viewer</code> with search, filtering, and stack trace viewing.</p> <h2> Step 7: Telescope for Development </h2> <p>Laravel Telescope is the developer's microscope. In LaraFoundry, it's enabled only in <code>local</code> and <code>testing</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'enabled'</span> <span class="o">=&gt;</span> <span class="nb">in_array</span><span class="p">(</span><span class="nf">env</span><span class="p">(</span><span class="s1">'APP_ENV'</span><span class="p">),</span> <span class="p">[</span><span class="s1">'local'</span><span class="p">,</span> <span class="s1">'testing'</span><span class="p">]),</span> </code></pre> </div> <p>Configured watchers:</p> <ul> <li> <strong>QueryWatcher</strong> - flags slow queries &gt; 100ms</li> <li> <strong>ModelWatcher</strong> - tracks all <code>eloquent.*</code> events</li> <li> <strong>EventWatcher</strong> - every event dispatched</li> <li> <strong>JobWatcher</strong> - queue job processing</li> <li> <strong>ExceptionWatcher</strong> - all exceptions</li> <li> <strong>MailWatcher</strong>, <strong>NotificationWatcher</strong>, <strong>GateWatcher</strong>, etc.</li> </ul> <p>Zero overhead in production. Full visibility in development.</p> <h2> Step 8: The Admin UI </h2> <p>Logs are useless if nobody looks at them. LaraFoundry provides two Inertia/Vue views:</p> <p><strong>User-specific logs</strong> (<code>/admin/logs/{user}</code>):</p> <ul> <li>Time range filter: 1h, 6h, 12h, 24h, 48h, 72h</li> <li>Device info in tooltips</li> <li>Success/error badges</li> <li>Responsive: tables on desktop, expandable cards on mobile</li> </ul> <p><strong>General system logs</strong> (<code>/admin/generalLogs</code>):</p> <ul> <li>All events across all users</li> <li>Event group filtering (Auth, Company, Warehouse...)</li> <li>Response code + result columns</li> <li>100 per page with pagination</li> </ul> <p>The controller is minimal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">userLogs</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">User</span> <span class="nv">$user</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$hours</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'hours'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="nv">$logs</span> <span class="o">=</span> <span class="nc">CustomActivity</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'causer_id'</span><span class="p">,</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'created_at'</span><span class="p">,</span> <span class="s1">'&gt;='</span><span class="p">,</span> <span class="nc">Carbon</span><span class="o">::</span><span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subHours</span><span class="p">(</span><span class="nv">$hours</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="s1">'created_at'</span><span class="p">,</span> <span class="s1">'desc'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">with</span><span class="p">(</span><span class="s1">'user'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="mi">50</span><span class="p">);</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="s1">'admin/logs/UserLogs'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'logs'</span> <span class="o">=&gt;</span> <span class="nc">ActivityLogResource</span><span class="o">::</span><span class="nf">collection</span><span class="p">(</span><span class="nv">$logs</span><span class="p">),</span> <span class="s1">'selectedHours'</span> <span class="o">=&gt;</span> <span class="nv">$hours</span><span class="p">,</span> <span class="s1">'availableHours'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">72</span><span class="p">],</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <h2> Testing </h2> <p>Every link in the logging chain gets tested with Pest PHP:</p> <ul> <li>Events fire correctly from user actions</li> <li>ServiceProvider intercepts events and calls ActivityLogService</li> <li>CustomActivity records are created with all expected fields</li> <li>Device fingerprint data is captured</li> <li>Geo-data job dispatches and handles failures</li> <li>Admin notifications fire on critical events</li> <li>Time range filters return correct datasets</li> <li>Log viewer routes require authentication</li> </ul> <p>A logging system that silently breaks is worse than no logging at all.</p> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Tool</th> <th>Environment</th> <th>Audience</th> </tr> </thead> <tbody> <tr> <td>Business activity</td> <td>CustomActivity + Inertia UI</td> <td>All</td> <td>Admins</td> </tr> <tr> <td>System debugging</td> <td>Laravel Telescope</td> <td>Dev/Testing</td> <td>Developers</td> </tr> <tr> <td>File logs</td> <td>Monolog + Log Viewer</td> <td>All</td> <td>DevOps</td> </tr> <tr> <td>Real-time alerts</td> <td>Notifications (Mail + Telegram)</td> <td>All</td> <td>Admins</td> </tr> </tbody> </table></div> <p>Adding logging to a new module? Add your events to the <code>$events</code> array in <code>ActivityLogServiceProvider</code>. That's it.</p> <p>If you're building a SaaS and logging isn't a Day 1 feature - reconsider. Your future self debugging a production issue at 2 AM will thank you.</p> <p>LaraFoundry is a production-proven SaaS engine extracted from <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a>. Follow the build-in-public journey and join the waitlist at <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a>.</p> <h1> laravel #php #saas #webdev #larafoundry </h1> laravel php saas webdev How I Built a Complete Multi-Tenancy System for My Laravel SaaS - Without Spatie Dmitry Isaenko Mon, 16 Mar 2026 10:39:52 +0000 https://dev.to/d_isaenko_dev/how-i-built-a-complete-multi-tenancy-system-for-my-laravel-saas-without-spatie-227a https://dev.to/d_isaenko_dev/how-i-built-a-complete-multi-tenancy-system-for-my-laravel-saas-without-spatie-227a <p>Every SaaS application needs to answer one question on every single request: "who can do what in which company?"</p> <p>Sounds simple. It's not.</p> <p>I've been building <strong>Kohana.io</strong> - a SaaS CRM/ERP for small businesses. The multi-tenancy module took longer than any other module to get right. Not because the code is complex, but because the <em>decisions</em> are complex: single database or separate databases? Config-driven or database-driven permissions? How do you handle permission overrides? What happens when a user gets a 403?</p> <p>Now I'm extracting this module into <strong>LaraFoundry</strong> - an open-source Laravel SaaS framework - so nobody has to make these decisions from scratch again.</p> <p>Here's exactly how it works.</p> <h2> Architecture Overview </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>'BelongsToCompany' trait</td> <td>Automatic query filtering by active company</td> </tr> <tr> <td>'config/roles-and-permissions.php'</td> <td>All permissions defined in one place</td> </tr> <tr> <td>Gate classes (8 files)</td> <td>Complex authorization logic per module</td> </tr> <tr> <td>'HasRolesAndPermissions' trait</td> <td>5-level permission hierarchy on User model</td> </tr> <tr> <td>'SetActiveCompanyMiddleware'</td> <td>Auto-resolves tenant context</td> </tr> <tr> <td>'CheckAccessMiddleware'</td> <td>Ban + payment status checks</td> </tr> <tr> <td>'LayoutDataService'</td> <td>Permission-aware menu + FAR routing</td> </tr> </tbody> </table></div> <p><strong>Tech stack:</strong> Laravel 12, Inertia.js v2, Vue 3, Pest PHP</p> <h2> 1. Data Isolation - The BelongsToCompany Trait </h2> <p>The scariest bug in multi-tenancy is a data leak. Showing Company A's orders to Company B.</p> <p>It only takes one forgotten 'where('company_id', ...)' and you've got a GDPR nightmare.</p> <p>LaraFoundry solves this at the Eloquent model level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">trait</span> <span class="nc">BelongsToCompany</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">static</span> <span class="k">function</span> <span class="n">bootBelongsToCompany</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">static</span><span class="o">::</span><span class="nf">addGlobalScope</span><span class="p">(</span><span class="s1">'company'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Builder</span> <span class="nv">$builder</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$companyId</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getCurrentCompanyId</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$companyId</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span> <span class="nv">$builder</span><span class="o">-&gt;</span><span class="nf">getModel</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getTable</span><span class="p">()</span> <span class="mf">.</span> <span class="s1">'.company_id'</span><span class="p">,</span> <span class="nv">$companyId</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">scopeForCompany</span><span class="p">(</span><span class="kt">Builder</span> <span class="nv">$query</span><span class="p">,</span> <span class="kt">int</span> <span class="nv">$companyId</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">withoutGlobalScope</span><span class="p">(</span><span class="s1">'company'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getTable</span><span class="p">()</span> <span class="mf">.</span> <span class="s1">'.company_id'</span><span class="p">,</span> <span class="nv">$companyId</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">scopeForAdmin</span><span class="p">(</span><span class="kt">Builder</span> <span class="nv">$query</span><span class="p">):</span> <span class="kt">Builder</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$query</span><span class="o">-&gt;</span><span class="nf">withoutGlobalScope</span><span class="p">(</span><span class="s1">'company'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Usage:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Controller - no filtering needed</span> <span class="nv">$orders</span> <span class="o">=</span> <span class="nc">Order</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">latest</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="mi">20</span><span class="p">);</span> <span class="c1">// Automatically: SELECT * FROM orders WHERE company_id = 5</span> <span class="c1">// Admin dashboard - see everything</span> <span class="nv">$allOrders</span> <span class="o">=</span> <span class="nc">Order</span><span class="o">::</span><span class="nf">forAdmin</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">latest</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">paginate</span><span class="p">(</span><span class="mi">50</span><span class="p">);</span> <span class="c1">// Specific company query</span> <span class="nv">$report</span> <span class="o">=</span> <span class="nc">Order</span><span class="o">::</span><span class="nf">forCompany</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'status'</span><span class="p">,</span> <span class="s1">'completed'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> </code></pre> </div> <p>The table prefix ('$builder-&gt;getModel()-&gt;getTable() . '.company_id'') prevents ambiguous column errors in joins. Small detail, saves hours of debugging.</p> <h2> 2. Config-Driven Permission Registration </h2> <p>All permissions are defined in 'config/roles-and-permissions.php':<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'permissions'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'orders'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'label'</span> <span class="o">=&gt;</span> <span class="s1">'Orders'</span><span class="p">,</span> <span class="s1">'permissions'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'orders.view'</span> <span class="o">=&gt;</span> <span class="s1">'View orders'</span><span class="p">,</span> <span class="s1">'orders.create'</span> <span class="o">=&gt;</span> <span class="s1">'Create orders'</span><span class="p">,</span> <span class="s1">'orders.update'</span> <span class="o">=&gt;</span> <span class="s1">'Update orders'</span><span class="p">,</span> <span class="s1">'orders.delete'</span> <span class="o">=&gt;</span> <span class="s1">'Delete orders'</span><span class="p">,</span> <span class="s1">'orders.approve'</span> <span class="o">=&gt;</span> <span class="s1">'Approve orders'</span><span class="p">,</span> <span class="s1">'orders.status_change'</span> <span class="o">=&gt;</span> <span class="s1">'Change order status'</span><span class="p">,</span> <span class="s1">'orders.export'</span> <span class="o">=&gt;</span> <span class="s1">'Export orders'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="s1">'warehouse'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'label'</span> <span class="o">=&gt;</span> <span class="s1">'Warehouse'</span><span class="p">,</span> <span class="s1">'permissions'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'warehouse.view'</span> <span class="o">=&gt;</span> <span class="s1">'View warehouse'</span><span class="p">,</span> <span class="s1">'warehouse.create'</span> <span class="o">=&gt;</span> <span class="s1">'Add to warehouse'</span><span class="p">,</span> <span class="s1">'warehouse.update'</span> <span class="o">=&gt;</span> <span class="s1">'Update warehouse'</span><span class="p">,</span> <span class="s1">'warehouse.delete'</span> <span class="o">=&gt;</span> <span class="s1">'Delete from warehouse'</span><span class="p">,</span> <span class="s1">'warehouse.inventory'</span> <span class="o">=&gt;</span> <span class="s1">'Inventory'</span><span class="p">,</span> <span class="s1">'warehouse.transfer'</span> <span class="o">=&gt;</span> <span class="s1">'Transfer goods'</span><span class="p">,</span> <span class="s1">'warehouse.reserve'</span> <span class="o">=&gt;</span> <span class="s1">'Reserve goods'</span><span class="p">,</span> <span class="s1">'warehouse.assembly'</span> <span class="o">=&gt;</span> <span class="s1">'Order assembly'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="c1">// 20+ modules, 100+ permissions total</span> <span class="p">],</span> </code></pre> </div> <p>'AuthServiceProvider' reads this config and registers a Gate for each permission:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">protected</span> <span class="k">function</span> <span class="n">registerPermissionGates</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$permissions</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getAllPermissionsFromConfig</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$permissions</span> <span class="k">as</span> <span class="nv">$permissionSlug</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Gate</span><span class="o">::</span><span class="nb">define</span><span class="p">(</span><span class="nv">$permissionSlug</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">,</span> <span class="kt">?Company</span> <span class="nv">$company</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$permissionSlug</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nv">$company</span> <span class="o">??</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">getActiveCompany</span><span class="p">();</span> <span class="k">return</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="nv">$permissionSlug</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>One loop. All permissions registered. Add a new permission? Add one line to config, run 'php artisan permissions:sync'.</p> <h2> 3. Dedicated Gate Classes for Complex Logic </h2> <p>Config handles 90% of permissions (simple CRUD). But some authorization logic has business rules. Like removing an employee:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Gates/EmployeeGates.php</span> <span class="kd">class</span> <span class="nc">EmployeeGates</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">register</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nc">Gate</span><span class="o">::</span><span class="nb">define</span><span class="p">(</span><span class="s1">'employees.remove'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">,</span> <span class="kt">User</span> <span class="nv">$employee</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">getActiveCompany</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span> <span class="o">===</span> <span class="nv">$employee</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// can't remove yourself</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">isOwnerOf</span><span class="p">(</span><span class="nv">$company</span><span class="p">))</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// can't remove the owner</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$employee</span><span class="o">-&gt;</span><span class="n">companies</span><span class="o">-&gt;</span><span class="nf">contains</span><span class="p">(</span><span class="nv">$company</span><span class="p">))</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// wrong company</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">isOwnerOf</span><span class="p">(</span><span class="nv">$company</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// owner can remove anyone</span> <span class="k">return</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="s1">'company.employees.remove'</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// employees.assignRole, employees.grantPermissions,</span> <span class="c1">// employees.manageRolesAndPermissions, employees.requestRemoval,</span> <span class="c1">// employees.confirmRemoval...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Each module gets its own Gate class. All registered from AuthServiceProvider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">protected</span> <span class="k">function</span> <span class="n">registerCustomGates</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nc">CompanyGates</span><span class="o">::</span><span class="nf">register</span><span class="p">();</span> <span class="nc">EmployeeGates</span><span class="o">::</span><span class="nf">register</span><span class="p">();</span> <span class="nc">RoleGates</span><span class="o">::</span><span class="nf">register</span><span class="p">();</span> <span class="nc">ContragentGates</span><span class="o">::</span><span class="nf">register</span><span class="p">();</span> <span class="nc">WarehouseGates</span><span class="o">::</span><span class="nf">register</span><span class="p">();</span> <span class="nc">ProductionGates</span><span class="o">::</span><span class="nf">register</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong> AuthServiceProvider stays under 60 lines. Each Gate class is independently testable.</p> <h2> 4. The 5-Level Permission Hierarchy </h2> <p>This is the core of the system. Five levels, checked top to bottom:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Level 1: Super Admin -&gt; bypass everything Level 2: Company Owner -&gt; full access to their company Level 3: Revoked -&gt; explicitly blocked (overrides roles!) Level 4: Individual -&gt; explicitly granted (overrides roles) Level 5: Role-based -&gt; permissions inherited from role </code></pre> </div> <p>The implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">hasPermissionTo</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$permissionSlug</span><span class="p">,</span> <span class="kt">Company</span><span class="o">|</span><span class="n">int</span><span class="o">|</span><span class="kc">null</span> <span class="nv">$company</span> <span class="o">=</span> <span class="kc">null</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="c1">// Level 1: Super admin</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isSuperAdmin</span><span class="p">())</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Level 2: Company owner</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$company</span> <span class="o">&amp;&amp;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isOwnerOf</span><span class="p">(</span><span class="nv">$company</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="nv">$companyId</span> <span class="o">=</span> <span class="nv">$company</span> <span class="k">instanceof</span> <span class="nc">Company</span> <span class="o">?</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span> <span class="o">:</span> <span class="nv">$company</span><span class="p">;</span> <span class="c1">// Level 3: Check if explicitly revoked</span> <span class="nv">$isRevoked</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">permissions</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'permissions.slug'</span><span class="p">,</span> <span class="nv">$permissionSlug</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'company_id'</span><span class="p">,</span> <span class="nv">$companyId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'is_revoked'</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$isRevoked</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Level 4: Check if explicitly granted</span> <span class="nv">$isGranted</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">permissions</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'permissions.slug'</span><span class="p">,</span> <span class="nv">$permissionSlug</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'company_id'</span><span class="p">,</span> <span class="nv">$companyId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'is_revoked'</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$isGranted</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Level 5: Check role permissions (company-scoped)</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">roles</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'company_id'</span><span class="p">,</span> <span class="nv">$companyId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereHas</span><span class="p">(</span><span class="s1">'permissions'</span><span class="p">,</span> <span class="k">fn</span><span class="p">(</span><span class="nv">$q</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$q</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'slug'</span><span class="p">,</span> <span class="nv">$permissionSlug</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why this order matters:</strong></p> <p>Imagine a "Manager" role with 'orders.delete'. But one specific manager shouldn't delete orders. Instead of creating a new role, the company owner just revokes that one permission. Done.</p> <p>The opposite works too - a "Worker" role doesn't have 'production.assign', but one senior worker needs it. Grant it individually.</p> <p>The 'is_revoked' flag in the 'user_permissions' pivot table is what makes it all possible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user_permissions: user_id, permission_id, company_id, is_revoked, granted_by_id </code></pre> </div> <p>One boolean. So much flexibility.</p> <h2> 5. Role Templates &amp; Custom Roles </h2> <p>When a new company is created, 5 role templates are automatically cloned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'role_templates'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'manager'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Manager'</span><span class="p">,</span> <span class="s1">'description'</span> <span class="o">=&gt;</span> <span class="s1">'Manage orders, contragents, view reports'</span><span class="p">,</span> <span class="s1">'permissions'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'orders.view'</span><span class="p">,</span> <span class="s1">'orders.create'</span><span class="p">,</span> <span class="s1">'orders.update'</span><span class="p">,</span> <span class="s1">'orders.delete'</span><span class="p">,</span> <span class="s1">'contragents.viewAny'</span><span class="p">,</span> <span class="s1">'contragents.view'</span><span class="p">,</span> <span class="s1">'contragents.create'</span><span class="p">,</span> <span class="s1">'production.view'</span><span class="p">,</span> <span class="s1">'production.create'</span><span class="p">,</span> <span class="s1">'dashboard.view'</span><span class="p">,</span> <span class="c1">// ...20+ permissions</span> <span class="p">],</span> <span class="p">],</span> <span class="s1">'accountant'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="cm">/* ... */</span> <span class="p">],</span> <span class="s1">'storekeeper'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="cm">/* ... */</span> <span class="p">],</span> <span class="s1">'logistician'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="cm">/* ... */</span> <span class="p">],</span> <span class="s1">'worker'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="cm">/* ... */</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>The company owner can:</p> <ul> <li>Edit template roles (add/remove permissions)</li> <li>Create completely custom roles</li> <li>Assign multiple roles to one employee</li> <li>Override any role permission per individual user</li> <li>Delete custom roles (if no users are assigned)</li> </ul> <p>All from the UI. No developer needed.</p> <h2> 6. Middleware Stack - Tenant Context </h2> <p>Three middleware components handle the multi-tenancy lifecycle:</p> <h3> SetActiveCompanyMiddleware </h3> <p>Runs on every web request. Sets the active company context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">):</span> <span class="kt">Response</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">()</span> <span class="o">||</span> <span class="o">!</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">hasVerifiedEmail</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="c1">// Already has active company? Verify ownership</span> <span class="k">if</span> <span class="p">(</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'active_company_id'</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$companyBelongsToUser</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">companies</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">wherePivot</span><span class="p">(</span><span class="s1">'is_deleted'</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'companies.id'</span><span class="p">,</span> <span class="nf">session</span><span class="p">(</span><span class="s1">'active_company_id'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$companyBelongsToUser</span><span class="p">)</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">forget</span><span class="p">(</span><span class="s1">'active_company_id'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Priority: owned company &gt; employee company</span> <span class="nv">$ownedCompany</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">companies</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">(</span> <span class="k">fn</span><span class="p">(</span><span class="nv">$company</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">isOwnerOf</span><span class="p">(</span><span class="nv">$company</span><span class="p">)</span> <span class="p">);</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">setActiveCompany</span><span class="p">(</span><span class="nv">$ownedCompany</span> <span class="o">??</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">companies</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">());</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>If a user gets removed from a company, the middleware auto-switches on the next request. No stale state.</p> <h3> CheckAccessMiddleware </h3> <p>Checks ban status (user + owner) and payment status (trial + subscription). Even banned users can access support tickets.</p> <h3> CheckCompanyAccess </h3> <p>Owner-only routes: company settings, employee management, role configuration.</p> <p><strong>Middleware order in bootstrap/app.php:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. HandleInertiaRequests 2. SetActiveCompanyMiddleware &lt;- tenant context 3. UpdateLastSessionActivity 4. SetLocale 5. EnsureEmailIsVerified 6. CheckPinLockMiddleware 7. CheckAccessMiddleware &lt;- ban + payment check 8. CheckSessionExists </code></pre> </div> <p>Order matters. You can't check company permissions before you know which company.</p> <h2> 7. Permission-Aware Navigation </h2> <p>Every menu item has a 'policyName':<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'linkName'</span> <span class="o">=&gt;</span> <span class="nf">__</span><span class="p">(</span><span class="s1">'Orders'</span><span class="p">),</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'orders.view'</span><span class="p">,</span> <span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'orders'</span><span class="p">,</span> <span class="p">],</span> <span class="p">[</span> <span class="s1">'linkName'</span> <span class="o">=&gt;</span> <span class="nf">__</span><span class="p">(</span><span class="s1">'Warehouse'</span><span class="p">),</span> <span class="s1">'policyName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse.view'</span><span class="p">,</span> <span class="s1">'routeName'</span> <span class="o">=&gt;</span> <span class="s1">'warehouse'</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <p>Each item runs through 'checkUserAndCompanyPolicy()':<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">checkUserAndCompanyPolicy</span><span class="p">(</span><span class="nv">$policyName</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isAdmin</span><span class="p">())</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="k">empty</span><span class="p">(</span><span class="nv">$policyName</span><span class="p">))</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$policyName</span> <span class="o">===</span> <span class="s1">'public'</span><span class="p">)</span> <span class="k">return</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">();</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">getActiveCompany</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$company</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">isOwnerOf</span><span class="p">(</span><span class="nv">$company</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="nv">$policyName</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>A "Storekeeper" sees: Warehouse. A "Manager" sees: Orders, Production, Contragents. An owner sees everything. If you can't access it - you don't see it.</p> <h2> 8. The First Allowed Route (FAR) Pattern </h2> <p>The pattern that eliminated 403 pages from my SaaS entirely.</p> <p>Instead of showing a 403 error page, redirect the user to the first page they CAN access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// bootstrap/app.php - exception handler</span> <span class="nv">$exceptions</span><span class="o">-&gt;</span><span class="nf">renderable</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="kt">AccessDeniedHttpException</span> <span class="nv">$e</span><span class="p">,</span> <span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$layoutService</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">LayoutDataService</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="nv">$layoutService</span><span class="o">-&gt;</span><span class="nf">getFirstAllowedRouteName</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">with</span><span class="p">(</span><span class="s1">'message-disappear-error'</span><span class="p">,</span> <span class="nf">__</span><span class="p">(</span><span class="s1">'You do not have permission to access this page'</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>The 'getFirstAllowedRouteName()' method:</p> <ol> <li>Checks if user has a saved default page for this company</li> <li>If that page is still accessible - go there</li> <li>If not - clear it, show warning, fall back</li> <li>Walk through menu items, find the first accessible one</li> <li>Fallback to notifications </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">getFirstAllowedRouteName</span><span class="p">():</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">self</span><span class="o">::</span><span class="nf">isAdmin</span><span class="p">())</span> <span class="k">return</span> <span class="s1">'admin.dashboard.index'</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">authUserData</span><span class="o">-&gt;</span><span class="nf">hasUserCompanyOrRole</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'notifications.index'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check saved default route</span> <span class="nv">$saved</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getDefaultRouteForActiveCompany</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$saved</span> <span class="o">&amp;&amp;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isBottomLevelRouteAccessible</span><span class="p">(</span><span class="nv">$saved</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$saved</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Walk menu items</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getNavUpLevelItemsArray</span><span class="p">()</span> <span class="k">as</span> <span class="nv">$navItem</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$navItem</span><span class="p">[</span><span class="s1">'unvisibly'</span><span class="p">]))</span> <span class="k">continue</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkUserAndCompanyPolicy</span><span class="p">(</span><span class="nv">$navItem</span><span class="p">[</span><span class="s1">'policyName'</span><span class="p">]))</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getFirstAllowedBottomLevelRoute</span><span class="p">(</span><span class="nv">$navItem</span><span class="p">[</span><span class="s1">'routeName'</span><span class="p">])</span> <span class="o">??</span> <span class="nv">$navItem</span><span class="p">[</span><span class="s1">'routeName'</span><span class="p">];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="s1">'notifications.index'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Used in 4 places:</strong> after login, after 403, after company switch, in sidebar "Home" link.</p> <h2> 9. Testing - Proof It Works </h2> <p>Multi-tenancy bugs are silent data leaks. Automated tests are mandatory.</p> <h3> Permission hierarchy test: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'respects priority: revoked &gt; granted &gt; role'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">assignRole</span><span class="p">(</span><span class="nv">$managerRole</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="c1">// Manager has orders.view from role</span> <span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">revokePermissionFrom</span><span class="p">(</span><span class="nv">$ordersView</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="c1">// Manager doesn't have warehouse.delete</span> <span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">givePermissionTo</span><span class="p">(</span><span class="nv">$warehouseDelete</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="s1">'orders.view'</span><span class="p">,</span> <span class="nv">$company</span><span class="p">))</span><span class="o">-&gt;</span><span class="nf">toBeFalse</span><span class="p">()</span> <span class="o">-&gt;</span><span class="k">and</span><span class="p">(</span><span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">hasPermissionTo</span><span class="p">(</span><span class="s1">'warehouse.delete'</span><span class="p">,</span> <span class="nv">$company</span><span class="p">))</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Cross-company isolation: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'denies updating role from different company'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$roleFromCompany2</span> <span class="o">=</span> <span class="nc">Role</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$company2</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="p">]);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$ownerOfCompany1</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Gate</span><span class="o">::</span><span class="nf">denies</span><span class="p">(</span><span class="s1">'roles.update'</span><span class="p">,</span> <span class="nv">$roleFromCompany2</span><span class="p">))</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Menu visibility: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'employee with orders permission sees only orders'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$employee</span><span class="o">-&gt;</span><span class="nf">givePermissionTo</span><span class="p">(</span><span class="nv">$ordersPermission</span><span class="p">,</span> <span class="nv">$company</span><span class="p">);</span> <span class="nv">$menu</span> <span class="o">=</span> <span class="nv">$service</span><span class="o">-&gt;</span><span class="nf">getNav</span><span class="p">(</span><span class="s1">'upLevel'</span><span class="p">);</span> <span class="nv">$labels</span> <span class="o">=</span> <span class="nf">collect</span><span class="p">(</span><span class="nv">$menu</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'linkName'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toArray</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$labels</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">toContain</span><span class="p">(</span><span class="s1">'Orders'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toContain</span><span class="p">(</span><span class="s1">'Production'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toContain</span><span class="p">(</span><span class="s1">'Warehouse'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toContain</span><span class="p">(</span><span class="s1">'My company'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Owner-only routes: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'employee cannot access company settings page'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withCookie</span><span class="p">(</span><span class="nv">$cookieName</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'my_company.company_settings'</span><span class="p">));</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertSessionHas</span><span class="p">(</span><span class="s1">'message-disappear-error'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Total test coverage:</strong> 19 test files covering permission hierarchy, cross-company isolation, Gate authorization, menu visibility, middleware chain, owner-only routes, role CRUD, employee management, and edge cases (no company, expired trial, banned owner, unverified email).</p> <h2> Database Schema </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>companies id, name, created_by_id, trial_ends_at, subscription_ends_at company_user user_id, company_id, is_owner, is_deleted, default_route roles id, name, slug, company_id, is_global, is_template, is_custom permissions id, name, slug, module role_permissions role_id, permission_id user_roles user_id, role_id, company_id, assigned_by_id user_permissions user_id, permission_id, company_id, is_revoked, granted_by_id </code></pre> </div> <h2> Why Not Spatie? </h2> <p>Spatie Permission is great for simpler setups. But it doesn't handle:</p> <ul> <li>Company-scoped roles (same role slug, different permissions per company)</li> <li>Permission overrides (revoke/grant individual permissions that override roles)</li> <li>Role templates that clone on company creation</li> <li>The 'is_revoked' pattern for granular control</li> <li>Config-driven permission registration with artisan sync</li> </ul> <p>LaraFoundry's system is purpose-built for multi-tenant SaaS where company owners manage their own teams.</p> <h2> What's Next </h2> <p>All of this is extracted from Kohana.io, where it runs in production handling real companies with real employees.</p> <p>Star the repo or join the waitlist: <strong><a href="https://larafoundry.com/" rel="noopener noreferrer">larafoundry.com</a></strong></p> <p><em>This is part of a series where I'm building LaraFoundry in public. Previously: <a href="https://dev.to/d_isaenko_dev/building-a-production-grade-registration-module-for-laravel-saas-the-complete-breakdown-53il">Registration Module</a>, <a href="https://dev.to/d_isaenko_dev/i-built-6-authentication-methods-for-my-laravel-saas-heres-the-full-architecture-25jp">Authentication Module</a>.</em></p> laravel php sass multitenancy I Built 6 Authentication Methods for My Laravel SaaS - Here's the Full Architecture Dmitry Isaenko Mon, 09 Mar 2026 08:15:12 +0000 https://dev.to/d_isaenko_dev/i-built-6-authentication-methods-for-my-laravel-saas-heres-the-full-architecture-25jp https://dev.to/d_isaenko_dev/i-built-6-authentication-methods-for-my-laravel-saas-heres-the-full-architecture-25jp <p>Every SaaS project starts with authentication. And every time, developers face the same choice: use a starter kit and outgrow it in a month, or build from scratch and spend weeks on something that isn't your core product.</p> <p>I've been building <strong>Kohana.io</strong> - a SaaS CRM/ERP for small businesses - and I got tired of this cycle. So I built a comprehensive authentication module that handles everything from basic email login to QR code authentication and real-time admin security alerts.</p> <p>Now I'm extracting it into <strong>LaraFoundry</strong> - an open-source SaaS framework for Laravel - so nobody has to build this again.</p> <p>Here's how it all works.</p> <h2> The Authentication Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td>Email/Password</td> <td>Standard login with rate limiting</td> </tr> <tr> <td>OAuth (Google, Facebook, Twitter)</td> <td>One-click social login</td> </tr> <tr> <td>QR Code</td> <td>Cross-device login (scan from phone)</td> </tr> <tr> <td>PIN Code</td> <td>Session lock for shared workstations</td> </tr> <tr> <td>2FA (TOTP)</td> <td>Admin account protection</td> </tr> <tr> <td>IP Whitelisting</td> <td>Admin access restriction</td> </tr> </tbody> </table></div> <p><strong>Tech stack:</strong> Laravel 12, Inertia.js v2, Vue 3, Custom SCSS</p> <p><strong>Key packages:</strong> Laravel Socialite v5, PragmaRX Google2FA, SimpleSoftwareIO QrCode, Jenssegers Agent</p> <h2> 1. Email/Password Authentication </h2> <p>The foundation. But with important production-grade additions.</p> <h3> Rate Limiting </h3> <p>Login attempts are limited to 5 per email+IP combination:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// LoginRequest.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">ensureIsNotRateLimited</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nc">RateLimiter</span><span class="o">::</span><span class="nf">tooManyAttempts</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">throttleKey</span><span class="p">(),</span> <span class="mi">5</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nf">event</span><span class="p">(</span><span class="k">new</span> <span class="nc">Lockout</span><span class="p">(</span><span class="nv">$this</span><span class="p">));</span> <span class="nv">$seconds</span> <span class="o">=</span> <span class="nc">RateLimiter</span><span class="o">::</span><span class="nf">availableIn</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">throttleKey</span><span class="p">());</span> <span class="k">throw</span> <span class="nc">ValidationException</span><span class="o">::</span><span class="nf">withMessages</span><span class="p">([</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nf">trans</span><span class="p">(</span><span class="s1">'auth.throttle'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'seconds'</span> <span class="o">=&gt;</span> <span class="nv">$seconds</span><span class="p">,</span> <span class="s1">'minutes'</span> <span class="o">=&gt;</span> <span class="nb">ceil</span><span class="p">(</span><span class="nv">$seconds</span> <span class="o">/</span> <span class="mi">60</span><span class="p">),</span> <span class="p">]),</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">throttleKey</span><span class="p">():</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">transliterate</span><span class="p">(</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">lower</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'email'</span><span class="p">))</span> <span class="mf">.</span> <span class="s1">'|'</span> <span class="mf">.</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">()</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Session Tracking </h3> <p>Every successful login creates a detailed session record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userSessions</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">(),</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">getClientIp</span><span class="p">(),</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'pin_locked'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'user_device_type'</span> <span class="o">=&gt;</span> <span class="k">self</span><span class="o">::</span><span class="nf">getUserDeviceType</span><span class="p">(),</span> <span class="s1">'user_device_name'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">device</span><span class="p">(),</span> <span class="s1">'user_os'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">platform</span><span class="p">(),</span> <span class="s1">'user_browser'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">browser</span><span class="p">(),</span> <span class="p">]);</span> </code></pre> </div> <p>This gives users a "Active Sessions" view where they can see all their logged-in devices and clear the ones they don't recognize - similar to what Google and GitHub offer.</p> <h3> Remember Me </h3> <p>Works for both email and OAuth login. For OAuth, the remember me preference is stored in the session before the redirect and applied after the callback:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Before OAuth redirect</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">boolean</span><span class="p">(</span><span class="s1">'oauth_remeber_me'</span><span class="p">))</span> <span class="p">{</span> <span class="nf">session</span><span class="p">([</span><span class="s1">'oauth_remember_me'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">]);</span> <span class="p">}</span> <span class="c1">// After OAuth callback</span> <span class="nv">$remember</span> <span class="o">=</span> <span class="nf">session</span><span class="p">(</span><span class="s1">'oauth_remember_me'</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">login</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$remember</span><span class="p">);</span> </code></pre> </div> <h2> 2. OAuth Authentication </h2> <p>Three providers out of the box: Google, Facebook, and Twitter. Powered by Laravel Socialite v5.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">callback</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$provider</span><span class="p">,</span> <span class="kt">UserLogoService</span> <span class="nv">$userLogo</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$provider</span><span class="p">,</span> <span class="p">[</span><span class="s1">'google'</span><span class="p">,</span> <span class="s1">'facebook'</span><span class="p">,</span> <span class="s1">'twitter'</span><span class="p">]))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'guest_index'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">with</span><span class="p">(</span><span class="s1">'message-error'</span><span class="p">,</span> <span class="s1">'Invalid OAuth provider'</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$socialUser</span> <span class="o">=</span> <span class="nc">Socialite</span><span class="o">::</span><span class="nf">driver</span><span class="p">(</span><span class="nv">$provider</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">updateOrCreate</span><span class="p">(</span> <span class="p">[</span><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">],</span> <span class="p">[</span> <span class="s1">'provider_id'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'provider_name'</span> <span class="o">=&gt;</span> <span class="nv">$provider</span><span class="p">,</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'email_verified_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="c1">// OAuth = auto-verified</span> <span class="s1">'provider_token'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">,</span> <span class="s1">'provider_refresh_token'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">refreshToken</span><span class="p">,</span> <span class="s1">'last_login_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'last_activity_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]</span> <span class="p">);</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">login</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$remember</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key design decisions:</strong></p> <ul> <li> <strong>Email as the unique identifier</strong> - if a user registers via email and later logs in with Google using the same email, the account is linked automatically</li> <li> <strong>OAuth emails are auto-verified</strong> - no need to send a verification email when Google already confirmed it</li> <li> <strong>Provider tokens are stored</strong> - useful for future integrations (e.g., importing contacts from Google)</li> <li> <strong>Login method is tracked per session</strong> - so the "Active Sessions" view shows whether the user logged in natively or via OAuth</li> </ul> <h2> 3. QR Code Authentication </h2> <p>This is the feature I'm most proud of. It works like WhatsApp Web: scan a QR code from your already-authenticated phone to log in on desktop.</p> <h3> The Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────┐ ┌──────────────┐ ┌──────────────────┐ │ Desktop Browser │ │ Server │ │ Mobile (Auth'd) │ │ (Guest) │ │ │ │ │ ├──────────────────┤ ├──────────────┤ ├──────────────────┤ │ 1. Request QR │───────&gt;│ 2. Generate │ │ │ │ │&lt;───────│ UUID + │ │ │ │ 3. Display QR │ │ SignIn │ │ │ │ │ │ Request │ │ │ │ 4. Poll every 3s │───────&gt;│ │ │ │ │ │ │ │&lt;───────│ 5. Scan QR code │ │ │ │ 6. Verify + │───────&gt;│ 7. Show "Success"│ │ │ │ Approve │ │ │ │ 8. Poll detects │&lt;───────│ │ │ │ │ approval │ │ │ │ │ │ 9. Auto-login │ │ │ │ │ └──────────────────┘ └──────────────┘ └──────────────────┘ </code></pre> </div> <h3> Token Generation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">codeGenerate</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nc">Uuid</span><span class="o">::</span><span class="nf">uuid4</span><span class="p">();</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">put</span><span class="p">(</span><span class="s1">'token'</span><span class="p">,</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">encrypt</span><span class="p">(</span><span class="nv">$token</span><span class="p">));</span> <span class="nv">$signInRequest</span> <span class="o">=</span> <span class="nc">SignInRequest</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'token'</span> <span class="o">=&gt;</span> <span class="nv">$token</span><span class="p">,</span> <span class="s1">'expires_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addMinutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">(),</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="p">]);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">put</span><span class="p">(</span><span class="s1">'signInId'</span><span class="p">,</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">encrypt</span><span class="p">(</span><span class="nv">$signInRequest</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">));</span> <span class="nv">$qrCodeUrl</span> <span class="o">=</span> <span class="nf">route</span><span class="p">(</span><span class="s1">'qr.verifyLogin'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">encrypt</span><span class="p">(</span><span class="nv">$signInRequest</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">),</span> <span class="s1">'token'</span> <span class="o">=&gt;</span> <span class="nv">$token</span><span class="p">,</span> <span class="p">]);</span> <span class="nv">$qrCode</span> <span class="o">=</span> <span class="nb">base64_encode</span><span class="p">(</span> <span class="nc">QrCode</span><span class="o">::</span><span class="nf">size</span><span class="p">(</span><span class="mi">400</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'svg'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">generate</span><span class="p">(</span><span class="nv">$qrCodeUrl</span><span class="p">)</span> <span class="p">);</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'qrCode'</span> <span class="o">=&gt;</span> <span class="nv">$qrCode</span><span class="p">,</span> <span class="s1">'activeUntil'</span> <span class="o">=&gt;</span> <span class="nv">$signInRequest</span><span class="o">-&gt;</span><span class="n">expires_at</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <h3> Approval from Authenticated Device </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">verifyLogin</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$id</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$token</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Admins cannot approve QR logins (security)</span> <span class="k">if</span> <span class="p">(</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">is_admin</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'error'</span> <span class="o">=&gt;</span> <span class="s1">'Admin QR login is forbidden.'</span> <span class="p">],</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$signInRequest</span> <span class="o">=</span> <span class="nc">SignInRequest</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'expires_at'</span><span class="p">,</span> <span class="s1">'&gt;'</span><span class="p">,</span> <span class="nf">now</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">decrypt</span><span class="p">(</span><span class="nv">$id</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'token'</span><span class="p">,</span> <span class="nv">$token</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$signInRequest</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'error'</span> <span class="o">=&gt;</span> <span class="s1">'Code incorrect!'</span><span class="p">],</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$signInRequest</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">id</span><span class="p">(),</span> <span class="s1">'approved'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'approved_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'approved_ip'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">(),</span> <span class="s1">'approved_user_agent'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="p">]);</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Code recognized'</span><span class="p">],</span> <span class="mi">200</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Browser Polling </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">pollLogin</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$signInRequest</span> <span class="o">=</span> <span class="nc">SignInRequest</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">decrypt</span><span class="p">(</span><span class="nf">session</span><span class="p">(</span><span class="s1">'signInId'</span><span class="p">)))</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'token'</span><span class="p">,</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">decrypt</span><span class="p">(</span><span class="nf">session</span><span class="p">(</span><span class="s1">'token'</span><span class="p">)))</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'expires_at'</span><span class="p">,</span> <span class="s1">'&gt;'</span><span class="p">,</span> <span class="nf">now</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$signInRequest</span> <span class="o">&amp;&amp;</span> <span class="nv">$signInRequest</span><span class="o">-&gt;</span><span class="n">approved</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">login</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="nf">find</span><span class="p">(</span><span class="nv">$signInRequest</span><span class="o">-&gt;</span><span class="n">user_id</span><span class="p">));</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">regenerate</span><span class="p">();</span> <span class="c1">// Create session record...</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'result'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">]);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'result'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Security measures:</strong></p> <ul> <li>Tokens expire in 5 minutes</li> <li>Request IDs are encrypted - never exposed in URLs raw</li> <li>Admins cannot approve QR logins (prevents privilege escalation)</li> <li>Both requesting and approving devices are fingerprinted</li> <li>Session is regenerated after login</li> </ul> <h2> 4. PIN Code Screen Lock </h2> <p>This feature was born from a real need. In Kohana.io, warehouse workers and sales managers often use shared computers. Logging out and back in every break is painful. Session timeout destroys unsaved work.</p> <h3> How It Works </h3> <p>Users enable a 4-digit PIN from their profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">enable</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">validate</span><span class="p">([</span><span class="s1">'pin'</span> <span class="o">=&gt;</span> <span class="s1">'required|digits:4'</span><span class="p">]);</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'pin_code'</span> <span class="o">=&gt;</span> <span class="nf">bcrypt</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="n">pin</span><span class="p">)</span> <span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>The <code>CheckPinLockMiddleware</code> runs on every request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$user</span> <span class="o">||</span> <span class="o">!</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">pin_code</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$session</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">userSessions</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="c1">// Already locked in DB?</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$session</span> <span class="o">&amp;&amp;</span> <span class="nv">$session</span><span class="o">-&gt;</span><span class="n">pin_locked</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'pin.enter'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Inactivity timeout check</span> <span class="nv">$timeout</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'security.pin_lock_timeout'</span><span class="p">,</span> <span class="mi">1800</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$session</span> <span class="o">&amp;&amp;</span> <span class="nv">$session</span><span class="o">-&gt;</span><span class="n">last_activity</span> <span class="o">-&gt;</span><span class="nf">diffInSeconds</span><span class="p">(</span><span class="nf">now</span><span class="p">())</span> <span class="o">&gt;</span> <span class="nv">$timeout</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$session</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'pin_locked'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">]);</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'pin.enter'</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$session</span><span class="o">?-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Why This Is Better Than Session Timeout </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Session Timeout</th> <th>PIN Lock</th> </tr> </thead> <tbody> <tr> <td>Unlock speed</td> <td>Full password + possible 2FA</td> <td>4 digits</td> </tr> <tr> <td>Session data</td> <td>Lost</td> <td>Preserved</td> </tr> <tr> <td>Unsaved work</td> <td>Gone</td> <td>Safe</td> </tr> <tr> <td>Per-device control</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Bypass via background requests</td> <td>Easy</td> <td>Impossible (DB-persisted)</td> </tr> </tbody> </table></div> <p>The lock state is stored in the database, not the session. This means background API calls or WebSocket connections can't accidentally reset the inactivity timer.</p> <h2> 5. Admin Security - The 3-Layer System </h2> <h3> Layer 1: IP Whitelisting </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">checkAdminByIP</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">empty</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_ips'</span><span class="p">)))</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$allowedIps</span> <span class="o">=</span> <span class="nb">explode</span><span class="p">(</span><span class="s1">','</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_ips'</span><span class="p">));</span> <span class="k">return</span> <span class="nb">in_array</span><span class="p">(</span><span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">(),</span> <span class="nv">$allowedIps</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Wrong IP? Instant force-logout. No error page. The <code>GetVisitorStatusAction</code> returns <code>'forcelogout'</code> and the controller handles it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">if</span> <span class="p">((</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">getVisitorStatus</span><span class="p">)()</span> <span class="o">===</span> <span class="s1">'forcelogout'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">app</span><span class="p">(</span><span class="nc">AuthenticatedSessionController</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">destroy</span><span class="p">(</span><span class="nf">request</span><span class="p">());</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 2: Google Authenticator 2FA </h3> <p>After successful email+password login, admins see a 2FA screen. The <code>Require2FA</code> middleware enforces this on all admin routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">getVisitorStatus</span><span class="p">)()</span> <span class="o">===</span> <span class="s1">'admin'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">session</span><span class="p">(</span><span class="s1">'2fa_verified'</span><span class="p">))</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">routeIs</span><span class="p">(</span><span class="s1">'admin.2fa.*'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">location</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'admin.2fa.show'</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 3: Real-Time Notifications </h3> <p>Every failed admin login attempt triggers an email AND Telegram notification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">notifyAdminOnLoginFail</span><span class="p">(</span><span class="nv">$step</span> <span class="o">=</span> <span class="s1">'During login input'</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Notification</span><span class="o">::</span><span class="nf">route</span><span class="p">(</span><span class="s1">'mail'</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.admin_email'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'telegram'</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.telegram_chat_id'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">notify</span><span class="p">(</span><span class="k">new</span> <span class="nc">AdminLoginAttemptNotification</span><span class="p">(</span><span class="nv">$step</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>The notification includes: IP + geolocation, device fingerprint, user agent, and which step failed (login, 2FA, or IP).</p> <p><strong>Trigger points:</strong></p> <ol> <li>Wrong password with admin email</li> <li>Wrong 2FA code</li> <li>Correct credentials but unauthorized IP</li> </ol> <h2> 6. The Visitor Status System </h2> <p>The <code>GetVisitorStatusAction</code> is the central piece that ties everything together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">__invoke</span><span class="p">():</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">check</span><span class="p">())</span> <span class="k">return</span> <span class="s1">'guest'</span><span class="p">;</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nf">auth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">is_admin</span> <span class="o">&amp;&amp;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkAdminByEmail</span><span class="p">())</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">checkAdminByIP</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'admin'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nc">AdminHelper</span><span class="o">::</span><span class="nf">notifyAdminOnLoginFail</span><span class="p">(</span><span class="s1">'IPs denied'</span><span class="p">);</span> <span class="k">return</span> <span class="s1">'forcelogout'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">user_blocked_at</span><span class="p">)</span> <span class="k">return</span> <span class="s1">'authBlocked'</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">user_deleted_at</span><span class="p">)</span> <span class="k">return</span> <span class="s1">'authDeleted'</span><span class="p">;</span> <span class="k">return</span> <span class="s1">'auth'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Six possible states. Used in middleware, controllers, and frontend via Inertia shared data. Every component in the system knows exactly who the current user is and what they can do.</p> <h2> Route Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Guest routes</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'guest'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'register'</span><span class="p">,</span> <span class="p">[</span><span class="nc">RegisteredUserController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'store'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'login'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthenticatedSessionController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'store'</span><span class="p">]);</span> <span class="c1">// OAuth</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">controller</span><span class="p">(</span><span class="nc">OAuthLoginController</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'oauth'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'oauth.'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'{provider}/callback'</span><span class="p">,</span> <span class="s1">'callback'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'{provider}'</span><span class="p">,</span> <span class="s1">'redirect'</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Password reset</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">controller</span><span class="p">(</span><span class="nc">ResetPasswordController</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'password'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'password.'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'forgot-password'</span><span class="p">,</span> <span class="s1">'sendEmail'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'reset-password/{token}'</span><span class="p">,</span> <span class="s1">'resetForm'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'reset-password'</span><span class="p">,</span> <span class="s1">'resetHandler'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// QR Code (mixed middleware)</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">controller</span><span class="p">(</span><span class="nc">LoginWithQrCode</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'qr'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'qr.'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'code-generate'</span><span class="p">,</span> <span class="s1">'codeGenerate'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'guest'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'poll-login'</span><span class="p">,</span> <span class="s1">'pollLogin'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'guest'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'verify/{id}/{token}'</span><span class="p">,</span> <span class="s1">'verifyLogin'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">([</span><span class="s1">'auth'</span><span class="p">,</span> <span class="s1">'prevent.nonadmin.routes'</span><span class="p">]);</span> <span class="p">});</span> <span class="c1">// Authenticated routes</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">middleware</span><span class="p">([</span><span class="s1">'auth'</span><span class="p">])</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Email verification</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">controller</span><span class="p">(</span><span class="nc">EmailVerificationController</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'prevent.nonadmin.routes'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'email'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'verification.'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'verify-email'</span><span class="p">,</span> <span class="s1">'notice'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'verify-email/{id}/{hash}'</span><span class="p">,</span> <span class="s1">'verify'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">([</span><span class="s1">'signed'</span><span class="p">,</span> <span class="s1">'throttle:6,1'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'email/verification-notification'</span><span class="p">,</span> <span class="s1">'send'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'throttle:6,1'</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// PIN code</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">controller</span><span class="p">(</span><span class="nc">PinController</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'pin'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'pin.'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/'</span><span class="p">,</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">inertia</span><span class="p">(</span><span class="s1">'auth/EnterPin'</span><span class="p">));</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'check'</span><span class="p">,</span> <span class="s1">'check'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'enable'</span><span class="p">,</span> <span class="s1">'enable'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'disable'</span><span class="p">,</span> <span class="s1">'disable'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'lock'</span><span class="p">,</span> <span class="s1">'lock'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Admin routes (2FA + IP protected)</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">middleware</span><span class="p">([</span><span class="nc">AdminAccess</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'2fa'</span><span class="p">])</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'admin/2fa'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'admin.2fa.'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">controller</span><span class="p">(</span><span class="nc">TwoFactorController</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/'</span><span class="p">,</span> <span class="s1">'show'</span><span class="p">);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'/'</span><span class="p">,</span> <span class="s1">'verify'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> 7. Testing - Proof It All Works </h2> <p>Authentication is the front door to your SaaS. If it breaks, nobody gets in. If it has a hole, everyone gets in. Automated tests are non-negotiable.</p> <h3> PIN lock testing: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'persists pin_locked=true to DB when auto-lock fires due to inactivity'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'pin_code'</span> <span class="o">=&gt;</span> <span class="nf">bcrypt</span><span class="p">(</span><span class="s1">'1234'</span><span class="p">)]);</span> <span class="nv">$sessionId</span> <span class="o">=</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subMinutes</span><span class="p">(</span><span class="mi">31</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">utc</span><span class="p">()]);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withCookie</span><span class="p">(</span><span class="nv">$cookieName</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">));</span> <span class="nv">$session</span> <span class="o">=</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="nf">expect</span><span class="p">((</span><span class="n">bool</span><span class="p">)</span> <span class="nv">$session</span><span class="o">-&gt;</span><span class="n">pin_locked</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'keeps lock active when last_activity is reset while pin_locked=true'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// This test caught a real bug:</span> <span class="c1">// a background AJAX request was resetting last_activity,</span> <span class="c1">// which accidentally unlocked PIN-locked screens</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'pin_locked'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subMinutes</span><span class="p">(</span><span class="mi">31</span><span class="p">)]);</span> <span class="c1">// Background request resets last_activity</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withCookie</span><span class="p">(</span><span class="nv">$cookieName</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">));</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'pin.enter'</span><span class="p">));</span> <span class="c1">// still locked!</span> <span class="p">});</span> </code></pre> </div> <h3> Ban system testing: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'blocks banned user from accessing main routes'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withCookie</span><span class="p">(</span><span class="nv">$cookieName</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">));</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'user.blocked'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'allows banned user to access tickets (support)'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withCookie</span><span class="p">(</span><span class="nv">$cookieName</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'tickets.index'</span><span class="p">));</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertSuccessful</span><span class="p">();</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'blocks entire company when owner is banned'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// When the owner gets banned, ALL employees in that company lose access</span> <span class="p">});</span> </code></pre> </div> <h3> Blocked user page: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'blocked user can view user.blocked page'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'user_blocked_status'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span> <span class="p">]);</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertInertia</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$page</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$page</span> <span class="o">-&gt;</span><span class="nf">component</span><span class="p">(</span><span class="s1">'auth/UserBlocked'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'blockReason'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'blockDate'</span><span class="p">)</span> <span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'redirects previously blocked user after unblocking'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">user</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'user_blocked_at'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">]);</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="c1">// goes to first allowed route</span> <span class="p">});</span> </code></pre> </div> <h3> What the test suite covers: </h3> <ul> <li>Login/logout flow (valid + invalid credentials)</li> <li>PIN auto-lock (inactivity timeout, DB persistence, correct/wrong PIN, edge cases)</li> <li>PIN manual lock (lock, unlock, wrong PIN)</li> <li>User ban (blocking, allowed routes, support ticket access, logout)</li> <li>Company owner ban (cascade to all employees)</li> <li>Session management (isolation, ordering by last_activity)</li> <li>Blocked user page (display, unblock redirect)</li> <li>CheckAccess middleware priority (user ban &gt; owner ban &gt; payment check)</li> <li>Email verification (valid hash, invalid hash, signed URLs)</li> </ul> <h2> What's Next </h2> <p>This authentication module ships with LaraFoundry out of the box. No configuration beyond your <code>.env</code> file.</p> <p>Coming up next in the LaraFoundry series:</p> <ul> <li> <strong>Roles &amp; Permissions</strong> - Spatie + custom gates</li> <li> <strong>Team Management</strong> - multi-company, invitations, member roles</li> <li> <strong>Subscription Billing</strong> - Stripe integration</li> </ul> <p>Star the repo on GitHub or join the waitlist at <strong>larafoundry.com</strong> to get notified.</p> <p><em>LaraFoundry is being extracted from Kohana.io - a production SaaS CRM/ERP. Every feature described in this article is running in production today.</em></p> <h1> larafoundry #laravel #php #saas #authentication #webdev #security #opensource </h1> laravel php saas authentication Building a Production-Grade Registration Module for Laravel SaaS - The Complete Breakdown Dmitry Isaenko Mon, 02 Mar 2026 09:32:01 +0000 https://dev.to/d_isaenko_dev/building-a-production-grade-registration-module-for-laravel-saas-the-complete-breakdown-53il https://dev.to/d_isaenko_dev/building-a-production-grade-registration-module-for-laravel-saas-the-complete-breakdown-53il <h2> The Problem </h2> <p>Every SaaS project starts the same way. You scaffold authentication, wire up OAuth, handle email verification, build avatar logic, and set up session tracking. Then you do it all over again for your next project.</p> <p>After my fourth SaaS project in three years, I decided to stop copy-pasting and start extracting.</p> <p><strong>LaraFoundry</strong> is a modular SaaS engine I'm building in public - extracted from <a href="https://kohana.io" rel="noopener noreferrer">Kohana.io</a>, a production CRM/ERP system. Every module is battle-tested with real users before it's packaged.</p> <p>This article is a complete technical breakdown of the first module: <strong>Registration</strong>.</p> <h2> What's Inside </h2> <p>The Registration module isn't just "create user + hash password." Here's what it handles:</p> <ol> <li> <strong>Multi-provider authentication</strong> - Form + OAuth2 (Google, Facebook, Twitter)</li> <li> <strong>Smart avatar system</strong> - Gravatar detection with generated fallback</li> <li> <strong>Session &amp; device tracking</strong> - Full device fingerprinting on every login</li> <li> <strong>Auth event logging</strong> - 7 events logged automatically from Day 1</li> <li> <strong>Team onboarding</strong> - Company invitation with auto-acceptance</li> </ol> <p>Let's dive into each one.</p> <h2> 1. Multi-Provider Authentication </h2> <h3> Form Registration </h3> <p>The traditional path. User submits name, email, password - standard Laravel validation with a configurable password minimum.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// RegisteredUserController.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">store</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">UserLogoService</span> <span class="nv">$userLogo</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$credentials</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">validate</span><span class="p">([</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'required|string|max:255'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'required|string|lowercase|email|max:255|unique:'</span> <span class="mf">.</span> <span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'password'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'confirmed'</span><span class="p">,</span> <span class="s1">'min:'</span> <span class="mf">.</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.minmal_password_lenght'</span><span class="p">)],</span> <span class="p">]);</span> <span class="nv">$credentials</span><span class="p">[</span><span class="s1">'avatar'</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$userLogo</span><span class="o">-&gt;</span><span class="nf">assignDefaultUserLogo</span><span class="p">(</span><span class="nv">$credentials</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nv">$credentials</span><span class="p">[</span><span class="s1">'last_login_at'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">now</span><span class="p">();</span> <span class="nv">$credentials</span><span class="p">[</span><span class="s1">'last_activity_at'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">now</span><span class="p">();</span> <span class="nv">$credentials</span><span class="p">[</span><span class="s1">'locale'</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Session</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.locale'</span><span class="p">,</span> <span class="s1">'en'</span><span class="p">));</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">create</span><span class="p">(</span><span class="nv">$credentials</span><span class="p">);</span> <span class="nf">event</span><span class="p">(</span><span class="k">new</span> <span class="nc">Registered</span><span class="p">(</span><span class="nv">$user</span><span class="p">));</span> <span class="c1">// Email verification</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">notify</span><span class="p">(</span><span class="k">new</span> <span class="nc">WelcomeEmailNotification</span><span class="p">);</span> <span class="c1">// Queued welcome email</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">login</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="k">return</span> <span class="nc">Inertia</span><span class="o">::</span><span class="nf">location</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Notice what happens in a single request:</p> <ul> <li>User created with auto-generated avatar</li> <li> <code>Registered</code> event fires (triggers email verification)</li> <li>Welcome email queued (non-blocking)</li> <li>User logged in immediately</li> <li>Session recorded with device info</li> </ul> <h3> OAuth2 Flow </h3> <p>LaraFoundry supports Google, Facebook, and Twitter via Laravel Socialite. The callback handler does everything in one request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// OAuthLoginController.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">callback</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$provider</span><span class="p">,</span> <span class="kt">UserLogoService</span> <span class="nv">$userLogo</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$socialUser</span> <span class="o">=</span> <span class="nc">Socialite</span><span class="o">::</span><span class="nf">driver</span><span class="p">(</span><span class="nv">$provider</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">updateOrCreate</span><span class="p">(</span> <span class="p">[</span><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">],</span> <span class="p">[</span> <span class="s1">'provider_id'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'provider_name'</span> <span class="o">=&gt;</span> <span class="nv">$provider</span><span class="p">,</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'email_verified_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="c1">// OAuth = pre-verified</span> <span class="s1">'provider_token'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">token</span><span class="p">,</span> <span class="s1">'provider_refresh_token'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">refreshToken</span><span class="p">,</span> <span class="s1">'avatar'</span> <span class="o">=&gt;</span> <span class="nv">$userLogo</span><span class="o">-&gt;</span><span class="nf">assignDefaultUserLogo</span><span class="p">([</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$socialUser</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">,</span> <span class="p">],</span> <span class="kc">true</span><span class="p">),</span> <span class="s1">'last_login_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'locale'</span> <span class="o">=&gt;</span> <span class="nc">Session</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'locale'</span><span class="p">,</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.locale'</span><span class="p">,</span> <span class="s1">'en'</span><span class="p">)),</span> <span class="p">]</span> <span class="p">);</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">login</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nf">session</span><span class="p">(</span><span class="s1">'oauth_remember_me'</span><span class="p">,</span> <span class="kc">false</span><span class="p">));</span> <span class="c1">// Record session with device fingerprint</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">userSessions</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">(),</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getClientIp</span><span class="p">(),</span> <span class="s1">'login_method'</span> <span class="o">=&gt;</span> <span class="nv">$provider</span><span class="p">,</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'user_device_type'</span> <span class="o">=&gt;</span> <span class="k">self</span><span class="o">::</span><span class="nf">getUserDeviceType</span><span class="p">(),</span> <span class="s1">'user_device_name'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">device</span><span class="p">(),</span> <span class="s1">'user_os'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">platform</span><span class="p">(),</span> <span class="s1">'user_browser'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">browser</span><span class="p">(),</span> <span class="p">]);</span> <span class="c1">// Auto-accept team invitation if token exists</span> <span class="k">if</span> <span class="p">(</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="s1">'invitation_token'</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">acceptInvitation</span><span class="p">(</span><span class="nf">session</span><span class="p">(</span><span class="s1">'invitation_token'</span><span class="p">),</span> <span class="nv">$user</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'home'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Key design decisions:</p> <ul> <li> <strong><code>updateOrCreate</code> on email</strong> - If the user already exists (registered via form), their account is linked to the OAuth provider. No duplicate accounts.</li> <li> <strong><code>email_verified_at = now()</code></strong> - OAuth providers have already verified the email. Skip the verification step.</li> <li> <strong>Invitation token in session</strong> - Since OAuth redirects leave the page, the invitation token is stored in the session before the redirect and retrieved in the callback.</li> </ul> <h3> Frontend (Vue 3 + Inertia v2) </h3> <p>The registration form is a modal component using Inertia's <code>useForm</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="c">&lt;!-- AppGuestRegisterModalLayout.vue --&gt;</span> <span class="nt">&lt;</span><span class="k">script</span> <span class="na">setup</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useForm</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@inertiajs/vue3</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nf">useForm</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">invitation</span><span class="p">?.</span><span class="nx">email</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">password_confirmation</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">invitation_token</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">invitation</span><span class="p">?.</span><span class="nx">token</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">submit</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">form</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">register</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">onSuccess</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">form</span><span class="p">.</span><span class="nf">reset</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">password_confirmation</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="p">};</span> <span class="nt">&lt;/</span><span class="k">script</span><span class="nt">&gt;</span> </code></pre> </div> <p>OAuth buttons redirect to <code>/oauth/{provider}</code> with optional parameters for remember-me and invitation tokens.</p> <h2> 2. Smart Avatar System </h2> <p>This is one of those "small details, big impact" features.</p> <h3> The Problem </h3> <p>When a user signs up, what do you show as their avatar? A grey circle? A generic silhouette? That screams "unfinished product."</p> <h3> The Solution: UserLogoService </h3> <p>LaraFoundry uses a 2-layer avatar pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User registers ↓ Check Gravatar (creativeorange/gravatar) ↓ Found? → Download → Resize to 128px → Save as JPEG ↓ No Generate initials avatar (laravolt/avatar) → 15 curated colors → Bold typography (OpenSans/Rockwell) → Deterministic (same name = same color) ↓ Save to date-organized storage (user-logos/2026/02/{uuid}.jpg) </code></pre> </div> <p>Here's the actual service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// UserLogoService.php</span> <span class="kd">class</span> <span class="nc">UserLogoService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">assignDefaultUserLogo</span><span class="p">(</span><span class="nv">$userDataArray</span><span class="p">,</span> <span class="nv">$useGravatar</span> <span class="o">=</span> <span class="kc">false</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$userLogoName</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Step 1: Try Gravatar</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$useGravatar</span> <span class="o">&amp;&amp;</span> <span class="k">self</span><span class="o">::</span><span class="nf">isGravatarExists</span><span class="p">(</span><span class="nv">$userDataArray</span><span class="p">[</span><span class="s1">'email'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$userLogoName</span> <span class="o">=</span> <span class="k">self</span><span class="o">::</span><span class="nf">getAndStorageGravatar</span><span class="p">(</span><span class="nv">$userDataArray</span><span class="p">[</span><span class="s1">'email'</span><span class="p">]);</span> <span class="p">}</span> <span class="c1">// Step 2: Fallback to generated avatar</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$useGravatar</span> <span class="o">||</span> <span class="nv">$userLogoName</span> <span class="o">===</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$paths</span> <span class="o">=</span> <span class="k">self</span><span class="o">::</span><span class="nf">userLogoPathPrepear</span><span class="p">();</span> <span class="nv">$avatar</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Avatar</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'laravolt.avatar'</span><span class="p">));</span> <span class="nv">$avatar</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">(</span><span class="nv">$userDataArray</span><span class="p">[</span><span class="s1">'name'</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">save</span><span class="p">(</span><span class="nv">$fullPath</span> <span class="mf">.</span> <span class="s1">'/'</span> <span class="mf">.</span> <span class="nv">$paths</span><span class="p">[</span><span class="s1">'uniqJpegFileName'</span><span class="p">],</span> <span class="mi">100</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$paths</span><span class="p">[</span><span class="s1">'subfolder'</span><span class="p">]</span> <span class="mf">.</span> <span class="s1">'/'</span> <span class="mf">.</span> <span class="nv">$paths</span><span class="p">[</span><span class="s1">'uniqJpegFileName'</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$userLogoName</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">isGravatarExists</span><span class="p">(</span><span class="nv">$email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Gravatar</span><span class="o">::</span><span class="nf">exists</span><span class="p">(</span><span class="nv">$email</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">resizeAndSaveImage</span><span class="p">(</span><span class="nv">$image</span><span class="p">,</span> <span class="nv">$path</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Image</span><span class="o">::</span><span class="nf">read</span><span class="p">(</span><span class="nv">$image</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">scale</span><span class="p">(</span><span class="n">height</span><span class="o">:</span> <span class="mi">128</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toJpeg</span><span class="p">(</span><span class="mi">90</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">save</span><span class="p">(</span><span class="nv">$path</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">userLogoPathPrepear</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$folder</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'own.user_logo_folder'</span><span class="p">);</span> <span class="nv">$subfolder</span> <span class="o">=</span> <span class="nc">Carbon</span><span class="o">::</span><span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'Y'</span><span class="p">)</span> <span class="mf">.</span> <span class="s1">'/'</span> <span class="mf">.</span> <span class="nc">Carbon</span><span class="o">::</span><span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'m'</span><span class="p">);</span> <span class="nc">Storage</span><span class="o">::</span><span class="nf">disk</span><span class="p">(</span><span class="s1">'public'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">makeDirectory</span><span class="p">(</span><span class="nv">$folder</span> <span class="mf">.</span> <span class="s1">'/'</span> <span class="mf">.</span> <span class="nv">$subfolder</span><span class="p">);</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'folder'</span> <span class="o">=&gt;</span> <span class="nv">$folder</span><span class="p">,</span> <span class="s1">'subfolder'</span> <span class="o">=&gt;</span> <span class="nv">$subfolder</span><span class="p">,</span> <span class="s1">'uniqJpegFileName'</span> <span class="o">=&gt;</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">uuid</span><span class="p">()</span> <span class="mf">.</span> <span class="s1">'.jpg'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Why this matters </h3> <ul> <li> <strong>Gravatar users</strong> get their existing avatar - consistency across platforms</li> <li> <strong>Everyone else</strong> gets a unique, colorful avatar - the app feels polished from second one</li> <li> <strong>Deterministic colors</strong> - "John Smith" always gets the same color, making users recognizable in lists and comments</li> <li> <strong>UUID filenames</strong> - zero collision risk, even at scale</li> <li> <strong>Date-organized storage</strong> - easy cleanup, backup, and archival</li> </ul> <h3> Packages </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Package</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td> <code>creativeorange/gravatar</code> ~1.0</td> <td>Check &amp; download Gravatar</td> </tr> <tr> <td> <code>laravolt/avatar</code> ^6.2</td> <td>Generate initials-based avatars</td> </tr> <tr> <td><code>intervention/image</code></td> <td>Resize &amp; convert to JPEG</td> </tr> </tbody> </table></div> <h2> 3. Session &amp; Device Tracking </h2> <p>Every login in LaraFoundry creates a <code>UserSession</code> record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">userSessions</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">(),</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">getClientIp</span><span class="p">(),</span> <span class="s1">'login_method'</span> <span class="o">=&gt;</span> <span class="nv">$provider</span><span class="p">,</span> <span class="c1">// 'google', 'facebook', 'form'</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'user_device_type'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getUserDeviceType</span><span class="p">(),</span> <span class="c1">// desktop/tablet/mobile</span> <span class="s1">'user_device_name'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">device</span><span class="p">(),</span> <span class="c1">// e.g., 'Macintosh'</span> <span class="s1">'user_os'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">platform</span><span class="p">(),</span> <span class="c1">// e.g., 'macOS'</span> <span class="s1">'user_browser'</span> <span class="o">=&gt;</span> <span class="nc">Agent</span><span class="o">::</span><span class="nf">browser</span><span class="p">(),</span> <span class="c1">// e.g., 'Chrome'</span> <span class="p">]);</span> </code></pre> </div> <p>Device detection is handled by <code>jenssegers/agent</code> - a wrapper around Mobiledetect with a clean API.</p> <h3> What this enables </h3> <ul> <li> <strong>Security</strong>: Show users "Active Sessions" with device details (like GitHub does)</li> <li> <strong>Analytics</strong>: Which devices are your users on? Do you need a mobile-optimized experience?</li> <li> <strong>Support</strong>: "I can see you last logged in from Chrome on Windows at 3:42 PM - was that you?"</li> <li> <strong>Compliance</strong>: GDPR access logs with full context</li> </ul> <h2> 4. Auth Event Logging </h2> <p>This is the feature I wish I'd built from Day 1 in my first SaaS.</p> <p>LaraFoundry uses <code>spatie/laravel-activitylog</code> with a declarative configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// ActivityLogServiceProvider.php</span> <span class="k">protected</span> <span class="kt">array</span> <span class="nv">$events</span> <span class="o">=</span> <span class="p">[</span> <span class="nc">Registered</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'New user registered'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">Login</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Login'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">Logout</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Logout'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">Failed</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Login failed'</span><span class="p">,</span> <span class="mi">401</span><span class="p">],</span> <span class="nc">ProfileUpdate</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Profile update'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">PasswordUpdate</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Password update'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="nc">PasswordReset</span><span class="o">::</span><span class="n">class</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Auth'</span><span class="p">,</span> <span class="s1">'Password reset'</span><span class="p">,</span> <span class="mi">200</span><span class="p">],</span> <span class="p">];</span> <span class="k">public</span> <span class="k">function</span> <span class="n">boot</span><span class="p">()</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">events</span> <span class="k">as</span> <span class="nv">$eventClass</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="nv">$group</span><span class="p">,</span> <span class="nv">$description</span><span class="p">,</span> <span class="nv">$code</span><span class="p">])</span> <span class="p">{</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">listen</span><span class="p">(</span><span class="nv">$eventClass</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="nv">$event</span><span class="p">)</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$eventClass</span><span class="p">,</span> <span class="nv">$group</span><span class="p">,</span> <span class="nv">$description</span><span class="p">,</span> <span class="nv">$code</span><span class="p">)</span> <span class="p">{</span> <span class="nc">ActivityLogService</span><span class="o">::</span><span class="nf">logActivity</span><span class="p">(</span> <span class="nv">$event</span><span class="p">,</span> <span class="nf">class_basename</span><span class="p">(</span><span class="nv">$eventClass</span><span class="p">),</span> <span class="nv">$group</span><span class="p">,</span> <span class="nv">$description</span><span class="p">,</span> <span class="nv">$code</span> <span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> The design </h3> <ul> <li> <strong>Declarative</strong>: Adding a new event = one line in the array</li> <li> <strong>Grouped</strong>: Events belong to groups (Auth, Company, Tickets...) for filtering</li> <li> <strong>HTTP-code aligned</strong>: Success = 200, failure = 401/500</li> <li> <strong>Extensible</strong>: Events can implement <code>getLogProperties()</code> for custom data</li> </ul> <h3> Each log entry captures </h3> <ul> <li>User info (email, ID)</li> <li>IP address</li> <li>Device type, name, OS, browser</li> <li>Route name + HTTP method</li> <li>Full URL</li> <li>Response code</li> <li>Geo location (country, city)</li> <li>Timestamp</li> </ul> <h3> Real-world value </h3> <ol> <li> <strong>Suspicious activity</strong>: 5 failed logins from a new country → trigger alert</li> <li> <strong>OAuth analytics</strong>: 73% Google, 20% form, 7% Facebook → invest in Google UX</li> <li> <strong>GDPR compliance</strong>: Full audit trail of who accessed what, when, from where</li> <li> <strong>Support debugging</strong>: Instantly see a user's auth history when they report issues</li> </ol> <h2> 5. Team Onboarding </h2> <p>In a B2B SaaS, registration doesn't end at "create account." Users often join through team invitations.</p> <p>LaraFoundry handles this seamlessly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Works for both form registration and OAuth</span> <span class="k">private</span> <span class="k">function</span> <span class="n">acceptInvitation</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$token</span><span class="p">,</span> <span class="kt">User</span> <span class="nv">$user</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$invitation</span> <span class="o">=</span> <span class="nc">CompanyInvitation</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'token'</span><span class="p">,</span> <span class="nv">$token</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">with</span><span class="p">([</span><span class="s1">'company'</span><span class="p">,</span> <span class="s1">'role'</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$invitation</span> <span class="o">||</span> <span class="o">!</span><span class="nv">$invitation</span><span class="o">-&gt;</span><span class="nf">canBeAccepted</span><span class="p">())</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// CRITICAL: Prevent email spoofing</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">email</span> <span class="o">!==</span> <span class="nv">$invitation</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$invitation</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$invitation</span><span class="o">-&gt;</span><span class="n">company</span><span class="o">-&gt;</span><span class="nf">addEmployee</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$invitation</span><span class="o">-&gt;</span><span class="n">invited_by</span><span class="p">,</span> <span class="nv">$invitation</span><span class="o">-&gt;</span><span class="n">role</span><span class="p">);</span> <span class="nv">$invitation</span><span class="o">-&gt;</span><span class="nf">markAsAccepted</span><span class="p">();</span> <span class="nf">event</span><span class="p">(</span><span class="k">new</span> <span class="nc">EmployeeInvitationAccepted</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$invitation</span><span class="p">,</span> <span class="nv">$invitation</span><span class="o">-&gt;</span><span class="n">company</span><span class="p">));</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> The flow </h3> <ol> <li>Admin sends invitation → generates unique token</li> <li>Invitee clicks link → registers or logs in (form or OAuth)</li> <li>Registration detects invitation token</li> <li>Validates email match (security)</li> <li>Adds user to company with assigned role</li> <li>Fires event for downstream processing (notifications, logging)</li> </ol> <h2> Tech Stack Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Technology</th> <th>Version</th> </tr> </thead> <tbody> <tr> <td>Backend</td> <td>Laravel</td> <td>12.x</td> </tr> <tr> <td>PHP</td> <td></td> <td>8.3</td> </tr> <tr> <td>Frontend</td> <td>Vue 3 + Inertia v2</td> <td>3.x / 2.x</td> </tr> <tr> <td>OAuth</td> <td>Laravel Socialite</td> <td>^5.23</td> </tr> <tr> <td>Avatars</td> <td>Gravatar + Laravolt Avatar</td> <td>~1.0 / ^6.2</td> </tr> <tr> <td>Logging</td> <td>Spatie Activity Log</td> <td>^4.10</td> </tr> <tr> <td>Device Detection</td> <td>Jenssegers Agent</td> <td>^2.6</td> </tr> <tr> <td>Image Processing</td> <td>Intervention Image</td> <td>latest</td> </tr> <tr> <td>QR Codes</td> <td>SimpleQRCode</td> <td>^4.2</td> </tr> </tbody> </table></div> <h2> 6. Testing - Proof It Works </h2> <p>A registration module without tests is just a demo. Here's how I prove it works with Pest PHP.</p> <h3> Company creation flow: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'user can create company with step 1 (basic info)'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">fake</span><span class="p">([</span><span class="nc">CompanyCreate</span><span class="o">::</span><span class="n">class</span><span class="p">]);</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withCookie</span><span class="p">(</span><span class="nv">$cookieName</span><span class="p">,</span> <span class="nv">$sessionId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'new_company.create.step1'</span><span class="p">),</span> <span class="p">[</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Test Company'</span><span class="p">,</span> <span class="s1">'country'</span> <span class="o">=&gt;</span> <span class="s1">'ukraine'</span><span class="p">,</span> <span class="p">]);</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">assertDatabaseHas</span><span class="p">(</span><span class="s1">'companies'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Test Company'</span><span class="p">,</span> <span class="s1">'created_by_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="p">]);</span> <span class="nv">$company</span> <span class="o">=</span> <span class="nc">Company</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'Test Company'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">uuid</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toBeNull</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$company</span><span class="o">-&gt;</span><span class="n">slug</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">toContain</span><span class="p">(</span><span class="s1">'test-company'</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">assertDatabaseHas</span><span class="p">(</span><span class="s1">'company_user'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'company_id'</span> <span class="o">=&gt;</span> <span class="nv">$company</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'is_owner'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="p">]);</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">assertDispatched</span><span class="p">(</span><span class="nc">CompanyCreate</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Email verification: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">test</span><span class="p">(</span><span class="s1">'email can be verified'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">unverified</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">fake</span><span class="p">();</span> <span class="nv">$verificationUrl</span> <span class="o">=</span> <span class="no">URL</span><span class="o">::</span><span class="nf">temporarySignedRoute</span><span class="p">(</span> <span class="s1">'verification.verify'</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addMinutes</span><span class="p">(</span><span class="mi">60</span><span class="p">),</span> <span class="p">[</span><span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'hash'</span> <span class="o">=&gt;</span> <span class="nb">sha1</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">)]</span> <span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nv">$verificationUrl</span><span class="p">);</span> <span class="nc">Event</span><span class="o">::</span><span class="nf">assertDispatched</span><span class="p">(</span><span class="nc">Verified</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">fresh</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">hasVerifiedEmail</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="s1">'email is not verified with invalid hash'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">unverified</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$verificationUrl</span> <span class="o">=</span> <span class="no">URL</span><span class="o">::</span><span class="nf">temporarySignedRoute</span><span class="p">(</span> <span class="s1">'verification.verify'</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addMinutes</span><span class="p">(</span><span class="mi">60</span><span class="p">),</span> <span class="p">[</span><span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'hash'</span> <span class="o">=&gt;</span> <span class="nb">sha1</span><span class="p">(</span><span class="s1">'wrong-email'</span><span class="p">)]</span> <span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nv">$verificationUrl</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">fresh</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">hasVerifiedEmail</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeFalse</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Edge cases: </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'step 1 generates unique slug when company name exists'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Two companies with name "Duplicate Company"</span> <span class="c1">// Must get different slugs</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$company1</span><span class="o">-&gt;</span><span class="n">slug</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="nv">$company2</span><span class="o">-&gt;</span><span class="n">slug</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'sends company created email notification after step 1'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Queue</span><span class="o">::</span><span class="nf">fake</span><span class="p">();</span> <span class="c1">// ...</span> <span class="nc">Queue</span><span class="o">::</span><span class="nf">assertPushed</span><span class="p">(</span><span class="nc">SendCompanyCreatedJob</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'does not include sessions from other users'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Session isolation test</span> <span class="nv">$sessions</span> <span class="o">=</span> <span class="nf">collect</span><span class="p">(</span><span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">getData</span><span class="p">()[</span><span class="s1">'user'</span><span class="p">][</span><span class="s1">'user_sessions'</span><span class="p">]);</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$sessions</span><span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">))</span> <span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toContain</span><span class="p">(</span><span class="s1">'other-user-session'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> What the test suite covers: </h3> <ul> <li>Registration form (render, create, authenticate)</li> <li>Email verification (valid hash, invalid hash, signed URLs)</li> <li>Company creation (4-step flow, events, emails, slug uniqueness)</li> <li>Session isolation (no cross-user leaks)</li> <li>Invitation flow (job dispatch, promo codes)</li> <li>Password reset (token-based flow)</li> </ul> <h2> What's Next </h2> <p>LaraFoundry is being built in public, module by module. Each module gets extracted from production code running on Kohana.io.</p> <p><strong>Coming up:</strong></p> <ul> <li>Roles &amp; Permissions</li> <li>Multi-tenancy &amp; Team Management</li> <li>Activity Logging (the full system)</li> <li>Subscription &amp; Billing</li> </ul> <p><strong>Want to follow along?</strong></p> <ul> <li>Join the waitlist: <a href="https://larafoundry.com" rel="noopener noreferrer">larafoundry.com</a> </li> <li>Follow on Twitter/X: <a href="https://twitter.com/d_isaenko_dev" rel="noopener noreferrer">@d_isaenko_dev</a> </li> <li>Connect on LinkedIn: <a href="https://linkedin.com/in/d-isaenko-dev" rel="noopener noreferrer">Dmitry Isaenko</a> </li> </ul> <p><em>LaraFoundry is not a starter kit. It's a production-proven SaaS engine - extracted from a real product, battle-tested with real users. Build faster. Ship sooner. Focus on what makes your SaaS unique.</em></p> laravel php saas webdev Solving Flaky Session Tests in Laravel: From Chaos to Stability Dmitry Isaenko Wed, 28 Jan 2026 16:13:08 +0000 https://dev.to/d_isaenko_dev/solving-flaky-session-tests-in-laravel-from-chaos-to-stability-3d9j https://dev.to/d_isaenko_dev/solving-flaky-session-tests-in-laravel-from-chaos-to-stability-3d9j <h1> The Problem: Flaky Tests That Drive You Crazy </h1> <p>Picture this: You're building a multi-tenant Laravel CRM with custom session tracking. You have a <code>UserSession</code> model that stores active company context, last activity, and device info. You write tests. They pass. You run them again. They fail. You run them a third time. They pass.</p> <p>Welcome to <strong>flaky test hell</strong> 🔥</p> <h2> Understanding the Root Cause </h2> <p>In our application, we have middleware that checks for active user sessions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// CheckSessionExists middleware</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nc">Auth</span><span class="o">::</span><span class="nf">check</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$sessionExists</span> <span class="o">=</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'user_id'</span><span class="p">,</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">id</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'session_id'</span><span class="p">,</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">())</span> <span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$sessionExists</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">logout</span><span class="p">();</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'login'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Simple, right? But when testing features protected by this middleware, our tests would randomly fail because the <code>UserSession</code> record couldn't be found.</p> <h2> First Attempt: The Naive Approach </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$sessionId</span> <span class="o">=</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">random</span><span class="p">(</span><span class="mi">40</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">setId</span><span class="p">(</span><span class="nv">$sessionId</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">start</span><span class="p">();</span> <span class="nf">test</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="no">DB</span><span class="o">::</span><span class="nf">table</span><span class="p">(</span><span class="s1">'user_sessions'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">insert</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nv">$sessionId</span><span class="p">,</span> <span class="s1">'active_company_id'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="s1">'127.0.0.1'</span><span class="p">,</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'created_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'updated_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]);</span> <span class="k">return</span> <span class="nv">$sessionId</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Why This Failed </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'can access protected route'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="c1">// Creates session with ID "abc123"</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">);</span> <span class="c1">// Laravel creates NEW session!</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">();</span> <span class="c1">// FAILS - middleware can't find UserSession</span> <span class="p">});</span> </code></pre> </div> <p><strong>The Issue</strong>: Each HTTP request (<code>$this-&gt;get()</code>, <code>$this-&gt;post()</code>, etc.) in Pest/PHPUnit creates a fresh application instance. Without proper session persistence, Laravel generates a new session ID, making our <code>UserSession</code> record orphaned.</p> <h2> Second Attempt: Static Session ID </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="p">{</span> <span class="k">static</span> <span class="nv">$staticSessionId</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$staticSessionId</span> <span class="o">===</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$staticSessionId</span> <span class="o">=</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">random</span><span class="p">(</span><span class="mi">40</span><span class="p">);</span> <span class="p">}</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">setId</span><span class="p">(</span><span class="nv">$staticSessionId</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">start</span><span class="p">();</span> <span class="nf">test</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">save</span><span class="p">();</span> <span class="c1">// Key addition!</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">updateOrCreate</span><span class="p">(</span> <span class="p">[</span><span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nv">$staticSessionId</span><span class="p">],</span> <span class="p">[</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'active_company_id'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="s1">'127.0.0.1'</span><span class="p">,</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]</span> <span class="p">);</span> <span class="k">return</span> <span class="nv">$staticSessionId</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> The Breakthrough (and New Problem) </h3> <p>Adding <code>session()-&gt;save()</code> was crucial - it forces Laravel to persist session data to the configured driver (file/redis/database).</p> <p>But now we hit a different wall:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'admin and user can coexist'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$admin</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">admin</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$admin</span><span class="p">);</span> <span class="c1">// Sets static session ID "xyz789"</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="c1">// REUSES SAME "xyz789"!</span> <span class="c1">// Both users now share the same session - chaos!</span> <span class="p">});</span> </code></pre> </div> <p><strong>Problem</strong>: The <code>static</code> variable is shared across the entire test suite. Multiple users = session collision.</p> <h2> Final Solution: User-Scoped Session Management </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Key insight: Index sessions by user ID</span> <span class="k">static</span> <span class="nv">$sessionIds</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">isset</span><span class="p">(</span><span class="nv">$sessionIds</span><span class="p">[</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$sessionIds</span><span class="p">[</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">random</span><span class="p">(</span><span class="mi">40</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$sessionId</span> <span class="o">=</span> <span class="nv">$sessionIds</span><span class="p">[</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">];</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">setId</span><span class="p">(</span><span class="nv">$sessionId</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">start</span><span class="p">();</span> <span class="nf">test</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="c1">// CRITICAL: Add data to ensure session is written</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">put</span><span class="p">(</span><span class="s1">'auth_check'</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">save</span><span class="p">();</span> <span class="nc">UserSession</span><span class="o">::</span><span class="nf">updateOrCreate</span><span class="p">(</span> <span class="p">[</span><span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nv">$sessionId</span><span class="p">],</span> <span class="p">[</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="s1">'127.0.0.1'</span><span class="p">,</span> <span class="s1">'last_activity'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]</span> <span class="p">);</span> <span class="k">return</span> <span class="nv">$sessionId</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Why This Works </h3> <ol> <li> <strong>User Isolation</strong>: Each user gets their own session ID stored in <code>$sessionIds[$user-&gt;id]</code> </li> <li> <strong>Session Persistence</strong>: Calling <code>session()-&gt;save()</code> writes to the driver</li> <li> <strong>Data Guarantee</strong>: Adding a marker (<code>auth_check</code>) ensures non-empty session data gets saved</li> <li> <strong>Eloquent Integration</strong>: Using <code>updateOrCreate()</code> instead of raw query handles updates gracefully</li> </ol> <h2> Real-World Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'redirects blocked users from dashboard'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">blocked</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'dashboard'</span><span class="p">));</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'user_blocked'</span><span class="p">));</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'allows multiple user contexts in same test'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$admin</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">admin</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="c1">// Each gets their own session</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$admin</span><span class="p">);</span> <span class="nv">$adminSession</span> <span class="o">=</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">();</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="nv">$userSession</span> <span class="o">=</span> <span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nv">$adminSession</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">not</span><span class="o">-&gt;</span><span class="nf">toBe</span><span class="p">(</span><span class="nv">$userSession</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h2> Critical Configuration: phpunit.xml </h2> <p>Don't forget to set the session driver correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;php&gt;</span> <span class="nt">&lt;env</span> <span class="na">name=</span><span class="s">"SESSION_DRIVER"</span> <span class="na">value=</span><span class="s">"file"</span><span class="nt">/&gt;</span> <span class="c">&lt;!-- NOT "array" - file/redis/database ensure persistence --&gt;</span> <span class="nt">&lt;/php&gt;</span> </code></pre> </div> <p>Using <code>array</code> driver in tests will cause sessions to not persist between requests!</p> <h2> Results </h2> <ul> <li>✅ <strong>100% test pass rate</strong> (previously ~60-70% due to flakiness)</li> <li>✅ <strong>Stable CI/CD pipeline</strong> (no more random failures)</li> <li>✅ <strong>Multi-user test scenarios</strong> work reliably</li> <li>✅ <strong>Team confidence</strong> in test suite restored</li> </ul> <h2> Key Takeaways </h2> <ol> <li> <strong>Understand Laravel's test lifecycle</strong>: Each HTTP request creates a new app instance</li> <li> <strong>Session persistence matters</strong>: Always <code>session()-&gt;save()</code> when testing session-dependent features</li> <li> <strong>Scope your static data</strong>: Use arrays indexed by entity ID, not single static values</li> <li> <strong>Choose the right driver</strong>: File/redis/database drivers persist; array driver doesn't</li> <li> <strong>Test determinism</strong>: If a test passes sometimes and fails others, you have a state management issue</li> </ol> <h2> Bonus: Testing Custom Middleware </h2> <p>With stable sessions, testing our session-checking middleware became trivial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">it</span><span class="p">(</span><span class="s1">'logs out users with invalid sessions'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">test</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">actingAs</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="c1">// NO UserSession record</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">);</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertRedirect</span><span class="p">(</span><span class="nf">route</span><span class="p">(</span><span class="s1">'login'</span><span class="p">));</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Auth</span><span class="o">::</span><span class="nf">check</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeFalse</span><span class="p">();</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="s1">'allows users with valid sessions'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nf">actingAsWithSession</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="c1">// CREATES UserSession</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">);</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">assertOk</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">Auth</span><span class="o">::</span><span class="nf">check</span><span class="p">())</span><span class="o">-&gt;</span><span class="nf">toBeTrue</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h2> Resources </h2> <ul> <li><a href="https://laravel.com/docs/testing" rel="noopener noreferrer">Laravel Testing Docs</a></li> <li><a href="https://pestphp.com" rel="noopener noreferrer">Pest PHP Documentation</a></li> <li><a href="https://laravel.com/docs/session" rel="noopener noreferrer">Laravel Session Driver Configuration</a></li> </ul> <p>Have you encountered similar testing challenges? Share your war stories in the comments! 👇</p> <p><em>This article is based on real debugging experience in a production Laravel 12 + Vue 3 + Inertia.js CRM system. The complete test suite is available in our open-source project.</em></p> laravel testing php pestphp