
🔑 Authentication Overview

Last updated: 2025-10-09 (Europe/Paris)

RawDigs uses Laravel Sanctum and multiple guards to secure every surface of the platform. This page explains the building blocks so you know which guard, middleware, and context to lean on when wiring new features.


🧱 Guards & Surfaces

Surface                          Guard                   Description
Public web app (Inertia/React)   web (Sanctum session)   Stateful auth with CSRF protection for the main supporter and creator experience.
JSON API & integrations          sanctum tokens          Personal access tokens scoped to abilities for CLI tools, headless clients, and automations.
Filament admin                   filament                Restricted dashboard for staff, moderators, and co-op workers with 2FA enforcement.

All guards ultimately resolve permissions through the Accounts context (organizations) and Creators context (artist membership).


🌐 Session-Based SPA Auth

The Inertia SPA authenticates via Sanctum’s cookie-based session mode:

  1. Browser fetches /sanctum/csrf-cookie.
  2. Client submits credentials to /login with the X-XSRF-TOKEN header.
  3. Laravel issues a session cookie under the web guard and returns the authenticated user.
  4. Every subsequent request carries the same cookies; middleware sets the active organization for Spatie permissions.

Refer to the detailed sequence diagram: Web Session Flow.
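
Steps 1 to 3 from the SPA side, as an added example that is not part of the RawDigs code base. It assumes the SPA and API share a first-party domain, that /login accepts JSON credentials, and that fetchImpl and readCookies are injectable stand-ins for the browser's fetch and document.cookie.

```javascript
// Added example, not RawDigs code: the Sanctum cookie-based login sequence
// from the SPA side. Assumes the SPA and API share a first-party domain so the
// session and XSRF-TOKEN cookies are sent back automatically.

// Sanctum sets the XSRF-TOKEN cookie URL-encoded; the header must carry the
// decoded value or Laravel's CSRF middleware answers 419.
function xsrfTokenFromCookie(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'XSRF-TOKEN' && rest.length > 0) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Headers for a stateful request: JSON in/out plus the CSRF token from step 1.
function statefulHeaders(cookieHeader) {
  const token = xsrfTokenFromCookie(cookieHeader);
  if (token === null) {
    throw new Error('XSRF-TOKEN cookie missing: fetch /sanctum/csrf-cookie first');
  }
  return {
    Accept: 'application/json',
    'Content-Type': 'application/json',
    'X-XSRF-TOKEN': token,
  };
}

// Steps 1-3: prime the CSRF cookie, then POST credentials under the web guard.
// fetchImpl and readCookies are injectable so the flow can run outside a browser.
async function loginWithSession(baseUrl, email, password,
                                fetchImpl = globalThis.fetch,
                                readCookies = () => document.cookie) {
  await fetchImpl(`${baseUrl}/sanctum/csrf-cookie`, { credentials: 'include' });
  const res = await fetchImpl(`${baseUrl}/login`, {
    method: 'POST',
    credentials: 'include', // send and accept the session + XSRF cookies
    headers: statefulHeaders(readCookies()),
    body: JSON.stringify({ email, password }),
  });
  if (res.status === 419) throw new Error('CSRF token mismatch: cookie and header disagree');
  if (!res.ok) throw new Error(`login failed with HTTP ${res.status}`);
  return res.json(); // step 3: the authenticated user; step 4 reuses the cookies
}
```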


πŸ” Personal Access Tokens

Authenticated users can mint personal access tokens to call JSON endpoints from external clients:

  • Tokens are scoped to abilities (e.g., catalog.read, orders.view).
  • Sanctum stores only a hash of each token; the plain-text value is shown once, at creation.
  • Revocation lives in the Accounts dashboard, feeding audit trails to Analytics.
  • Policies and Spatie permissions still govern each request.

See the diagram: Sanctum Token Flow.


🛠 Filament Administration

The Filament panel sits at /admin and uses its own guard:

  • Credentials are validated against the Accounts context.
  • Optional 2FA is enforced for staff and workers.
  • Filament resources respect Spatie permissions (owner, admin, manager) and artist policies where applicable.
  • Session lifetime and password confirmation mirror config/auth.php for consistent security.

Walkthrough: Filament Login Flow.


📌 Implementation Notes

  • Sanctum middleware (EnsureFrontendRequestsAreStateful) is enabled for the primary domain; subdomains require CORS alignment.
  • Active organization context is resolved by middleware before authorization checks (SetPermissionsTeamFromRequest).
  • Device/session logs funnel to the Accounts context for security notifications and analytics.
  • When adding new guards, ensure they register with both Laravel auth config and the Accounts service provider for consistent resolution.