Password protect a deployed site that uses Authentication so a client can see, but no one else.

The simplest solution is to use HTTP Basic Auth, which would put the whole site behind a username/password. This won't interfere with laravel at all, and is completely outside of laravels auth. In other words, you browse to the domain and immediately see a username/password prompt before you can see any content. Once it's entered, you'd then be allowed to browse the site and use it normally.

It's pretty easy to set up, but it differs depending on the web server (nginx/apache/etc). You can even set up multiple users/passwords and see which ones are accessing the site in the server logs.

I'd do that, and then just remove it after it no longer needs to be private.

For Apache: https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-apache-on-ubuntu-14-04

For Nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

Another possibility is to allow access to the server by specific ips, and deny everything else. That's more problematic, though.

I would not play around with that kind of authentication but rather host the site somewhere secure (not on the public web).

Either on a server on the clients intranet which is only accessible from their network or put it behind a VPN on a machine you host. Or even take it as far as to put it on a virtual host running lamp/lemp that they can have on their local machines.

There are also several ready to use packages that adds this extra authentication layer to your app:

• https://github.com/code16/privat
• https://github.com/larsjanssen6/underconstruction, featured on laravel news a few months ago: https://laravel-news.com/under-construction

Thanks for the info guys! Looks like there are a few options.

My client is remote. So it has to be put online. They will need changes once they see the project, so having it in an "Under Construction" mode would work the best.