Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

troovers's avatar

Authentication inside package

I'm developing a package which is going to be quite large, and also requires authentication. The package contains "projects" which you can create. For those projects, you could give specific users access, so when they login, they see their projects.

I don't really want to rely on the general projects users table when people install my package. For instance, the columns might not have the specific names that I'm using in my project. So, I thought of adding a users table migration to my package, and requiring the project to use the package's User model class for authentication. However, I don't know if it's the nicest solution for the problem.

I could also make the user implement a callback which is used (like in Laravel Horizon) to determine whether a user should have access to a project, but then I would rely to much on the project for my package to work.

Do you have any tips on how to address this problem?

Regards,

Thomas

0 likes
2 replies
bobbybouwmann's avatar

Well your package is going to offer some service right. However Authentication is application specific. What happens when someone wants to use your package but they have an API only application. They will use a different authentication guard as well.

So I think the Horizon auth option is not as bad as you think.

Also it sounds that your package is doing way too much! It's sounds more like a project specific solution. I wouldn't see someone else use your package quickly because they might have different requirements.

If you really want to couple in your package to some User model and migration then sure do that, but make sure the README describes how to set it up. It looks like you will be using this package more often so make it work for you ;)

troovers's avatar

The Horizon option is indeed not as bad as I made it sound, but I need a little more influence on the users. To clarify: the package is going to be a simple CMS. When the user implements the auth callback, no users are required, they can just return true if necessary. But, when the package is going to be used for multiple customers, it's probably nice if the user can give other users access to the CMS for a specific account only. For that scenario, I perhaps also need to add users or give them the possibility to edit their profile.

I feel like none of the options above is "good enough". The callback method is perhaps too simple, but accessing projects tables feels hacky.

Please or to participate in this conversation.