Last Updated: 3/13/2026
Authentication & Authorization
LinkAce provides flexible authentication options including traditional email/password authentication, Single Sign-On (SSO) via OAuth/OIDC, and API token authentication.
Authentication Methods
1. Traditional Authentication
LinkAce uses Laravel Fortify for traditional username/password authentication.
Features:
- Email/password login
- Registration (can be disabled)
- Password reset
- Email verification
- Two-factor authentication support
Configuration:
- Guard:
web(session-based) - Provider:
users(Eloquent) - Password reset expiry: 60 minutes
- Password confirmation timeout: 3 hours (10800 seconds)
2. Single Sign-On (SSO)
LinkAce supports SSO via OAuth 2.0 and OpenID Connect (OIDC) providers.
Supported Providers:
- Auth0
- Authentik
- Azure (Microsoft)
- AWS Cognito
- FusionAuth
- GitHub
- GitLab
- Keycloak
- Generic OIDC
- Okta
- Zitadel
Environment Variables:
# Enable SSO
SSO_ENABLED=true
# Allow new user registration via SSO
SSO_REGISTRATION_ENABLED=true
# Disable traditional login when SSO is enabled
REGULAR_LOGIN_DISABLED=falseOAuth Fields in User Model:
oauth_provider- Provider name (e.g., “google”, “github”)oauth_id- User ID from the OAuth provider
Configuration File: config/auth.php
'sso' => [
'enabled' => env('SSO_ENABLED', false),
'registration_enabled' => env('SSO_REGISTRATION_ENABLED', true),
'regular_login_disabled' => env('REGULAR_LOGIN_DISABLED', false),
'providers' => [
'auth0',
'authentik',
'azure',
'cognito',
'fusionauth',
'google',
'github',
'gitlab',
'keycloak',
'oidc',
'okta',
'zitadel',
],
],3. API Token Authentication
LinkAce uses Laravel Sanctum for API authentication.
Features:
- Personal access tokens
- Token-based API authentication
- Token abilities/scopes (optional)
Token Types:
User API Tokens
Personal access tokens for individual users. Users can generate and manage their own API tokens from the user settings page.
Generation:
- Navigate to User Settings → API Tokens
- Click “Generate New Token”
- Copy the token (shown only once)
System API Tokens
Administrative tokens for system-level operations. These are managed by administrators.
Usage:
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://your-linkace-instance.com/api/v2/linksDatabase Table: personal_access_tokens
| Column | Type | Description |
|---|---|---|
id | int | Primary key |
tokenable_type | string | Model type (User) |
tokenable_id | int | User ID |
name | string | Token name |
token | string | Hashed token |
abilities | json | Token permissions |
last_used_at | datetime | Last usage timestamp |
expires_at | datetime | Expiration (optional) |
created_at | datetime | Creation timestamp |
updated_at | datetime | Update timestamp |
Authorization
LinkAce uses Spatie Laravel Permission for role-based access control.
Roles
Default Roles:
- Admin - Full system access
- User - Standard user access
Permissions
Permissions are granular and can be assigned to roles or users directly.
Database Tables:
roles
| Column | Type |
|---|---|
id | int |
name | string |
guard_name | string |
created_at | datetime |
updated_at | datetime |
permissions
| Column | Type |
|---|---|
id | int |
name | string |
guard_name | string |
created_at | datetime |
updated_at | datetime |
model_has_roles
Links users to roles.
model_has_permissions
Links users to permissions directly.
role_has_permissions
Links roles to permissions.
Policies
LinkAce uses Laravel Policies to control access to resources.
Location: app/Policies/
Key Policies:
- Link visibility checks (public, internal, private)
- Ownership verification
- Admin-only operations
Visibility-Based Access Control
All main resources (Links, Lists, Tags) support visibility levels:
| Level | Access |
|---|---|
| Public (1) | Everyone can view |
| Internal (2) | Authenticated users can view |
| Private (3) | Only owner can view |
Implementation:
Models use the ScopesVisibility trait to automatically filter queries based on user permissions:
// Automatically filters based on current user
$links = Link::query()->get();
// Explicit scope usage
$publicLinks = Link::publicOnly()->get();
$internalLinks = Link::internalOnly()->get();
$privateLinks = Link::privateOnly()->get();The ScopesForUser trait provides user-scoped queries:
// Get links for specific user
$userLinks = Link::byUser($userId)->get();User Management
User Registration
Open Registration:
Set REGISTRATION_ENABLED=true in .env to allow public registration.
Invitation-Only:
Set REGISTRATION_ENABLED=false and use the user invitation system.
User Invitations
Admins can invite users via email.
Model: UserInvitation
Properties:
invited_by- Admin user IDemail- Invitee emailtoken- Unique invitation tokenexpires_at- Expiration timestampaccepted_at- Acceptance timestamp (null if pending)
Workflow:
- Admin sends invitation
- Invitee receives email with link
- Invitee clicks link and completes registration
- Invitation is marked as accepted
Email Verification
LinkAce supports optional email verification for new accounts.
Configuration:
Set MAIL_VERIFICATION=true to require email verification.
Security Features
Password Requirements
- Minimum length: 8 characters (Laravel default)
- Configurable via validation rules
Password Hashing
- Algorithm: bcrypt (Laravel default)
- Configurable via
config/hashing.php
Password Reset
- Token expiry: 60 minutes
- Throttling: 60 seconds between requests
- Tokens stored in
password_resetstable
Session Security
- Session driver: file/database/redis (configurable)
- Session lifetime: 120 minutes (default)
- Secure cookies in production
- HTTP-only cookies
- SameSite cookie policy
CSRF Protection
All non-API routes are protected by CSRF middleware.
Rate Limiting
API endpoints are rate-limited based on configuration:
Route::middleware(['throttle:' . config('app.api_rate_limit')])Default rate limit is defined in config/app.php.
Authentication Flow
Traditional Login Flow
- User submits email and password
- Laravel Fortify validates credentials
- User session is created
- User is redirected to dashboard
SSO Login Flow
- User clicks “Login with [Provider]”
- User is redirected to OAuth provider
- User authenticates with provider
- Provider redirects back with authorization code
- LinkAce exchanges code for access token
- LinkAce retrieves user profile from provider
- User is created/updated in LinkAce database
- User session is created
- User is redirected to dashboard
API Authentication Flow
- User generates API token in settings
- User includes token in
Authorization: Bearer TOKENheader - Laravel Sanctum validates token
- Request proceeds with authenticated user context
Configuration Files
config/auth.php
Main authentication configuration including guards, providers, and SSO settings.
config/fortify.php
Laravel Fortify features and routes.
config/sanctum.php
Laravel Sanctum token configuration.
config/permission.php
Spatie Laravel Permission configuration.
Related Controllers
Authentication
App\Http\Controllers\SocialiteController- SSO authenticationApp\Http\Controllers\RegistrationController- User registration
User Management
App\Http\Controllers\Admin\UserController- Admin user managementApp\Http\Controllers\Admin\UserInvitationController- User invitations
API
- All API controllers use
auth:sanctummiddleware - Located in
app/Http/Controllers/API/