Implementing Robust Mobile Authentication in NativePHP v3

Building authentication for mobile applications using NativePHP requires a shift in how we handle state. Unlike a standard web application where the backend and frontend often share the same environment, a mobile app acts as a client to a remote API. This tutorial demonstrates how to bridge that gap by implementing traditional email/password login and Google Laravel Socialite integration. The goal is to secure your mobile application while ensuring a smooth user experience, even during intermittent connectivity.

Prerequisites and Essential Tools

Before diving into the code, ensure you have a solid grasp of Laravel and Livewire. You will need two distinct environments:

• Mobile Repository: The NativePHP codebase that compiles into an APK or IPA.
• API Repository: A separate Laravel backend (ideally hosted via Laravel Forge) to handle database persistence and authentication logic via Laravel Sanctum.

Registration and Token Retrieval

The registration process begins with a Livewire component. We capture user data and a unique device identifier using the NativePHP Device plugin. This ID allows the backend to track which specific device owns the session.

// NativePHP Livewire Component
public function register()
{
    $device = Device::info();
    $response = Http::post('https://api.yourdomain.com/v1/auth/register', [
        'name' => $this->name,
        'email' => $this->email,
        'password' => $this->password,
        'device_name' => $device['model'],
    ]);

    if ($response->successful()) {
        session(['token' => $response->json('token')]);
        return redirect()->route('home');
    }
}

On the backend, Laravel Sanctum generates a plain-text token upon successful validation. This token becomes the "key" for all subsequent requests.

Managing Tokens and Offline Logic

Security in mobile apps involves more than just checking if a token exists. You must verify it against the server periodically. However, mobile users often lose signal. A robust middleware should handle both verification intervals (e.g., every 15 minutes) and a "grace period" for offline access.

// Middleware Logic
$lastVerified = session('token_verified_at');
if (now()->diffInMinutes($lastVerified) > 15) {
    try {
        $this->verifyTokenRemotely($token);
    } catch (ConnectionException $e) {
        // Allow offline access if verified within the last 24 hours
        if (now()->diffInHours($lastVerified) > 24) {
            return redirect()->route('login');
        }
    }
}

Social Auth with Deep Linking

To implement Google sign-in, we use Laravel Socialite on the API side. The mobile app opens a browser instance to handle the OAuth flow. Once finished, the API redirects the user back to the app using a Deep Link Scheme (e.g., nativephp://callback). You must define this scheme in your .env file to ensure the mobile OS knows to hand the data back to your application.

Storage Best Practices

While using the PHP session() is functional for demos, it is not the most secure method. NativePHP offers a Mobile Secure Storage plugin. This paid add-on uses hardware-level encryption on the device to store tokens, ensuring they survive app reloads and provide a higher security tier than standard session files.