Laravel Socialite

Overview of Mobile Auth Architecture Building authentication for mobile applications using NativePHP requires a shift in how we handle state. Unlike a standard web application where the backend and frontend often share the same environment, a mobile app acts as a client to a remote API. This tutorial demonstrates how to bridge that gap by implementing traditional email/password login and Google Socialite integration. The goal is to secure your mobile application while ensuring a smooth user experience, even during intermittent connectivity. Prerequisites and Essential Tools Before diving into the code, ensure you have a solid grasp of Laravel and Livewire. You will need two distinct environments: * **Mobile Repository:** The NativePHP codebase that compiles into an APK or IPA. * **API Repository:** A separate Laravel backend (ideally hosted via Laravel Forge) to handle database persistence and authentication logic via Laravel Sanctum. Registration and Token Retrieval The registration process begins with a Livewire component. We capture user data and a unique device identifier using the NativePHP Device plugin. This ID allows the backend to track which specific device owns the session. ```php // NativePHP Livewire Component public function register() { $device = Device::info(); $response = Http::post('https://api.yourdomain.com/v1/auth/register', [ 'name' => $this->name, 'email' => $this->email, 'password' => $this->password, 'device_name' => $device['model'], ]); if ($response->successful()) { session(['token' => $response->json('token')]); return redirect()->route('home'); } } ``` On the backend, Laravel Sanctum generates a plain-text token upon successful validation. This token becomes the "key" for all subsequent requests. Managing Tokens and Offline Logic Security in mobile apps involves more than just checking if a token exists. You must verify it against the server periodically. However, mobile users often lose signal. A robust middleware should handle both verification intervals (e.g., every 15 minutes) and a "grace period" for offline access. ```php // Middleware Logic $lastVerified = session('token_verified_at'); if (now()->diffInMinutes($lastVerified) > 15) { try { $this->verifyTokenRemotely($token); } catch (ConnectionException $e) { // Allow offline access if verified within the last 24 hours if (now()->diffInHours($lastVerified) > 24) { return redirect()->route('login'); } } } ``` Social Auth with Deep Linking To implement Google sign-in, we use Laravel Socialite on the API side. The mobile app opens a browser instance to handle the OAuth flow. Once finished, the API redirects the user back to the app using a **Deep Link Scheme** (e.g., `nativephp://callback`). You must define this scheme in your `.env` file to ensure the mobile OS knows to hand the data back to your application. Storage Best Practices While using the PHP `session()` is functional for demos, it is not the most secure method. NativePHP offers a **Mobile Secure Storage** plugin. This paid add-on uses hardware-level encryption on the device to store tokens, ensuring they survive app reloads and provide a higher security tier than standard session files.