Skip to main content
Prueba Soporte uses Laravel Breeze for session-based authentication. All task routes — and the dashboard — are protected by the auth middleware, meaning users must be logged in before they can view or manage tasks.

Route protection

The task and profile routes are wrapped in an auth middleware group in routes/web.php:
Route::middleware('auth')->group(function () {
    Route::get('/profile', [ProfileController::class, 'edit'])->name('profile.edit');
    Route::patch('/profile', [ProfileController::class, 'update'])->name('profile.update');
    Route::delete('/profile', [ProfileController::class, 'destroy'])->name('profile.destroy');

    Route::get('/tasks/index', [TaskController::class, 'index'])->name('task.index');
    Route::post('/tasks', [TaskController::class, 'store']);
    Route::put('/tasks/{id}/complete', [TaskController::class, 'update']);
    Route::delete('/tasks/{id}', [TaskController::class, 'destroy']);

    Route::get('/tasks', function () {
        return view('tasks');
    })->name('tasks');
});
The dashboard additionally requires email verification via the verified middleware:
Route::get('/dashboard', function () {
    return Inertia::render('Dashboard');
})->middleware(['auth', 'verified'])->name('dashboard');
Unauthenticated requests to any of the above routes are automatically redirected to /login by Laravel’s authentication middleware.

Session-based auth flow

Authentication is entirely session-based. On a successful login, Laravel creates a server-side session and issues a session cookie to the browser. Every subsequent request carries that cookie, and Laravel resolves the authenticated user from the session store without requiring tokens or additional headers.

Login workflow

1

Visit the login page

The root URL / renders the Auth:Login Inertia view. The guest middleware group in routes/auth.php also exposes the login form directly at /login:
Route::get('login', [AuthenticatedSessionController::class, 'create'])
    ->name('login');
2

Submit credentials

The form POSTs to /login, handled by AuthenticatedSessionController@store. Laravel validates the credentials against the users table (email + hashed password).
Route::post('login', [AuthenticatedSessionController::class, 'store']);
3

Session is created

On success, a new session is started, the user is marked as authenticated, and the browser receives a session cookie. The user is redirected to their intended destination (or /tasks/index by default — the task.index named route as configured in AuthenticatedSessionController).
4

Access protected routes

With a valid session cookie, the user can access all routes inside the auth middleware group — including /tasks and all task API endpoints.

Registration workflow

New accounts are created through /register, which is also behind the guest middleware so already-authenticated users cannot access it:
Route::get('register', [RegisteredUserController::class, 'create'])
    ->name('register');

Route::post('register', [RegisteredUserController::class, 'store']);
The registration form collects a name, email address, and password. On success, the user is automatically logged in and redirected to the dashboard.
The User model marks email_verified_at as a datetime cast, so email verification is supported. The dashboard route enforces verification via the verified middleware — users who have not verified their email will be redirected to the verification notice page.

Password reset

Full password reset is available via the following routes, all behind the guest middleware:
// Request a reset link
Route::get('forgot-password', [PasswordResetLinkController::class, 'create'])
    ->name('password.request');

Route::post('forgot-password', [PasswordResetLinkController::class, 'store'])
    ->name('password.email');

// Set a new password using the token from the email
Route::get('reset-password/{token}', [NewPasswordController::class, 'create'])
    ->name('password.reset');

Route::post('reset-password', [NewPasswordController::class, 'store'])
    ->name('password.store');
Laravel sends a signed reset link to the user’s email address. Clicking the link loads the reset form, which accepts the new password and logs the user in upon success.

Email verification

For authenticated users who have not yet verified their email, the following routes are available:
Route::get('verify-email', EmailVerificationPromptController::class)
    ->name('verification.notice');

Route::get('verify-email/{id}/{hash}', VerifyEmailController::class)
    ->middleware(['signed', 'throttle:6,1'])
    ->name('verification.verify');

Route::post('email/verification-notification', [EmailVerificationNotificationController::class, 'store'])
    ->middleware('throttle:6,1')
    ->name('verification.send');
The verification link is signed and rate-limited to 6 requests per minute to prevent abuse.

Password confirmation

Sensitive operations can require the user to re-enter their current password before proceeding:
Route::get('confirm-password', [ConfirmablePasswordController::class, 'show'])
    ->name('password.confirm');

Route::post('confirm-password', [ConfirmablePasswordController::class, 'store']);

Profile management

Authenticated users can manage their account through three profile endpoints:
MethodRouteAction
GET/profileShow the profile edit form
PATCH/profileUpdate name, email, or password
DELETE/profilePermanently delete the account
Route::get('/profile', [ProfileController::class, 'edit'])->name('profile.edit');
Route::patch('/profile', [ProfileController::class, 'update'])->name('profile.update');
Route::delete('/profile', [ProfileController::class, 'destroy'])->name('profile.destroy');
Password changes are also available via a dedicated endpoint:
Route::put('password', [PasswordController::class, 'update'])->name('password.update');

Logout

Logging out destroys the current session and invalidates the session cookie:
Route::post('logout', [AuthenticatedSessionController::class, 'destroy'])
    ->name('logout');
Logout uses a POST request (not GET) to protect against cross-site request forgery. Breeze includes the required CSRF token automatically in all forms.