n3xt0r/laravel-passport-modern-scopes

Modern scope management for Laravel Passport

Maintainers

Details

github.com/N3XT0R/laravel-passport-modern-scopes

Homepage

Source

Issues

Installs: 1 335

Dependents: 1

Suggesters: 1

Security: 0

Stars: 0

Watchers: 0

Forks: 0

Open Issues: 0

pkg:composer/n3xt0r/laravel-passport-modern-scopes

2.0.0 2026-01-01 18:22 UTC

Requires

Requires (Dev)

MIT 346c2719e08fdced03760c038b0959f363b8f8d4

  • Ilya Beliaev <info.woop@php-dev.info>

laravelN3XT0Rlaravel-passport

This package is auto-updated.

Last update: 2026-01-01 18:43:57 UTC

README

Latest Version on Packagist GitHub Tests Action Status Maintainability Code Coverage

Passport Modern Scopes

Attribute-based OAuth Scope Enforcement

Laravel Passport traditionally enforces OAuth scopes at the routing level, typically via middleware definitions in route files. While functional, this approach tends to scatter authorization rules across routes and couples controllers to infrastructure-level concerns.

This package introduces an attribute-based approach to OAuth scope enforcement.

By leveraging PHP 8 attributes and a single resolving middleware, required OAuth scopes can be declared directly on controllers or controller actions, keeping authorization rules close to the code they protect while remaining fully compatible with Laravel Passport.

Key ideas

  • OAuth scopes are declared, not wired
  • Controllers express requirements, not middleware mechanics
  • Passport remains untouched and fully in control of token validation
  • Routes stay clean and infrastructure-agnostic

Example

use N3XT0R\PassportModernScopes\Support\Attributes\RequiresScope;
use N3XT0R\PassportModernScopes\Support\Attributes\RequiresAnyScope;

#[RequiresScope('users:read')]
final class UserController
{
    public function index()
    {
        // Requires users:read
    }

    #[RequiresAnyScope('users:update', 'users:write')]
    public function update()
    {
        // Requires at least one of the given scopes
    }
}

A single middleware inspects controller attributes at runtime and enforces them using Laravel Passport’s native scope checks (tokenCan). Authentication itself remains the responsibility of your configured guard (e.g. auth:api).

Why attributes?

  • Declarative and explicit
  • No duplication between routes and controllers
  • Easy to reason about during code review
  • Static-analysis and documentation friendly
  • No magic strings scattered across route definitions

This approach provides a clean separation between authorization intent and HTTP wiring, allowing Passport-based APIs to scale without losing clarity or consistency.

Installation

composer require n3xt0r/laravel-passport-modern-scopes:^2.0

The middleware is automatically registered via the package's service provider.