Laravel With Two Types of User - Admin and User

Dec 21, 2021 2 minutes read

There are many ways to secure the admin area. You can use the single default User model and check permissions with roles and policies, but that can turn out to be too inflexible over time. Laravel does not prescribe a choice here, and that's great: the Laravel team leaves it flexible because everything depends on your project.

Securing applications is a mandatory step in software development. It is no secret that software becomes more and more sophisticated every day, giving hackers the opportunity to break into web applications with little effort. The consequences for users can be severe when software isn't secure enough.

The application's admin area is an especially vulnerable part of software because it typically has unrestricted access to almost all parts of the software. Admin areas are attractive targets for hackers because they give attackers complete control over the software. Since most software packages use admin interfaces, these threats pose a real risk to anyone using any kind of software.

In this article you will learn how to easily create two types of users. I assume that you already use the standard User model for regular users, so we will focus only on the new one. To-do list:

  • create migration
  • create model
  • add guard
  • add provider

Create Admin migrations

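# migration file

Schema::create('admins', function (Blueprint $table) {
	$table->id();
	# the username is the login identifier, so keep it unique
	$table->string('username', 100)->unique();
	# stores the password hash, never the plain text
	$table->string('password', 100);
	# you can add more fields if you want
	$table->timestamps();
});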

Create Admin model

# ./app/Models/Admin.php

namespace App\Models;

use Carbon\CarbonInterface;
use Illuminate\Foundation\Auth\User as Authenticatable;

/**
 * @property int $id
 * @property string $username
 * @property string $password
 * @property CarbonInterface|null $created_at
 * @property CarbonInterface|null $updated_at
 */
class Admin extends Authenticatable
{
    protected $table = 'admins';

    # attributes that may be mass assigned
    protected $fillable = [
        'username',
        'password',
    ];

    # never expose the password hash in array/JSON output
    protected $hidden = [
        'password',
    ];
}

Create AdminGuard and AdminProvider

# ./config/auth.php

'guards' => [
	// ...
	'admin' => [
		'driver' => 'session',
		'provider' => 'admins',
	],
],

'providers' => [
	// ...
	'admins' => [
		'driver' => 'eloquent',
		'model' => App\Models\Admin::class,
	],
],


And that's it. Now you can use it wherever you need it, through the Auth facade or the Request.

# routes.php
Route::middleware('auth:admin')->group(function () {
    # named so that redirect()->route('admin.dashboard') resolves
    Route::get('/admin/dashboard', [AdminDashboard::class, 'view'])->name('admin.dashboard');
});

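# controller
public function action(Request $request)
{
	# via $request
	$admin = $request->user('admin');
	# via Auth facade (guard() returns the guard itself, user() returns the admin)
	$admin = Auth::guard('admin')->user();
	# to login
	$credentials = $request->only("username", "password");
	if (Auth::guard('admin')->attempt($credentials)) {
		# issue a new session ID after login to prevent session fixation
		$request->session()->regenerate();
		return redirect()->route('admin.dashboard');
	} else {
		return view('admin.login');
	}
}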
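
A feature test for the guard separation set up above, added here as an example and not part of the original article. It assumes the stock `User` factory, an `admins` table with the `id` and timestamp columns listed in the model's docblock, and that `AdminDashboard::view` returns a 200 response; the class name `AdminGuardTest` and the sample credentials are constructed.

```php
<?php
// Added example: tests/Feature/AdminGuardTest.php (hypothetical file and class name).
namespace Tests\Feature;
use App\Models\Admin;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class AdminGuardTest extends TestCase
{
    use RefreshDatabase;

    // Constructed sample admin; attempt() verifies against a hash, so store one.
    private function makeAdmin(): Admin
    {
        $admin = new Admin();
        $admin->username = 'root-admin';
        $admin->password = Hash::make('constructed-test-password');
        $admin->save();
        return $admin;
    }

    public function test_web_user_is_rejected_by_admin_guard(): void
    {
        // Assumes the stock User factory shipped with Laravel.
        $user = User::factory()->create();
        // JSON request so a failed auth check yields 401 instead of a redirect.
        $this->actingAs($user, 'web')->getJson('/admin/dashboard')->assertUnauthorized();
    }

    public function test_admin_guard_grants_access(): void
    {
        // Assumes AdminDashboard::view returns a 200 response.
        $this->actingAs($this->makeAdmin(), 'admin')->getJson('/admin/dashboard')->assertOk();
    }

    public function test_admin_login_leaves_web_guard_unauthenticated(): void
    {
        $admin = $this->makeAdmin();
        $this->assertTrue(Auth::guard('admin')->attempt([
            'username' => 'root-admin',
            'password' => 'constructed-test-password',
        ]));
        $this->assertAuthenticatedAs($admin, 'admin');
        $this->assertGuest('web');
    }
}
```

Run it with `php artisan test`; a failure in the first test means a route in the admin group is reachable without the `auth:admin` middleware.
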
Disclaimer: The opinions expressed here are my own and do not necessarily represent those of current or past employers.