hasinhayder/tyro-login

Composer install command:

composer require hasinhayder/tyro-login

Package description

Tyro Login - Beautiful, customizable authentication views for Laravel 12 & 13

README documentation

Beautiful, customizable authentication views for Laravel 12 and 13 – Tyro Login provides professional, ready-to-use login and registration pages with multiple layout options and seamless integration with the Tyro package.

Features

  • Multiple Layouts - 10 beautiful layouts: centered, split-left, split-right, fullscreen, card, youtube-video, animated-birds, aurora-waves, particle-network, and tidal
  • Beautiful Design - Modern, professional UI out of the box
  • Social Login - OAuth authentication with Google, Facebook, GitHub, Twitter/X, LinkedIn, Bitbucket, GitLab, and Slack
  • Passkeys - Passwordless WebAuthn sign-in (via laravel/passkeys) with a one-command setup
  • Enhanced Security - Industry-standard security features
    • Encrypted OAuth token storage at rest (using Laravel's encryption)
    • Cryptographically secure OTP generation (Better Randomness)
    • Session regeneration to prevent fixation attacks (on successful login and logout)
    • CSRF-protected logout (only accepts POST requests)
    • Privacy-compliant debug logging (email addresses masked)
  • Highly Configurable - Customize colors, logos, redirects, and more
  • Lockout Protection - Rate limiting with configurable attempts and duration
  • Math Captcha - Simple addition/subtraction captcha for login and registration
  • Login OTP - Two-factor authentication via email OTP codes
  • Email Verification - Optional email verification for new registrations
  • Password Reset - Built-in forgot password and reset functionality
  • Beautiful Emails - Sleek, minimal HTML email templates for OTP, password reset, verification, and welcome emails
  • Tyro Integration - Automatic role assignment for new users if Tyro is installed
  • Invitation/Referral System - User-based referral links for tracking signups
  • Dark/Light Theme - Automatic theme detection with manual toggle
  • Fully Responsive - Works perfectly on all devices
  • Zero Build Step - No npm or webpack required, just install and use
  • Debug Mode - Privacy-safe debug logging for development

Requirements

  • PHP 8.2 or higher
  • Laravel 12.0 or higher

Installation

Install the package via Composer:

composer require hasinhayder/tyro-login

Run the installation command:

php artisan tyro-login:install

For social login support, use:

php artisan tyro-login:install --with-social

To install with passkey (passwordless WebAuthn) login from the start:

php artisan tyro-login:install --with-passkeys

That's it! Visit /login to see your new authentication pages.

Note: If you're updating to version 2.3.0 or later, run the migrations to set up the invitation/referral system:

php artisan migrate

Configuration

After installation, you can customize the package by editing config/tyro-login.php:

Layout Options

// Available layouts: 'centered', 'split-left', 'split-right', 'fullscreen', 'card', 'youtube-video', 'animated-birds', 'aurora-waves', 'particle-network', 'tidal'
'layout' => env('TYRO_LOGIN_LAYOUT', 'centered'),

// Background image for split and fullscreen layouts
'background_image' => env('TYRO_LOGIN_BACKGROUND_IMAGE', 'https://...'),

// YouTube video background settings (for 'youtube-video' layout)
'youtube_video' => [
    'url' => env('TYRO_LOGIN_VIDEO_URL', 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'),
    'blur' => env('TYRO_LOGIN_VIDEO_BLUR', '4px'),
    'overlay_color' => env('TYRO_LOGIN_VIDEO_OVERLAY_COLOR', '#111827'),
    'overlay_opacity' => env('TYRO_LOGIN_VIDEO_OVERLAY_OPACITY', 0.1),
    'sound' => env('TYRO_LOGIN_VIDEO_SOUND', false),
],

Branding

'branding' => [
    'app_name' => env('TYRO_LOGIN_APP_NAME', 'Laravel'),
    'logo' => env('TYRO_LOGIN_LOGO', null), // URL to your logo
    'logo_height' => env('TYRO_LOGIN_LOGO_HEIGHT', '48px'),
    'logo_border_radius' => env('TYRO_LOGIN_LOGO_BORDER_RADIUS', '0'), // e.g., '50%' for circle, '8px' for rounded corners
],

Redirects

'redirects' => [
    'after_login' => env('TYRO_LOGIN_REDIRECT_AFTER_LOGIN', '/'),
    'after_logout' => env('TYRO_LOGIN_REDIRECT_AFTER_LOGOUT', '/login'),
    'after_register' => env('TYRO_LOGIN_REDIRECT_AFTER_REGISTER', '/'),
    'after_email_verification' => env('TYRO_LOGIN_REDIRECT_AFTER_EMAIL_VERIFICATION', '/login'),
],

Registration Settings

'registration' => [
    'enabled' => env('TYRO_LOGIN_REGISTRATION_ENABLED', true),
    'auto_login' => env('TYRO_LOGIN_REGISTRATION_AUTO_LOGIN', true),
    'require_email_verification' => env('TYRO_LOGIN_REQUIRE_EMAIL_VERIFICATION', false),
],

Email Verification

When email verification is enabled, users won't be logged in automatically after registration. Instead, they'll be redirected to a verification notice page and a verification link will be generated.

'registration' => [
    'require_email_verification' => env('TYRO_LOGIN_REQUIRE_EMAIL_VERIFICATION', true),
],

'verification' => [
    'expire' => env('TYRO_LOGIN_VERIFICATION_EXPIRE', 60), // Token expires in 60 minutes
],

'redirects' => [
    'after_email_verification' => env('TYRO_LOGIN_REDIRECT_AFTER_EMAIL_VERIFICATION', '/login'),
],

How it works:

  1. User registers - Redirected to verification notice page
  2. Verification URL is logged to Laravel logs and error_log (for development)
  3. User clicks the link - Email is verified and user is redirected to login page
  4. Users can request a new verification email from the notice page
  5. If a user tries to log in with an unverified email, they see the "Email Not Verified" page

For Development: The verification URL is printed to your Laravel logs and error_log, so you can easily test without setting up email.

Password Reset

Tyro Login includes a complete password reset flow with beautiful, consistent UI.

'password_reset' => [
    'expire' => env('TYRO_LOGIN_PASSWORD_RESET_EXPIRE', 60), // Token expires in 60 minutes
],

How it works:

  1. User clicks "Forgot Password?" on login page
  2. User enters email - Reset link is generated
  3. Reset URL is logged to Laravel logs and error_log (for development)
  4. User clicks the link - Shown password reset form
  5. User enters new password - Password updated and user is logged in

For Development: The reset URL is printed to your Laravel logs and error_log, so you can easily test without setting up email.

Tyro Integration

If you have hasinhayder/tyro installed, Tyro Login can automatically assign a default role to new users:

'tyro' => [
    'assign_default_role' => env('TYRO_LOGIN_ASSIGN_DEFAULT_ROLE', true),
    'default_role_slug' => env('TYRO_LOGIN_DEFAULT_ROLE_SLUG', 'user'),
],

Math Captcha

Add a simple math captcha to your login and/or registration forms to prevent automated submissions:

'captcha' => [
    'enabled_login' => env('TYRO_LOGIN_CAPTCHA_LOGIN', false),
    'enabled_register' => env('TYRO_LOGIN_CAPTCHA_REGISTER', false),
    'label' => 'Security Check',
    'placeholder' => 'Enter the answer',
    'error_message' => 'Incorrect answer. Please try again.',
    'min_number' => 1,
    'max_number' => 10,
],

Login OTP Verification

Add two-factor authentication via email OTP. After entering valid credentials, users receive a one-time code:

'otp' => [
    'enabled' => env('TYRO_LOGIN_OTP_ENABLED', false),
    'length' => 4,           // 4-8 digits
    'expire' => 5,           // minutes
    'max_resend' => 3,
    'resend_cooldown' => 60, // seconds
],

Features:

  • Beautiful OTP input with individual digit boxes
  • Configurable code length (4-8 digits)
  • Resend functionality with cooldown
  • Cache-based storage (no database required)
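
The OTP settings above, worked through as an added example (not the package's own code): a cache-style store that issues codes with random_int(), enforces otp.expire, otp.max_resend and otp.resend_cooldown, and makes each code single use. EmailOtpStore, its method names and the $maxTries guess cap are assumptions of this example; the page documents no attempt-limit key.

```php
<?php
declare(strict_types=1);

// Added example, not Tyro Login code: EmailOtpStore and its methods are
// hypothetical. The array stands in for the cache; $now is passed in so the
// constructed demo at the bottom is deterministic.
final class EmailOtpStore
{
    private array $cache = [];

    public function __construct(
        private int $length = 4,          // otp.length (4-8 digits)
        private int $expireMinutes = 5,   // otp.expire
        private int $maxResend = 3,       // otp.max_resend
        private int $resendCooldown = 60, // otp.resend_cooldown, seconds
        private int $maxTries = 5,        // assumption: guess cap, not a key shown on the page
    ) {
        if ($length < 4 || $length > 8) {
            throw new InvalidArgumentException('otp.length must be between 4 and 8');
        }
    }

    /** Start a new challenge after the password check passed; returns the code to e-mail. */
    public function issue(string $userKey, int $now): string
    {
        $code = $this->generate();
        $this->cache[$userKey] = [
            'hash' => $this->digest($userKey, $code),
            'expires' => $now + $this->expireMinutes * 60,
            'resends' => 0,
            'last_sent' => $now,
            'tries' => 0,
        ];
        return $code;
    }

    /** Re-issue a code, or return null when the cooldown or resend budget forbids it. */
    public function resend(string $userKey, int $now): ?string
    {
        $entry = $this->cache[$userKey] ?? null;
        if ($entry === null
            || $entry['resends'] >= $this->maxResend
            || $now - $entry['last_sent'] < $this->resendCooldown) {
            return null;
        }
        $code = $this->generate();
        // 'tries' is deliberately carried over: a resend must not refill the guess budget.
        $this->cache[$userKey] = [
            'hash' => $this->digest($userKey, $code),
            'expires' => $now + $this->expireMinutes * 60,
            'resends' => $entry['resends'] + 1,
            'last_sent' => $now,
            'tries' => $entry['tries'],
        ];
        return $code;
    }

    /** Check a submitted code: single use, expiring, with a capped number of guesses. */
    public function verify(string $userKey, string $input, int $now): bool
    {
        $entry = $this->cache[$userKey] ?? null;
        if ($entry === null) {
            return false;
        }
        if ($now >= $entry['expires'] || $entry['tries'] >= $this->maxTries) {
            unset($this->cache[$userKey]); // expired or exhausted: force a fresh login
            return false;
        }
        $this->cache[$userKey]['tries']++;
        if (!hash_equals($entry['hash'], $this->digest($userKey, $input))) {
            return false;
        }
        unset($this->cache[$userKey]); // a code is accepted once only
        return true;
    }

    private function generate(): string
    {
        // random_int() draws from the OS CSPRNG; leading zeros are kept.
        $code = (string) random_int(0, 10 ** $this->length - 1);
        return str_pad($code, $this->length, '0', STR_PAD_LEFT);
    }

    private function digest(string $userKey, string $code): string
    {
        // Keeps the plain code out of the cache; the try cap, not the hash, stops guessing.
        return hash('sha256', $userKey . ':' . $code);
    }
}

// Constructed demo with a fixed clock (seconds).
$store = new EmailOtpStore();
$code = $store->issue('user:42', 1000);
var_dump($store->resend('user:42', 1030));         // request inside the 60 s cooldown
var_dump($store->verify('user:42', 'abcd', 1040)); // wrong guess, counted against the cap
var_dump($store->verify('user:42', $code, 1100));  // correct code within 5 minutes
var_dump($store->verify('user:42', $code, 1101));  // replay of an already used code
```

With a 4-digit code the keyspace is only 10,000 values, so the guess cap and short expiry carry the security of this factor; raising otp.length widens the margin.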

Time-Based Two-Factor Authentication (TOTP)

Secure your application with Time-Based One-Time Password (TOTP) two-factor authentication, compatible with apps like Google Authenticator, Authy, and Microsoft Authenticator.

Installation

  1. Run Migrations: This adds two_factor_secret, two_factor_recovery_codes, and two_factor_confirmed_at columns to your users table.

    php artisan migrate

  2. Add Trait to User Model: Add the HasTwoFactorAuth trait to your User model for automatic attribute casting and encryption/decryption (optional). If this trait is not used, Tyro Login will still encrypt sensitive data using Laravel's built-in encryption.

    use HasinHayder\TyroLogin\Traits\HasTwoFactorAuth;
    
    class User extends Authenticatable
    {
        use HasTwoFactorAuth;
        
        protected function casts(): array
        {
            return [
                'password' => 'hashed',
                'two_factor_confirmed_at' => 'datetime',
            ];
        }
        
        // ...
        
        protected static function booted()
        {
            static::created(function ($user) {
                // Initialize the trait's casts
                $user->initializeHasTwoFactorAuth();
            });
        }
        
        // OR simply rely on the trait's initialize method if using Laravel 10/11 standard boot
    }

    Note: The trait uses a custom cast EncryptedOrPlaintext to ensure secrets are stored securely.

Configuration

Enable and configure 2FA in config/tyro-login.php:

'two_factor' => [
    // Enable/disable 2FA globally
    'enabled' => env('TYRO_LOGIN_2FA_ENABLED', false),

    // Page titles and subtitles
    'setup_title' => env('TYRO_LOGIN_2FA_SETUP_TITLE', 'Two Factor Authentication'),
    'setup_subtitle' => env('TYRO_LOGIN_2FA_SETUP_SUBTITLE', 'Scan the QR code with your authenticator app.'),
    'challenge_title' => env('TYRO_LOGIN_2FA_CHALLENGE_TITLE', 'Two Factor Authentication'),
    'challenge_subtitle' => env('TYRO_LOGIN_2FA_CHALLENGE_SUBTITLE', 'Enter the code from your authenticator app.'),
    
    // Allow users to skip setup (if false, setup is mandatory)
    'allow_skip' => env('TYRO_LOGIN_2FA_ALLOW_SKIP', false),
],

How it works:

  1. Mandatory Setup: If enabled and allow_skip is false, new users (and existing users without 2FA) are redirected to the setup wizard immediately after login/registration.
  2. Secure Setup: Users must verify a code from their authenticator app to enable 2FA.
  3. Recovery Codes: Upon successful setup, users are shown a set of recovery codes that can be used if they lose access to their device.
  4. Challenge Screen: On subsequent logins, users must provide a TOTP code or a recovery code.
  5. Security: Secrets are encrypted in the database. Users are not fully authenticated until they pass the 2FA challenge.

Passkeys (Passwordless WebAuthn)

Tyro Login supports passwordless login with passkeys (Face ID, Touch ID, Windows Hello, security keys, etc.) on top of the laravel/passkeys package. When enabled, the login page shows a "Sign in with a passkey" button followed by an "or continue with email" divider, while logged-in users can register a passkey from the dedicated /passkeys-setup page.

Requirements: Passkeys only work over HTTPS or localhost (a secure context is required by WebAuthn), and in a modern browser. The browser client is auto-loaded from a CDN, so no build step is needed.

Enabling Passkeys on an Existing Installation

The fastest way is the dedicated setup command, which installs the package, runs the migration, wires up your User model, and flips the feature flag in one go:

php artisan tyro-login:setup-passkeys

What this command does:

  1. Runs composer require laravel/passkeys (if not already installed).
  2. Publishes and runs the passkeys migration (creates the passkeys table).
  3. Sets TYRO_LOGIN_PASSKEYS_ENABLED=true in your .env.

The command does not modify your User model — that's a one-time manual step. After it finishes, follow the Manual Setup instructions below to add the PasskeyAuthenticatable trait and PasskeyUser contract to your User model.

Available options:

  • --force - Overwrite published files / run migration without the production prompt
  • --skip-dependency - Skip the composer require laravel/passkeys step
  • --skip-migration - Skip publishing and running the passkeys migration

Manual Setup

If you prefer to do it by hand:

# 1. Install the package
composer require laravel/passkeys

# 2. Publish and run the migration
php artisan vendor:publish --tag=passkeys-migrations
php artisan migrate

Then update your User model to implement the PasskeyUser contract and use the PasskeyAuthenticatable trait:

use Laravel\Passkeys\Contracts\PasskeyUser;
use Laravel\Passkeys\PasskeyAuthenticatable;

class User extends Authenticatable implements PasskeyUser
{
    use PasskeyAuthenticatable;
    // ...
}

Finally, enable the feature in your .env:

TYRO_LOGIN_PASSKEYS_ENABLED=true

Configuration

You can automatically sync the latest config values by running php artisan tyro-login:update-config, or you can update the configuration manually:

'passkeys' => [
    // Master switch (also requires laravel/passkeys)
    'enabled' => env('TYRO_LOGIN_PASSKEYS_ENABLED', false),

    // Divider shown under the passkey button on the login page
    'divider_text' => env('TYRO_LOGIN_PASSKEYS_DIVIDER', 'or continue with email'),

    // Login button label
    'login_button_text' => env('TYRO_LOGIN_PASSKEYS_LOGIN_BUTTON', 'Sign in with a passkey'),

    // Setup page texts
    'setup_title' => env('TYRO_LOGIN_PASSKEYS_SETUP_TITLE', 'Create a Passkey'),
    'setup_subtitle' => env('TYRO_LOGIN_PASSKEYS_SETUP_SUBTITLE', 'Set up a passkey for faster, passwordless sign-in.'),
    'setup_button_text' => env('TYRO_LOGIN_PASSKEYS_SETUP_BUTTON', 'Create passkey'),

    // Path of the auth-guarded setup page (relative to the route prefix)
    'route' => env('TYRO_LOGIN_PASSKEYS_ROUTE', 'passkeys-setup'),

    // Path of the auth-guarded manage/remove page (relative to the route prefix)
    'remove_route' => env('TYRO_LOGIN_PASSKEYS_REMOVE_ROUTE', 'remove-passkeys'),

    // Manage/remove page texts
    'remove_title' => env('TYRO_LOGIN_PASSKEYS_REMOVE_TITLE', 'Your Passkeys'),
    'remove_subtitle' => env('TYRO_LOGIN_PASSKEYS_REMOVE_SUBTITLE', 'Review and remove the passkeys linked to your account.'),
    'remove_button_text' => env('TYRO_LOGIN_PASSKEYS_REMOVE_BUTTON', 'Remove'),
    'empty_text' => env('TYRO_LOGIN_PASSKEYS_EMPTY_TEXT', 'You don\'t have any passkeys yet.'),

    // ESM URL for the @laravel/passkeys browser client. Override to self-host.
    'cdn_url' => env('TYRO_LOGIN_PASSKEYS_CDN', 'https://esm.sh/@laravel/passkeys@0.2.0'),
],

How it Works

  1. Login page — A "Sign in with a passkey" button appears above the email form (the "or continue with email" divider sits between them). Clicking it triggers the native WebAuthn prompt; on success the user is authenticated and redirected (to redirects.after_login). The button is automatically hidden on unsupported browsers, and saved passkeys can also be surfaced via the email input's autofill (conditional UI).
  2. Setup page — Logged-in users visit /passkeys-setup to register a passkey (optionally giving it a name like "MacBook"). Registration is performed entirely by the official @laravel/passkeys browser client against the routes registered by laravel/passkeys.
  3. Manage page — Logged-in users visit /remove-passkeys to see every passkey linked to their account (name, authenticator, added/last-used dates) and remove any of them with one click. Each removal is scoped to the signed-in user.
  4. Integration — Tyro Login automatically aligns laravel/passkeys with your app: passkey logins redirect to the same place as email logins, suspended users are blocked (mirroring the email flow), and the setup routes are protected only by the auth middleware (no separate password-confirmation step).

Self-Hosting the Browser Client

By default the @laravel/passkeys client is loaded from a CDN. To self-host it (e.g. for offline/CSP reasons), install and bundle it, then point the config at your asset:

npm install @laravel/passkeys

TYRO_LOGIN_PASSKEYS_CDN=/assets/passkeys.js

Notes

  • Passkeys are an optional feature and stay disabled by default. Existing installs without the laravel/passkeys package are completely unaffected.
  • Passkey login bypasses TOTP 2FA / email OTP (a passkey is itself a strong authentication factor); those checks still apply to email-based login.
  • To manage/delete registered passkeys, use the endpoints provided by laravel/passkeys (DELETE /user/passkeys/{id}).

Debug Mode

Enable debug logging for development:

'debug' => env('TYRO_LOGIN_DEBUG', false),

When enabled, OTP codes, verification URLs, and password reset URLs are logged to storage/logs/laravel.log in masked form.

Email Configuration

Tyro Login sends sleek, minimal HTML emails with a clean design. Each email type can be individually enabled or disabled:

'emails' => [
    // OTP verification email
    'otp' => [
        'enabled' => env('TYRO_LOGIN_EMAIL_OTP', true),
        'subject' => env('TYRO_LOGIN_EMAIL_OTP_SUBJECT', 'Your Verification Code'),
    ],

    // Password reset email
    'password_reset' => [
        'enabled' => env('TYRO_LOGIN_EMAIL_PASSWORD_RESET', true),
        'subject' => env('TYRO_LOGIN_EMAIL_PASSWORD_RESET_SUBJECT', 'Reset Your Password'),
    ],

    // Email verification email
    'verify_email' => [
        'enabled' => env('TYRO_LOGIN_EMAIL_VERIFY', true),
        'subject' => env('TYRO_LOGIN_EMAIL_VERIFY_SUBJECT', 'Verify Your Email Address'),
    ],

    // Welcome email after registration
    'welcome' => [
        'enabled' => env('TYRO_LOGIN_EMAIL_WELCOME', true),
        'subject' => env('TYRO_LOGIN_EMAIL_WELCOME_SUBJECT', null), // Uses default with app name
    ],
],

Available Emails:

  • OTP Email - Sent when OTP verification is enabled
  • Password Reset Email - Sent when user requests password reset
  • Email Verification Email - Sent when email verification is required
  • Welcome Email - Sent after successful registration (when verification is not required)

Customizing Email Templates:

Publish email templates to customize them:

php artisan tyro-login:publish --emails

Templates will be published to resources/views/vendor/tyro-login/emails/.

Available template variables:

  • {{ $name }} - User's name
  • {{ $appName }} - Application name
  • {{ $otp }} - OTP code (for OTP email)
  • {{ $resetUrl }} - Password reset URL (for password reset email)
  • {{ $verificationUrl }} - Verification URL (for verification email)
  • {{ $loginUrl }} - Login URL (for welcome email)
  • {{ $expiresIn }} - Expiration time in minutes

Lockout Protection

When enabled, users will be locked out after too many failed login attempts. The lockout state is stored in cache (no database required), and the cache is automatically cleared when the lockout expires.

'lockout' => [
    'enabled' => env('TYRO_LOGIN_LOCKOUT_ENABLED', true),
    'max_attempts' => env('TYRO_LOGIN_LOCKOUT_MAX_ATTEMPTS', 5),
    'duration_minutes' => env('TYRO_LOGIN_LOCKOUT_DURATION', 15),
    'message' => 'Too many failed login attempts. Please try again in :minutes minutes.',
    'title' => 'Account Temporarily Locked',
    'subtitle' => 'For your security, we\'ve temporarily locked your account.',
],

Features:

  • No database required - uses cache
  • Configurable number of attempts before lockout
  • Configurable lockout duration
  • Customizable lockout page message and title
  • Automatic cache cleanup when lockout expires
  • Real-time countdown timer on lockout page
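
A pre-deployment check for the debug, lockout, 2FA and passkey settings documented on this page, as an added example (not a Tyro Login command): it parses a .env file and reports combinations that weaken the login flow. parseEnv(), envFlag(), auditTyroEnv() and the guesses-per-day threshold are assumptions of this example; key names and defaults are the ones shown on the page.

```php
<?php
declare(strict_types=1);

// Added example, not a Tyro Login command: parseEnv(), envFlag() and
// auditTyroEnv() are hypothetical helpers. Key names and defaults are the ones
// shown on this page; the guesses-per-day threshold is an assumption.
const MAX_GUESSES_PER_DAY = 1000;

/** Parse KEY=value lines; skips blanks and comments, strips one pair of quotes. */
function parseEnv(string $text): array
{
    $vars = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        $value = trim($value);
        if (preg_match('/^([\'"])(.*)\1$/', $value, $m) === 1) {
            $value = $m[2];
        }
        $vars[trim($key)] = $value;
    }
    return $vars;
}

/** Read a boolean flag, falling back to the default documented on the page. */
function envFlag(array $env, string $key, bool $default): bool
{
    if (!isset($env[$key]) || $env[$key] === '') {
        return $default;
    }
    return filter_var($env[$key], FILTER_VALIDATE_BOOLEAN);
}

/** Returns a list of findings; empty when nothing was flagged. */
function auditTyroEnv(string $envText): array
{
    $env = parseEnv($envText);
    $findings = [];

    if (($env['APP_ENV'] ?? 'production') === 'production' && envFlag($env, 'TYRO_LOGIN_DEBUG', false)) {
        $findings[] = 'TYRO_LOGIN_DEBUG is on in production: OTP codes and reset/verification '
            . 'URLs are written (masked) to storage/logs/laravel.log';
    }

    if (!envFlag($env, 'TYRO_LOGIN_LOCKOUT_ENABLED', true)) {
        $findings[] = 'TYRO_LOGIN_LOCKOUT_ENABLED is off: failed logins are not throttled';
    } else {
        // Upper bound, assuming max_attempts guesses are possible per lockout window.
        $attempts = max(1, (int) ($env['TYRO_LOGIN_LOCKOUT_MAX_ATTEMPTS'] ?? 5));
        $minutes = max(1, (int) ($env['TYRO_LOGIN_LOCKOUT_DURATION'] ?? 15));
        $perDay = intdiv($attempts * 1440, $minutes);
        if ($perDay > MAX_GUESSES_PER_DAY) {
            $findings[] = "Lockout allows about $perDay password guesses per day";
        }
    }

    if (envFlag($env, 'TYRO_LOGIN_2FA_ENABLED', false) && envFlag($env, 'TYRO_LOGIN_2FA_ALLOW_SKIP', false)) {
        $findings[] = 'TYRO_LOGIN_2FA_ALLOW_SKIP is on: TOTP setup is optional, so 2FA is not enforced';
    }

    if (envFlag($env, 'TYRO_LOGIN_PASSKEYS_ENABLED', false)) {
        // WebAuthn needs a secure context: HTTPS or localhost.
        $url = parse_url($env['APP_URL'] ?? '') ?: [];
        if (($url['scheme'] ?? '') !== 'https' && ($url['host'] ?? '') !== 'localhost') {
            $findings[] = 'Passkeys are enabled but APP_URL is neither HTTPS nor localhost';
        }
        $cdn = $env['TYRO_LOGIN_PASSKEYS_CDN'] ?? 'https://esm.sh/@laravel/passkeys@0.2.0';
        if (preg_match('#^(https?:)?//#i', $cdn) === 1) {
            $findings[] = "Passkey client is loaded from $cdn: allow it in your CSP or self-host it";
        }
    }

    return $findings;
}

// Constructed sample .env for the demo.
$sample = <<<'ENV'
APP_ENV=production
APP_URL=http://shop.example.test
TYRO_LOGIN_DEBUG=true
TYRO_LOGIN_LOCKOUT_MAX_ATTEMPTS=20
TYRO_LOGIN_LOCKOUT_DURATION=1
TYRO_LOGIN_2FA_ENABLED=true
TYRO_LOGIN_2FA_ALLOW_SKIP="true"
TYRO_LOGIN_PASSKEYS_ENABLED=true
ENV;

foreach (auditTyroEnv($sample) as $finding) {
    echo '- ', $finding, PHP_EOL;
}
```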

Social Login (OAuth)

Tyro Login supports OAuth authentication using Laravel Socialite. Users can sign in with their social media accounts.

Supported Providers:

  • Google
  • Facebook
  • GitHub
  • Twitter/X
  • LinkedIn
  • Bitbucket
  • GitLab
  • Slack

Installation

Install with social login support:

php artisan tyro-login:install --with-social

Or add social login to an existing installation:

composer require laravel/socialite
php artisan vendor:publish --tag=tyro-login-migrations
php artisan migrate

Configuration

  1. Enable Social Login Globally:

TYRO_LOGIN_SOCIAL_ENABLED=true

  2. Enable Desired Providers:

TYRO_LOGIN_SOCIAL_GOOGLE=true
TYRO_LOGIN_SOCIAL_GITHUB=true
TYRO_LOGIN_SOCIAL_FACEBOOK=true

  3. Configure Provider Credentials:

Add credentials to config/services.php:

'google' => [
    'client_id' => env('GOOGLE_CLIENT_ID'),
    'client_secret' => env('GOOGLE_CLIENT_SECRET'),
    'redirect' => env('GOOGLE_REDIRECT_URI'),
],

'github' => [
    'client_id' => env('GITHUB_CLIENT_ID'),
    'client_secret' => env('GITHUB_CLIENT_SECRET'),
    'redirect' => env('GITHUB_REDIRECT_URI'),
],

'facebook' => [
    'client_id' => env('FACEBOOK_CLIENT_ID'),
    'client_secret' => env('FACEBOOK_CLIENT_SECRET'),
    'redirect' => env('FACEBOOK_REDIRECT_URI'),
],

// For Twitter/X (OAuth 2.0)
'twitter' => [
    'client_id' => env('TWITTER_CLIENT_ID'),
    'client_secret' => env('TWITTER_CLIENT_SECRET'),
    'redirect' => env('TWITTER_REDIRECT_URI'),
],

// For LinkedIn (OpenID Connect)
'linkedin-openid' => [
    'client_id' => env('LINKEDIN_CLIENT_ID'),
    'client_secret' => env('LINKEDIN_CLIENT_SECRET'),
    'redirect' => env('LINKEDIN_REDIRECT_URI'),
],

// For Slack (OpenID Connect)
'slack-openid' => [
    'client_id' => env('SLACK_CLIENT_ID'),
    'client_secret' => env('SLACK_CLIENT_SECRET'),
    'redirect' => env('SLACK_REDIRECT_URI'),
],

  4. Add Environment Variables:

# Google
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_REDIRECT_URI="${APP_URL}/auth/google/callback"

# GitHub
GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret
GITHUB_REDIRECT_URI="${APP_URL}/auth/github/callback"

# Facebook
FACEBOOK_CLIENT_ID=your-client-id
FACEBOOK_CLIENT_SECRET=your-client-secret
FACEBOOK_REDIRECT_URI="${APP_URL}/auth/facebook/callback"

# Slack
SLACK_CLIENT_ID=your-client-id
SLACK_CLIENT_SECRET=your-client-secret
SLACK_REDIRECT_URI="${APP_URL}/auth/slack/callback"

Social Login Behavior

'social' => [
    'enabled' => env('TYRO_LOGIN_SOCIAL_ENABLED', false),

    // Link social accounts to existing users (matched by email)
    'link_existing_accounts' => env('TYRO_LOGIN_SOCIAL_LINK_EXISTING', true),

    // Automatically create new users from social login
    'auto_register' => env('TYRO_LOGIN_SOCIAL_AUTO_REGISTER', true),

    // Automatically verify user email after social login/register
    // Social providers confirm email ownership, so we can trust the email
    'auto_verify_email' => env('TYRO_LOGIN_SOCIAL_AUTO_VERIFY_EMAIL', true),

    // Text shown above social buttons
    'divider_text' => env('TYRO_LOGIN_SOCIAL_DIVIDER', 'Or continue with'),
],

How it works:

  1. User clicks a social login button on login/register page
  2. User is redirected to the OAuth provider for authentication
  3. After approval, user is redirected back to your app
  4. If user has linked social account → Log them in
  5. If user email exists and linking is enabled → Link social account and log in
  6. If user doesn't exist and auto-register is enabled → Create new user and log in

Automatic Email Verification:

When users authenticate via social login, their email is automatically marked as verified (if auto_verify_email is enabled). This is because OAuth providers confirm email ownership during the authentication process, so we can trust the email address provided.
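
The account-resolution steps and the three behaviour flags above, written out as a pure function (added example, not the package's own code). resolveSocialLogin(), decision() and the array shapes are hypothetical; the email_verified input is an assumption standing for the provider's own confirmed-address signal, which the page does not describe, and the example refuses to link or auto-verify when it is absent.

```php
<?php
declare(strict_types=1);

// Added example, not Tyro Login code: resolveSocialLogin() and the array
// shapes are hypothetical. 'email_verified' is an assumed input standing for
// the provider's own "this address is confirmed" signal.

/** Build a decision: what to do, for which user, and whether to mark the e-mail verified. */
function decision(string $action, ?int $userId = null, bool $markVerified = false, string $reason = ''): array
{
    return ['action' => $action, 'user_id' => $userId, 'mark_verified' => $markVerified, 'reason' => $reason];
}

/**
 * @param array $config  the 'social' flags from config/tyro-login.php
 * @param array $profile provider, provider_user_id, email, email_verified
 * @param array $links   "provider:provider_user_id" => user id (social_accounts)
 * @param array $users   user id => e-mail (users table)
 */
function resolveSocialLogin(array $config, array $profile, array $links, array $users): array
{
    $email = strtolower(trim((string) ($profile['email'] ?? '')));
    $trusted = $email !== '' && ($profile['email_verified'] ?? false) === true;

    // Step 4: an already linked account is matched on the provider's user id, never on e-mail.
    $linkKey = $profile['provider'] . ':' . $profile['provider_user_id'];
    if (isset($links[$linkKey])) {
        $userId = $links[$linkKey];
        // Only vouch for the stored address if it is the one the provider confirmed.
        $same = strtolower($users[$userId] ?? '') === $email;
        return decision('login', $userId, $config['auto_verify_email'] && $trusted && $same);
    }

    if ($email === '') {
        return decision('deny', null, false, 'provider returned no e-mail address');
    }

    // Step 5: same e-mail as an existing user.
    $existingId = array_search($email, array_map('strtolower', $users), true);
    if ($existingId !== false) {
        if (!$config['link_existing_accounts']) {
            return decision('deny', null, false, 'account exists and linking is disabled');
        }
        if (!$trusted) {
            // Linking grants access to an existing account, so demand a confirmed address.
            return decision('deny', null, false, 'unconfirmed provider e-mail cannot claim an existing account');
        }
        return decision('link_and_login', $existingId, $config['auto_verify_email']);
    }

    // Step 6: unknown user.
    if (!$config['auto_register']) {
        return decision('deny', null, false, 'no matching user and auto-register is disabled');
    }
    return decision('register_and_login', null, $config['auto_verify_email'] && $trusted);
}

// Constructed data; the flags are the defaults shown on the page.
$config = ['link_existing_accounts' => true, 'auto_register' => true, 'auto_verify_email' => true];
$links = ['github:1001' => 1];
$users = [1 => 'alice@example.test', 2 => 'bob@example.test'];
$profiles = [
    ['provider' => 'github', 'provider_user_id' => '1001', 'email' => 'alice@example.test', 'email_verified' => true],
    ['provider' => 'google', 'provider_user_id' => 'g-77', 'email' => 'Bob@example.test', 'email_verified' => true],
    ['provider' => 'example-idp', 'provider_user_id' => 'x-9', 'email' => 'bob@example.test', 'email_verified' => false],
    ['provider' => 'example-idp', 'provider_user_id' => 'x-3', 'email' => null],
    ['provider' => 'google', 'provider_user_id' => 'g-88', 'email' => 'carol@example.test', 'email_verified' => true],
];

foreach ($profiles as $p) {
    $d = resolveSocialLogin($config, $p, $links, $users);
    printf(
        "%-12s %-19s mark_verified=%s %s\n",
        $p['provider'],
        $d['action'],
        var_export($d['mark_verified'], true),
        $d['reason']
    );
}
```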

Social Accounts Table:

A migration creates the social_accounts table to store:

  • user_id - Link to your users table
  • provider - The OAuth provider (google, github, etc.)
  • provider_user_id - User ID from the provider
  • provider_email - Email from the provider
  • provider_avatar - Avatar URL from the provider
  • access_token / refresh_token - OAuth tokens (encrypted)
  • token_expires_at - Token expiration time

Customizing Provider Labels and Icons

'social' => [
    'providers' => [
        'google' => [
            'enabled' => true,
            'label' => 'Google',  // Button text
            'icon' => 'google',   // Icon identifier
        ],
        'github' => [
            'enabled' => true,
            'label' => 'GitHub',
            'icon' => 'github',
        ],
    ],
],

Invitation/Referral System

Tyro Login includes a built-in invitation/referral system that allows users to invite others to sign up. Each user can create one unique invitation link that tracks all signups made through it.

Note

For versions older than 2.3.0, run composer update to fetch the latest files for the invitation system, then execute php artisan migrate to create the necessary database tables.

Features

  • One Link Per User - Each user can have exactly one invitation link
  • Automatic Tracking - Referral signups are automatically tracked during registration
  • Silent Invalid Links - Invalid or non-existing invitation hashes are silently ignored (no errors)
  • Prevent Self-Referrals - Users cannot use their own invitation link
  • Prevent Duplicates - Each user can only be referred once
  • Database Backed - Uses two lightweight tables for persistence

Database Tables

  • invitation_links - Stores unique invitation links for users
  • invitation_referrals - Tracks signups through invitation links

CLI Commands

Manage invitation links using the console command:

# Create a new invitation link for a user
php artisan tyro-login:invite-links --create
# or simply
php artisan tyro-login:invite-links

# List all invitation links with referral counts
php artisan tyro-login:invite-links --list

# Remove a user's invitation link
# (warns if there are referral signups)
php artisan tyro-login:invite-links --remove

# Remove all invitation links
# (requires confirmation)
php artisan tyro-login:invite-links --flush

Integration in Your Application

The registration controller automatically tracks referrals. Users can access invitation links via a query parameter:

https://your-app.com/register?invite={hash}

Important: You don't need to do anything special - Tyro Login handles referral tracking automatically during user registration.

Using the Helper Class

Access invitation data programmatically:

use HasinHayder\TyroLogin\Helpers\InvitationHelper;

// Get a user's invitation link
$invitationLink = InvitationHelper::getInvitationLinkForUser($userId);
if ($invitationLink) {
    echo $invitationLink->url; // Full URL: /register?invite={hash}
}

// Get referral count for a user
$count = InvitationHelper::getReferralCount($userId);

// Get all users referred by a specific user
$referredUsers = InvitationHelper::getReferredUsers($userId);

// Validate and track a referral manually
InvitationHelper::trackReferral($invitationHash, $newUserId);

Models

Access invitation data through Eloquent models:

use HasinHayder\TyroLogin\Models\InvitationLink;
use HasinHayder\TyroLogin\Models\InvitationReferral;

// Get invitation link with relationships
$link = InvitationLink::with('user', 'referrals')->find($id);

// Get referral with relationships
$referral = InvitationReferral::with('invitationLink', 'referredUser')->find($id);

Layout Examples

Tyro Login provides 5 stunning layout options to match your application's branding:

1. Centered Layout (Default)

Form appears in the center of the page with a gradient background.

TYRO_LOGIN_LAYOUT=centered

2. Split-Left Layout

Two-column layout with a background image on the left and the form on the right.

TYRO_LOGIN_LAYOUT=split-left
TYRO_LOGIN_BACKGROUND_IMAGE=https://images.unsplash.com/photo-1618005182384-a83a8bd57fbe?w=1920&q=80

3. Split-Right Layout

Two-column layout with the form on the left and a background image on the right.

TYRO_LOGIN_LAYOUT=split-right
TYRO_LOGIN_BACKGROUND_IMAGE=https://images.unsplash.com/photo-1618005182384-a83a8bd57fbe?w=1920&q=80

4. Fullscreen Layout

Full-screen background image with a glassmorphism form overlay featuring frosted glass effect and backdrop blur.

TYRO_LOGIN_LAYOUT=fullscreen
TYRO_LOGIN_BACKGROUND_IMAGE=https://images.unsplash.com/photo-1618005182384-a83a8bd57fbe?w=1920&q=80

5. Card Layout

Floating card design with subtle radial gradient background patterns and smooth hover animations.

TYRO_LOGIN_LAYOUT=card

6. YouTube Video Background Layout

Full-screen YouTube video background with a glassmorphism form overlay. The form sits in the center while the video plays behind it.

TYRO_LOGIN_LAYOUT=youtube-video
# YouTube video URL or video ID (default: 'https://www.youtube.com/watch?v=dQw4w9WgXcQ')
TYRO_LOGIN_VIDEO_URL=https://www.youtube.com/watch?v=dQw4w9WgXcQ
# Blur effect on the video background (default: '4px')
TYRO_LOGIN_VIDEO_BLUR=4px
# Overlay color (any CSS color value) (default: '#111827')
TYRO_LOGIN_VIDEO_OVERLAY_COLOR=#111827
# Overlay opacity (0.0 to 1.0) (default: 0.1)
TYRO_LOGIN_VIDEO_OVERLAY_OPACITY=0.1
# Enable video sound (true/false) (default: false)
TYRO_LOGIN_VIDEO_SOUND=false

Features:

  • Muted video by default (set TYRO_LOGIN_VIDEO_SOUND=true to enable sound)
  • Configurable blur effect on the video background
  • Customizable overlay color and opacity
  • Video automatically loops and plays inline
  • Form maintains glassmorphism effect and remains fully functional

Animated Birds Layout

A full-screen animated flock of birds flies across the background while the login form stays centered in an ultra-premium translucent glassmorphism card. The animation is pure canvas/JavaScript (no external dependencies, no network requests) and adapts its palette dynamically to the active light/dark theme (featuring a warm sunrise sky in light mode, and dusk/night sky tones in dark mode with automatically adjusted contrast).

TYRO_LOGIN_LAYOUT=animated-birds
# Single color drives both the sky background and the frosted form tint (default: '#f7f2ec')
TYRO_LOGIN_BIRDS_COLOR=#f7f2ec

Features:

  • Self-contained canvas animation (no images, no video, no third-party requests)
  • Theme-aware: warm sky in light mode, dusk tones in dark mode
  • Highly transparent, refined frosted glass card with high-contrast readable elements
  • Lightweight and GPU-friendly
  • Form maintains glassmorphism effect and remains fully functional

Aurora Waves Layout

Soft, flowing aurora-like gradient ribbons drift across a dark sky behind a centered glass form. The primary color drives both the background and the frosted form tint.

TYRO_LOGIN_LAYOUT=aurora-waves
# Base color (dark recommended) - drives background + form tint (default: '#0b1020')
TYRO_LOGIN_AURORA_COLOR=#0b1020
# Animation speed multiplier (default: 1)
TYRO_LOGIN_AURORA_SPEED=1
# Ribbon intensity 0 (faint) to 1 (vivid) (default: 0.5)
TYRO_LOGIN_AURORA_INTENSITY=0.5

Particle Network Layout

Floating nodes connected by faint lines - a classic "connected tech" look with optional mouse interaction (nodes repel and link to the cursor). This layout is fully theme-aware: in light mode, it displays a light background with dark particles and connections, and in dark mode, it automatically transitions to a dark background with light particles and connections.

TYRO_LOGIN_LAYOUT=particle-network
# Base color for dark mode (default: '#0f172a')
TYRO_LOGIN_PARTICLE_COLOR=#0f172a
# Particle density on a 1280x720 viewport, scales with area (default: 80)
TYRO_LOGIN_PARTICLE_DENSITY=80
# Max distance (px) linking two nodes (default: 130)
TYRO_LOGIN_PARTICLE_LINK_DISTANCE=130
# React to the mouse cursor (default: true)
TYRO_LOGIN_PARTICLE_INTERACTIVE=true

Tidal Layout

A bright seascape of layered flowing waves and rising bubbles under a soft sky glow, behind a centered frosted glass form. The primary color drives the water (and sky/bubble tint).

TYRO_LOGIN_LAYOUT=tidal
# Primary water color (default: '#1f7a8c')
TYRO_LOGIN_TIDAL_COLOR=#1f7a8c
# Wave animation speed multiplier (default: 1)
TYRO_LOGIN_TIDAL_SPEED=1
# Show rising bubbles (default: true)
TYRO_LOGIN_TIDAL_BUBBLES=true

All animated layouts (animated-birds, aurora-waves, particle-network, tidal) share:

  • Self-contained canvas animation (no images, no video, no third-party requests)
  • Theme-aware (light/dark) dynamically
  • One config color drives the background and the frosted glass form tint (or adapts to dark mode)
  • Lightweight and GPU-friendly
  • Form maintains glassmorphism effect and remains fully functional

All layouts support:

  • Dark and light themes
  • Fully responsive design
  • Customizable branding
  • All authentication features (OTP, captcha, email verification, etc.)

Customization

Publishing Views

To customize the views, publish them to your application:

php artisan tyro-login:publish --views

Views will be published to resources/views/vendor/tyro-login/.

Publishing Email Templates

To customize the email templates:

php artisan tyro-login:publish --emails

Email templates will be published to resources/views/vendor/tyro-login/emails/.

Publishing Everything

php artisan tyro-login:publish

This publishes config, views, email templates, and assets.

Theme Customization (shadcn Variables)

Tyro Login uses shadcn/ui CSS variables for theming, making it easy to customize colors and integrate with shadcn-based projects.

Publishing Theme Files

Publish the theme variables to customize the look and feel:

# Publish only theme variables (recommended for color customization)
php artisan tyro-login:publish-style --theme-only

# Or publish complete styles (theme + component styles)
php artisan tyro-login:publish-style

Theme files will be published to resources/views/vendor/tyro-login/partials/.

Visual Theme Editing with tweakcn (free)

The easiest way to customize your theme is using tweakcn.com:

  1. Visit tweakcn.com
  2. Use the visual editor to create your perfect color palette
  3. Copy the generated CSS variables
  4. Publish your theme: php artisan tyro-login:publish-style --theme-only
  5. Paste the variables into resources/views/vendor/tyro-login/partials/shadcn-theme.blade.php

Theme File Structure

After publishing, your theme structure will be:

resources/views/vendor/tyro-login/partials/
├── shadcn-theme.blade.php  # Theme variables (edit this!)
└── styles.blade.php        # Component styles (includes theme)

The shadcn-theme.blade.php file contains only CSS variables, making it safe to edit without breaking component styles.

Artisan Commands

Tyro Login provides several artisan commands:

| Command | Description |
|---|---|
| php artisan tyro-login:install | Install the package and publish configuration |
| php artisan tyro-login:install --with-social | Install with social login (Laravel Socialite) support |
| php artisan tyro-login:install --with-passkeys | Install with passkey (WebAuthn) login support |
| php artisan tyro-login:setup-passkeys | Enable passkeys on an existing installation |
| php artisan tyro-login:publish | Publish config, views, email templates, and assets |
| php artisan tyro-login:publish --emails | Publish only email templates |
| php artisan tyro-login:publish-style | Publish styles (theme + components) |
| php artisan tyro-login:publish-style --theme-only | Publish only theme variables |
| php artisan tyro-login:verify-user | Mark a user's email as verified |
| php artisan tyro-login:unverify-user | Remove email verification from a user |
| php artisan tyro-login:version | Display the current Tyro Login version |
| php artisan tyro-login:doc | Open the documentation in your browser |
| php artisan tyro-login:star | Open GitHub repository to star the project |

User Verification Commands

Tyro Login provides commands to manually verify or unverify user email addresses.

Verify a single user by email:

php artisan tyro-login:verify-user john@example.com

Verify a single user by ID:

php artisan tyro-login:verify-user 123

Verify all unverified users:

php artisan tyro-login:verify-user --all

Unverify a single user:

php artisan tyro-login:unverify-user john@example.com

Unverify all verified users:

php artisan tyro-login:unverify-user --all

Reset 2FA for a user:

Users who are currently locked out, or who have lost their device or codes, can have their 2FA reset by an admin:

php artisan tyro-login:reset-2fa user@example.com
# OR
php artisan tyro-login:reset-2fa 1

These commands are useful for:

  • Manually verifying users during development or testing
  • Bulk verification of imported users
  • Resetting verification status for testing email flows

Routes

Tyro Login registers the following routes:

| Method | URI | Name | Description |
|---|---|---|---|
| GET | /login | tyro-login.login | Show login form |
| POST | /login | tyro-login.login.submit | Handle login |
| GET | /register | tyro-login.register | Show registration form |
| POST | /register | tyro-login.register.submit | Handle registration |
| GET/POST | /logout | tyro-login.logout | Handle logout |
| GET | /lockout | tyro-login.lockout | Show lockout page |
| GET | /email/verify | tyro-login.verification.notice | Show verification notice |
| GET | /email/not-verified | tyro-login.verification.not-verified | Show unverified email page |
| GET | /email/verify/{token} | tyro-login.verification.verify | Verify email |
| POST | /email/resend | tyro-login.verification.resend | Resend verification email |
| GET | /forgot-password | tyro-login.password.request | Show forgot password form |
| POST | /forgot-password | tyro-login.password.email | Send reset link |
| GET | /reset-password/{token} | tyro-login.password.reset | Show reset form |
| POST | /reset-password | tyro-login.password.update | Reset password |
| GET | /otp/verify | tyro-login.otp.verify | Show OTP form |
| POST | /otp/verify | tyro-login.otp.submit | Verify OTP |
| POST | /otp/resend | tyro-login.otp.resend | Resend OTP |
| GET | /otp/cancel | tyro-login.otp.cancel | Cancel OTP verification |
| GET | /auth/{provider}/redirect | tyro-login.social.redirect | Redirect to OAuth provider |
| GET | /auth/{provider}/callback | tyro-login.social.callback | Handle OAuth callback |
| GET | /passkeys-setup ¹ | tyro-login.passkeys.setup | Passkey registration page |
| GET | /remove-passkeys ¹ | tyro-login.passkeys.remove | List/manage your passkeys |
| DELETE | /remove-passkeys/{id} ¹ | tyro-login.passkeys.destroy | Delete a passkey |

¹ The /passkeys-setup, /remove-passkeys and /remove-passkeys/{id} routes are only registered when passkeys are enabled (TYRO_LOGIN_PASSKEYS_ENABLED=true) and laravel/passkeys is installed. The laravel/passkeys package itself registers additional API routes (/passkeys/login, /user/passkeys, etc.) once installed.

Customizing Route Prefix

'routes' => [
    'prefix' => env('TYRO_LOGIN_ROUTE_PREFIX', 'auth'),
    // Routes will be: /auth/login, /auth/register, etc.
],

Security Features

Tyro Login implements industry-standard security practices:

  • Encrypted Data Storage
    • OAuth access and refresh tokens encrypted at rest using Laravel's encryption
    • Custom EncryptedOrPlaintext cast for seamless migration
    • Protects against database compromise
  • Cryptographically Secure Random
    • OTP codes generated using random_int() (cryptographically secure)
    • Eliminates predictable patterns and statistical analysis attacks
  • Session Security
    • Session regeneration after logout in OTP flow prevents fixation attacks
    • Session regeneration on successful login prevents session fixation
    • Secure session handling throughout authentication flows
  • CSRF Protection
    • All forms include CSRF tokens
    • Logout requires POST request with CSRF token
    • Protection against cross-site request forgery attacks
  • Lockout Protection
    • Temporarily lock accounts after failed attempts (cache-based, no database)
    • Configurable attempts and duration
    • Automatic cache cleanup when lockout expires
  • Email Verification
    • Optional email verification for new registrations
    • Secure signed URLs with expiration
    • Automatic verification via social login
  • Secure Password Reset
    • Time-limited, signed URLs for password reset
    • Tokens stored in cache with expiration
    • Automatic token cleanup
  • Password Security
    • Laravel's bcrypt/argon2 hashing
    • Configurable minimum password length
    • Password confirmation requirement
  • Privacy-Safe Debug Logging
    • Email addresses masked in logs (e.g., use***@example.com)
    • No security tokens or sensitive URLs logged
    • GDPR/CCPA compliant logging
    • Structured logging format
  • Input Validation
    • Server-side validation with proper error messages
    • Protection against malicious input
    • Email format validation
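
The following PHP is an added example, not code from Tyro Login. It shows a random_int()-based OTP that is stored only as a keyed hash, checked in constant time and limited by expiry and attempts, plus an email mask of the use***@example.com form that never reveals a short local part in full. The function names, the HMAC key, the 300-second lifetime and the five-attempt budget are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not Tyro Login's source. Function names, the HMAC key,
// the lifetime and the attempt budget are assumptions made for this example.

/** Uniform N-digit code from the CSPRNG; leading zeros are kept. */
function generateOtp(int $digits = 6): string
{
    return str_pad((string) random_int(0, 10 ** $digits - 1), $digits, '0', STR_PAD_LEFT);
}

/** Returns [code to e-mail, record to store]; only a keyed hash is stored. */
function issueOtp(string $key, int $ttl = 300, int $attempts = 5): array
{
    $code = generateOtp();
    $hash = hash_hmac('sha256', $code, $key);
    return [$code, ['hash' => $hash, 'expires_at' => time() + $ttl, 'attempts_left' => $attempts]];
}

/** Constant-time check; each call spends an attempt, success burns the code. */
function verifyOtp(array &$rec, string $submitted, string $key): bool
{
    if ($rec['attempts_left'] <= 0 || time() > $rec['expires_at']) {
        return false;
    }
    $rec['attempts_left']--;
    $ok = hash_equals($rec['hash'], hash_hmac('sha256', $submitted, $key));
    if ($ok) {
        $rec['attempts_left'] = 0; // single use: a replay is rejected
    }
    return $ok;
}

/** Keep at most 3 leading characters, and never the whole local part. */
function maskEmail(string $email): string
{
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return '***';
    }
    return substr($email, 0, min(3, $at - 1)) . '***' . substr($email, $at);
}

// Constructed sample run.
$key = random_bytes(32);
[$code, $rec] = issueOtp($key);
var_dump(verifyOtp($rec, $code, $key)); // first use of the issued code
var_dump(verifyOtp($rec, $code, $key)); // replay of the same code
echo maskEmail('user@example.com'), PHP_EOL;
```

Because the stored record holds an HMAC rather than the code itself, a leaked cache entry or database row does not directly expose a usable OTP.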

Integration with Tyro

Tyro Login integrates seamlessly with the Tyro package:

  1. When a new user registers, Tyro Login can automatically assign a default role
  2. Configure the default role slug in your config
  3. Ensure your User model uses the HasTyroRoles trait

// In your User model
use HasinHayder\Tyro\Concerns\HasTyroRoles;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    use HasTyroRoles;
}

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security-related issues, please email hasin@hasin.me instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Credits

Made with love for the Laravel community by Hasin Hayder

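Statistics

  • Total downloads: 4.44k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 246
  • Clicks: 15
  • Dependent projects: 1
  • Recommendations: 0

GitHub Information

  • Stars: 245
  • Watchers: 4
  • Forks: 27
  • Language: PHP

Other Information

  • License: MIT
  • Last updated: 2025-11-30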
