by customising Passport to return the refresh_token as a HttpOnly cookie, but this introduces other problems. We're going to park this idea for now and return to it later.

2. Personal Access Tokens
This is a very basic method for generating tokens for users. In itself, it does not attempt to do any authentication for the users session, and just provides a method for the user to generate authentication tokens for whatever they want.

3. SPA Authentication
Same as Sanctum, does not support cross-domain requests.

Summary
It appears there is no out-of-the-box solution from Sanctum or Passport for secure, persistent, cross-domain web application authentication. Therefore we have to explore custom solutions.

Custom solution
To implement this yourself you need to:

1. Use Passport Authorization Code Grant with PKCE, but modify it to:
1. Include an HttpOnly refresh_token cookie in your response instead of the JSON refresh token, along with your default access token
2. Store the access token in memory only, and make it short lived (e.g. 10-15 mins)
3. Define a custom middleware for the /oauth/token route. Laravel Passport's built-in refresh route expects a refresh_token param, and won't work with an HttpOnly cookie. Therefore your middleware will receive the refresh token cookie (using fetch's "credentials: include" or axios) and append it to the request params.
1. e.g. $request->merge(['refresh_token' => $cookie])
4. CSRF protect the /oauth/token route. Because you are now using cookies, you need to CSRF protect this route.

This solution gives you:

1. Persistence across device / browser restarts (via the HttpOnly cookie)
2. Security from XSS (Javanoscript cannot read HttpOnly cookies)
3. CSRF protection (via your custom CSRF logic)
4. Cross-domain authentication to your API via your access token

You will also need to scope the token, unless you want 1 token to authenticate all your frontends (e.g. logging in to frontend1.com logs you in to frontend2.com and frontend3.com).

Questions

1. What am I missing? This doesn't seem like a niche use case, and I'm sure someone else has solved this problem before. However I been back and forth through the docs and asked all the AI's I know, and I cannot find an existing solution.
2. If this is a niche use case without an out-of-the-box solution, how would you solve it? Is the custom solution I proposed the best way?

https://redd.it/1lxsvei
@r_php

Static Typing for the AWS SDK for PHP
https://chrastecky.dev/programming/static-typing-for-the-aws-sdk-for-php

https://redd.it/1lxvqm2
@r_php

Why are so many PHP devs just plain bad at coding?

Not even joking, I'm tired of this. So many PHP developers write total garbage and act like it's fine.
No patterns, no tests, no static analysis, nothing. Just throwing code around and praying it works. Some of them are even proud of it.

I told them to start using PHPStan, and it was like I spoke alien language. Some never even heard of it. Others said it forces unnecessary things like return types, and slows us down. WTF?

Honestly I bet a lot of ppl here never used PHPStan / Psalm or any style formatting tools like cs-fixer or rector. Or how many of you actually use declare(strict_types=1) as a default for every new file? Be honest.

This isn't rocket science. These are basic tools. If you're writing PHP and not using static analysis or formatters, you're just leaving a mess for the next dev who touches your code.

And worst part? These people dramatically increase technical debt for their companies. Working with their code becomes a total nightmare over time. But somehow they sell it to the business as performant development. Like oh we don’t need strict types, or unit tests, it just slows us down, we move fast
No you don’t. You move in circles, breaking shit

PHP isn't the problem. It’s this lazy it works so leave it mindset that kills projects slowly.

Just use the damn tools. It takes like 10 minutes to set up and saves everyone hours later

https://redd.it/1lxxhjf
@r_php

Do we really need all these long prefixes?
https://redd.it/1ly4ge8
@r_php

I made a todo-list generator for building Laravel apps, with Laravel ❤️ (work in progress)

https://redd.it/1lygdwl
@r_php

How are you all handling scheduled jobs and observability for background tasks like invoicing?

We've complex app built on top of symfony components a where we have background jobs like sending invoices, daily syncs etc.

Currently, we're triggering these jobs on a schedule and pushing them into a queue, but there's a concern around lack of observability like not knowing if a job actually ran, how long it took, or if/why it failed, unless we dig into logs or the queue backend.

Our devops team suggested moving this logic into an external workflow tool (like n8n) that calls our app’s API. That would give us history, logs, retries, error notifications, etc. But I’m still thinking whether there’s a better or more standard approach.

https://redd.it/1lynib9
@r_php

year 0 php developer here , what skills should i have at the end of the year to become irreplacable

i have just started and i wanna know me php

https://redd.it/1lyt8ax
@r_php

Weekly /r/Laravel Help Thread

Ask your Laravel help questions here. To improve your chances of getting an answer from the community, here are some tips:

What steps have you taken so far?
What have you tried from the documentation?
Did you provide any error messages you are getting?
Are you able to provide instructions to replicate the issue?
Did you provide a code example?
Please don't post a screenshot of your code. Use the code block in the Reddit text editor and ensure it's formatted correctly.

For more immediate support, you can ask in the official Laravel Discord.

Thanks and welcome to the r/Laravel community!

https://redd.it/1lyxtxm
@r_php

Kicking off the Symfony AI Initiative
https://symfony.com/blog/kicking-off-the-symfony-ai-initiative

https://redd.it/1lz31i3
@r_php

Using spatie/laravel-data with Doctrine

Haven't seen this combo yet on here. Anybody use this combination, and which Collection library do you use? I'm thinking that I will need to use doctrine/collection instead of laravel-data's so that Doctrine doesn't break.

https://redd.it/1lz5f28
@r_php

Weekly Ask Anything Thread

Feel free to ask any questions you think may not warrant a post. Asking for help here is also fine.

https://redd.it/1lzbrx5
@r_php

Built a tool to help my YouTube audience actually finish their projects, maybe it can help you too

Hey all,

Gio here from the ProgramWithGio YouTube channel. I don't post much here on Reddit, but I wanted to share a project I released some time ago.

I create coding tutorials focused on PHP & Laravel, and want to help people actually build portfolios, not just watch videos. The problem is, after watching a tutorial, people often don't know what to work on next or how to structure their learning into real projects.

So I built CodeArch. It's basically a project management tool designed to give you a guided path for building projects, so you always know what to work on next. I also built it to scratch my own itch. If you're like me, you probably have a graveyard of unfinished side projects. You start with a great idea and tons of motivation, but then scope creep sets in, you get lost in what to do next, and that initial excitement kind of fades away. CodeArch attempts to solve this by breaking down projects into clear, actionable tasks with gamified elements so you feel a sense of reward and progress after completing each one.

For my YouTube audience, this reinforces the content I create. I'm curating projects and recording full walkthroughs, so you can follow along and actually complete what we start. But I'm also designing this to be useful beyond my YouTube community, I believe it could help any developer build projects step by step with clear direction. I'd love to see if that theory holds up and if it resonates with developers outside my audience.

I'm focusing on PHP & Laravel developers since that's my niche, but the tool can work for any stack. You can create project roadmaps yourself, and in the future I'm planning to let you share them with the community or enroll in highly-ranked community project paths. You can also use the built-in AI support to generate project breakdowns with a simple prompt and select a custom stack where you describe your tech stack in the prompt. You can watch a course on YouTube, Laracasts, CodeCourse, or Udemy and then feed some of the topics you learned into CodeArch to generate a project breakdown that you can follow.

Some features I want to add if I see there's enough interest include an AI assistant for individual tasks when you get stuck, exportable project and task context for tools like Cursor, ClaudeCode, ChatGPT, etc., daily/weekly coding challenges, and the ability to share your custom project breakdowns with other developers.

It's free. Down the road I might add a premium tier with extra AI credits and features, maybe even hands-on support from me, but monetizing isn't my priority right now. I genuinely want to see if this solves the "tutorial hell" problem for other developers.

Honestly, I built this to solve my own problem of helping my audience actually start & finish projects. If it's useful beyond my YouTube community, that's awesome. If not, at least my subscribers will benefit.

Check it out at codearch.app

You can also watch the announcement video if you prefer video format: https://www.youtube.com/watch?v=jGqE4HQFwHg

Thanks!

https://redd.it/1lzdir9
@r_php

Weekly help thread

Hey there!

This subreddit isn't meant for help threads, though there's one exception to the rule: in this thread you can ask anything you want PHP related, someone will probably be able to help you out!

https://redd.it/1lzeq6p
@r_php

Laravel: Upload Large Files with Filepond and Chunks
https://www.youtube.com/watch?v=xxo2uX5HoM8

https://redd.it/1lzgqhb
@r_php

DTOs, when does it become too much?

Hi guys, I hope you are all good. I started working on a new project over the last week, and was using DTOs(nothing fancy, just read-only classes and properties), and this got me thinking, when does it become too much(or is there even anything like too much DTOs). When does DTOs become "harmful"?
Is there a point like "okay, this are too many DTOs, you should consider a different pattern or approach"?

Sorry if this seems like a vague question, I just can't get it out of my mind and thought I'd ask other Devs.


https://redd.it/1lzgnxr
@r_php

Building a code graph for PHP

Are there any tools that support codifying PHP codebases into a graph - like for Neo4j? I know there are some for Python, JavaScript, and Typenoscript. But I haven’t seen anything for PHP yet.

https://redd.it/1lzhgkz
@r_php

Using a "heartbeat" pattern for cron jobs bad practice?

I've built an app that currently uses cron jobs managed through the built-in cron manager in my Cloudways hosting panel. It's functional but hard to read, and making changes requires logging into the host panel and editing the jobs manually.

I'm considering switching to a "heartbeat" cron approach: setting up a single cron job that runs every minute and calls a noscript. That noscript would then check a database or config for scheduled tasks, log activity, and run any jobs that are due. This would also let me build a GUI in my app to manage the job schedule more easily.

Is this heartbeat-style cron setup considered bad practice? Or is there a better alternative for managing scheduled jobs in a more flexible, programmatic way?

https://redd.it/1lzjire
@r_php

NativePHP for Mobile v1.1 is released!
https://nativephp.com/blog/mobile-v1-1-is-here

https://redd.it/1lzmhk0
@r_php