Works on Laravel 7
I know this has already been answered many times, but here was my approach. It isn't much different from some of the others, but I wanted to provide a little more detailed explanation for some of the choices I made.
I decided for my app that it was ok to simply abort 403 if the user is not active; returning validation exceptions has already been fairly covered here.
My suggestion here is to override the login method from vendor/laravel/ui/auth-backend/AuthenticatesUsers.php by copying it into app/Http/Controllers/Auth/LoginController.php. I would also suggest adding this check after the throttle check, as that should take precedence imo.
Here's what my LoginController looks like. I'm just pulling in the login method and adding about 3-4 lines of code.
```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use App\User; // default model location in Laravel 7
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = RouteServiceProvider::HOME;

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    /**
     * Handle a login request to the application.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response|\Illuminate\Http\JsonResponse
     *
     * @throws \Illuminate\Validation\ValidationException
     */
    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        // Check if user is active
        $user = User::where('email', $request->email)->first();
        if ($user && !$user->active) {
            abort(403, 'Your account has been disabled by an administrator.');
        }

        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
}
```
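An added example, not part of the original answer: a variant that leaves the stock login() untouched and overrides attemptLogin() instead, so the active check runs only after the password has been verified and the 403 message is never shown to a caller who only knows the email address. It assumes Laravel 7 with laravel/ui, the default session guard (needed for getLastAttempted()), and the same boolean `active` column on the user model.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = RouteServiceProvider::HOME;

    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    /**
     * Verify the password first, then check the active flag, then log in.
     * Called by the trait's login() after validation and the throttle check.
     */
    protected function attemptLogin(Request $request)
    {
        $guard = $this->guard();

        // validate() checks the credentials without logging the user in.
        // Unlike attempt(), it does not fire the Attempting/Failed auth events.
        if (! $guard->validate($this->credentials($request))) {
            // Unknown email or wrong password: returning false lets login()
            // count the attempt and send the generic failure response,
            // whether or not the account is disabled.
            return false;
        }

        // The user whose credentials were just verified (session guard only).
        $user = $guard->getLastAttempted();

        if (! $user->active) {
            abort(403, 'Your account has been disabled by an administrator.');
        }

        $guard->login($user, $request->filled('remember'));

        return true;
    }
}
```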