Thin controllers — moving logic to services/actions
Concept
Form Requests are dedicated request validation classes that keep validation logic out of controllers. They also handle authorization for the request. Using Form Requests enforces the single-responsibility principle on controllers.
php artisan make:request StoreUserRequest: Creates app/Http/Requests/StoreUserRequest.php. Two required methods: authorize() and rules().
authorize(): bool: Returns true if the request is authorized. Return false to throw a 403 Forbidden. Perform authorization checks here (policy checks, permission checks). Don't just return true blindly — if all requests are always authorized, move validation to an inline $request->validate() instead.
rules(): array: Returns the validation rules. Same format as $request->validate() rules.
Automatic injection: Type-hint the Form Request class in the controller method parameter: public function store(StoreUserRequest $request). Laravel automatically validates the request before the method runs. If validation fails, Laravel redirects back with errors (or returns JSON for API requests) — your method body never runs.
Custom messages: Override messages(): array to provide custom error messages. Override attributes(): array to rename fields in error messages.
prepareForValidation(): Override to modify input before validation runs. Use for normalizing data, setting defaults, or transforming formats.
passedValidation(): Override to run code after validation passes. Good for merging additional data.
Code Example
<?php
namespace App\Http\Requests;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Gate;
class StoreUserRequest extends FormRequest
{
/**
* Can the current user make this request?
*/
public function authorize(): bool
{
return Gate::allows('create-users');
}
/**
* Validation rules.
*/
public function rules(): array
{
return [
'name' => ['required', 'string', 'max:255'],
'email' => ['required', 'email:rfc,dns', 'unique:users,email'],
'password' => ['required', 'string', 'min:8', 'confirmed'],
'role' => ['required', 'in:admin,editor,viewer'],
'avatar' => ['nullable', 'image', 'max:2048'], // max 2MB
];
}
public function messages(): array
{
return [
'email.unique' => 'This email address is already registered.',
'password.confirmed' => 'The passwords do not match.',
];
}
public function attributes(): array
{
return [
'password' => 'password field',
];
}
// Transform input before validation
protected function prepareForValidation(): void
{
$this->merge([
'email' => strtolower($this->email ?? ''),
'role' => $this->role ?? 'viewer',
]);
}
}
// Controller — clean and focused
namespace App\Http\Controllers;
use App\Http\Requests\StoreUserRequest;
use App\Models\User;
class UserController extends Controller
{
public function store(StoreUserRequest $request): JsonResponse
{
// No validation needed here — FormRequest already validated
// $request->validated() returns only validated fields
$user = User::create($request->safe()->except('password') + [
'password' => bcrypt($request->password),
]);
return response()->json(new UserResource($user), 201);
}
}