From superpowers-laravel
Promotes Laravel route best practices: map requests to controllers only, avoid inline business logic, validation, or DB operations. Includes anti-patterns and refactoring examples for clean routes.
npx claudepluginhub jpcaparas/superpowers-laravel --plugin superpowers-laravelThis skill uses the workspace's default tool permissions.
Keep your route files clean and focused on mapping requests to controllers. Routes should never contain business logic, validation, or database operations.
Provides production-grade Laravel solutions with clean architecture, security best practices, performance optimizations, and idiomatic patterns for Laravel 10/11+. Use for features, refactoring, APIs, auth, services, DB interactions, and code reviews.
Reduces Laravel controller bloat by moving auth/validation to Form Requests, extracting logic to Actions/Services with DTOs, and using resource/single-action controllers. Useful for refactoring bloated controllers.
Provides Laravel architecture patterns for production apps: routing/controllers, Eloquent ORM, service layers, queues, events, caching, API resources.
Share bugs, ideas, or general feedback.
Keep your route files clean and focused on mapping requests to controllers. Routes should never contain business logic, validation, or database operations.
// BAD: Business logic directly in routes
Route::post('/order/{order}/cancel', function (Order $order) {
if ($order->status !== 'pending') {
return response()->json(['error' => 'Cannot cancel'], 400);
}
$order->status = 'cancelled';
$order->cancelled_at = now();
$order->save();
Mail::to($order->user)->send(new OrderCancelled($order));
return response()->json(['message' => 'Order cancelled']);
});
// BAD: Validation in routes
Route::post('/users', function (Request $request) {
$validated = $request->validate([
'name' => 'required|string|max:255',
'email' => 'required|email|unique:users',
]);
return User::create($validated);
});
// GOOD: Routes only map to controllers
Route::post('/order/{order}/cancel', [OrderController::class, 'cancel']);
Route::post('/users', [UserController::class, 'store']);
// GOOD: Use route groups for organization
Route::prefix('api/v1')->group(function () {
Route::apiResource('orders', OrderController::class);
Route::post('orders/{order}/cancel', [OrderController::class, 'cancel']);
});
// GOOD: Named routes for maintainability
Route::post('/order/{order}/cancel', [OrderController::class, 'cancel'])
->name('orders.cancel');
// GOOD: Middleware in routes, logic in controllers
Route::middleware(['auth', 'verified'])->group(function () {
Route::resource('admin/users', AdminUserController::class);
});
// app/Http/Controllers/OrderController.php
class OrderController extends Controller
{
public function __construct(
private readonly OrderCancellationService $cancellationService
) {}
public function cancel(CancelOrderRequest $request, Order $order)
{
$this->cancellationService->cancel($order);
return response()->json([
'message' => 'Order cancelled successfully'
]);
}
}
// app/Http/Requests/CancelOrderRequest.php
class CancelOrderRequest extends FormRequest
{
public function authorize(): bool
{
return $this->user()->can('cancel', $this->route('order'));
}
public function rules(): array
{
return [
'reason' => 'nullable|string|max:500',
];
}
}
// routes/web.php - Keep it minimal
Route::get('/', [HomeController::class, 'index']);
Route::get('/about', [PageController::class, 'about']);
require __DIR__ . '/auth.php';
require __DIR__ . '/admin.php';
// routes/admin.php - Separate concerns
Route::prefix('admin')
->middleware(['auth', 'admin'])
->name('admin.')
->group(function () {
Route::get('/dashboard', [AdminDashboardController::class, 'index'])
->name('dashboard');
Route::resource('users', AdminUserController::class);
});
// routes/api.php - API routes
Route::prefix('v1')->group(function () {
Route::apiResource('products', Api\ProductController::class);
Route::post('products/{product}/reviews', [Api\ReviewController::class, 'store']);
});
Routes are declarations, not implementations
Use route model binding
// Laravel automatically resolves the Order model
Route::put('/orders/{order}', [OrderController::class, 'update']);
Group related routes
Route::controller(OrderController::class)->group(function () {
Route::get('/orders', 'index');
Route::get('/orders/{order}', 'show');
Route::post('/orders', 'store');
});
Use resource controllers when appropriate
Route::resource('photos', PhotoController::class)
->only(['index', 'show'])
->names('gallery.photos');
Leverage route caching in production
sail artisan route:cache
Route closures are acceptable only for:
// Acceptable for simple static views
Route::view('/terms', 'legal.terms');
Route::view('/privacy', 'legal.privacy');
// Or simple redirects
Route::redirect('/home', '/dashboard');
Route::permanentRedirect('/old-about', '/about');
test('order cancellation route requires authentication', function () {
$order = Order::factory()->create();
$response = $this->postJson("/orders/{$order->id}/cancel");
$response->assertUnauthorized();
});
test('route names are properly defined', function () {
expect(route('orders.cancel', ['order' => 1]))
->toBe('http://localhost/orders/1/cancel');
});
Remember: If you're writing more than one line of code in a route definition, it belongs in a controller!