

@Nima8FT Nima8FT commented Nov 1, 2025

Summary

Replaced all usages of auth()->user() with proper dependency injection to improve testability and architecture.

Changes

  • Updated controllers to inject Authenticatable or User instead of using global auth() helper.
  • Ensured all routes using these controllers are protected by auth middleware.

Fix #344


coderabbitai bot commented Nov 1, 2025

Walkthrough

Replaces runtime calls to auth()->user() with dependency-injected Illuminate\Contracts\Auth\Authenticatable parameters across multiple controllers. Seven controller __invoke methods now accept an Authenticatable $user parameter and use $user for user-related operations (comments, likes, counts, and comment creation). AdminMiddleware::handle() now uses $request->user() with a null check and aborts when the user is missing or is a reader. routes/web.php adds authentication middleware to post comment and post like subgroups.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify Laravel will inject the authenticated user for each modified controller method and that parameter ordering matches route/controller invocation.
  • Check there are no remaining calls to auth()->user() where DI was intended.
  • Inspect AdminMiddleware::handle() for correct null handling and authorization semantics (isReader() usage).
  • Confirm comment creation (user_id assignment) still satisfies static analysis expectations and that phpstan-ignore rationale remains valid.
  • Validate routes/web.php changes correctly require auth for the intended post comment and like endpoints and do not unintentionally restrict public routes.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The pull request title "Fix #344 - Replace auth()->user() with Dependency Injection" is clear, concise, and directly summarizes the main change across the changeset. The title accurately reflects that the primary objective is to replace direct auth() helper calls with dependency injection throughout multiple controllers and middleware. The title is specific and meaningful without being overly verbose or containing vague terminology. |
| Linked Issues Check | ✅ Passed | The code changes comprehensively address the objective stated in issue #344 to replace auth()->user() with dependency injection. All modified controllers (Comment/IndexController, Liked/DeleteController, Liked/IndexController, Main/IndexController, Post/Comment/StoreController, and Post/Like/StoreController) now accept an injected Authenticatable parameter and use it instead of calling auth()->user() directly. The AdminMiddleware has been updated to replace auth()->user() with $request->user(), and routes have been protected with auth middleware to support the dependency injection pattern. |
| Out of Scope Changes Check | ✅ Passed | All changes in this pull request are within scope of the stated objective to replace auth()->user() with dependency injection. The controller method signature updates to inject Authenticatable parameters, the middleware refactoring to use $request->user(), and the routing changes to add auth middleware are all necessary and related to the core refactoring goal. No changes appear to introduce unrelated functionality or address separate concerns outside the dependency injection replacement initiative. |
| Description Check | ✅ Passed | The pull request description is directly related to the changeset and accurately describes the modifications made. It outlines that all usages of auth()->user() have been replaced with dependency injection across multiple controllers, that routes have been updated to ensure proper authentication middleware protection, and that the changes improve testability and architecture. The description aligns well with the actual code changes present in the files. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 72667bd and 0e2d079.

📒 Files selected for processing (2)
  • app/Http/Middleware/AdminMiddleware.php (1 hunks)
  • routes/web.php (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
app/Http/Middleware/AdminMiddleware.php (1)
app/Models/User.php (1)
  • isAdministrator (79-82)
🔇 Additional comments (2)
routes/web.php (1)

51-56: LGTM! Authentication middleware correctly added for user-dependent actions.

The auth middleware on both the comments and likes route groups ensures users are authenticated before the controllers receive the injected Authenticatable $user parameter. This aligns perfectly with the PR's objective to replace auth()->user() with dependency injection.

app/Http/Middleware/AdminMiddleware.php (1)

18-22: LGTM! Middleware correctly implements request-based authentication.

The implementation properly uses $request->user() with a null check and explicit admin verification via isAdministrator(). This approach maintains Laravel's standard middleware patterns while supporting the PR's goal of moving away from the global auth() helper.

The PHPStan suppression is necessary because the Authenticatable interface doesn't define isAdministrator() (it only exists on the concrete User model).




@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (5)
app/Http/Controllers/Personal/Liked/IndexController.php (1)

11-14: Same binding issue: Authenticatable requires container binding.

This controller has the same Authenticatable resolution issue as Personal/Main/IndexController.php. Without proper container binding, Laravel cannot inject the authenticated user.

See the review comment on app/Http/Controllers/Personal/Main/IndexController.php (lines 11-16) for detailed solutions.

app/Http/Controllers/Personal/Comment/IndexController.php (1)

11-14: Same binding issue: Authenticatable requires container binding.

This controller has the same Authenticatable resolution issue as other controllers in this PR. Laravel cannot automatically inject the authenticated user without proper container binding.

See the review comment on app/Http/Controllers/Personal/Main/IndexController.php (lines 11-16) for detailed solutions.

app/Http/Controllers/Post/Like/StoreController.php (1)

11-14: Same binding issue: Authenticatable requires container binding.

This controller has the same Authenticatable resolution issue as other controllers in this PR. Without proper container binding, Laravel cannot inject the authenticated user.

See the review comment on app/Http/Controllers/Personal/Main/IndexController.php (lines 11-16) for detailed solutions.

app/Http/Controllers/Personal/Liked/DeleteController.php (1)

11-14: Same binding issue: Authenticatable requires container binding.

This controller has the same Authenticatable resolution issue as other controllers in this PR. Laravel cannot automatically inject the authenticated user without proper container binding.

See the review comment on app/Http/Controllers/Personal/Main/IndexController.php (lines 11-16) for detailed solutions.

app/Http/Controllers/Post/Comment/StoreController.php (1)

13-18: Same binding issue: Authenticatable requires container binding.

This controller has the same Authenticatable resolution issue as other controllers in this PR. Without proper container binding, Laravel cannot inject the authenticated user.

See the review comment on app/Http/Controllers/Personal/Main/IndexController.php (lines 11-16) for detailed solutions.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b13463 and 504fd0a.

📒 Files selected for processing (7)
  • app/Http/Controllers/Personal/Comment/IndexController.php (1 hunks)
  • app/Http/Controllers/Personal/Liked/DeleteController.php (1 hunks)
  • app/Http/Controllers/Personal/Liked/IndexController.php (1 hunks)
  • app/Http/Controllers/Personal/Main/IndexController.php (1 hunks)
  • app/Http/Controllers/Post/Comment/StoreController.php (1 hunks)
  • app/Http/Controllers/Post/Like/StoreController.php (1 hunks)
  • app/Http/Middleware/AdminMiddleware.php (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (7)
app/Http/Controllers/Personal/Main/IndexController.php (6)
app/Http/Controllers/Personal/Comment/IndexController.php (2)
  • IndexController (9-18)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/IndexController.php (2)
  • IndexController (9-18)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/DeleteController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Post/Comment/StoreController.php (1)
  • __invoke (13-23)
app/Http/Controllers/Post/Like/StoreController.php (1)
  • __invoke (11-17)
app/Models/User.php (1)
  • likedPosts (89-92)
app/Http/Middleware/AdminMiddleware.php (1)
app/Models/User.php (1)
  • isReader (84-87)
app/Http/Controllers/Post/Like/StoreController.php (5)
app/Http/Controllers/Post/Comment/StoreController.php (2)
  • StoreController (11-24)
  • __invoke (13-23)
app/Http/Controllers/Personal/Liked/DeleteController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/IndexController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Main/IndexController.php (1)
  • __invoke (11-19)
app/Models/User.php (1)
  • likedPosts (89-92)
app/Http/Controllers/Personal/Comment/IndexController.php (5)
app/Http/Controllers/Personal/Liked/IndexController.php (2)
  • IndexController (9-18)
  • __invoke (11-17)
app/Http/Controllers/Personal/Main/IndexController.php (2)
  • IndexController (9-20)
  • __invoke (11-19)
app/Http/Controllers/Personal/Liked/DeleteController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Post/Comment/StoreController.php (1)
  • __invoke (13-23)
app/Http/Controllers/Post/Like/StoreController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/DeleteController.php (5)
app/Http/Controllers/Personal/Comment/IndexController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/IndexController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Post/Like/StoreController.php (1)
  • __invoke (11-17)
app/Models/Post.php (1)
  • Post (61-120)
app/Models/User.php (1)
  • likedPosts (89-92)
app/Http/Controllers/Post/Comment/StoreController.php (6)
app/Http/Controllers/Post/Like/StoreController.php (2)
  • StoreController (9-18)
  • __invoke (11-17)
app/Http/Controllers/Personal/Comment/IndexController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/DeleteController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Liked/IndexController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Personal/Main/IndexController.php (1)
  • __invoke (11-19)
app/Models/Comment.php (2)
  • post (44-47)
  • user (49-52)
app/Http/Controllers/Personal/Liked/IndexController.php (6)
app/Http/Controllers/Personal/Comment/IndexController.php (2)
  • IndexController (9-18)
  • __invoke (11-17)
app/Http/Controllers/Personal/Main/IndexController.php (2)
  • IndexController (9-20)
  • __invoke (11-19)
app/Http/Controllers/Personal/Liked/DeleteController.php (1)
  • __invoke (11-17)
app/Http/Controllers/Post/Comment/StoreController.php (1)
  • __invoke (13-23)
app/Http/Controllers/Post/Like/StoreController.php (1)
  • __invoke (11-17)
app/Models/User.php (1)
  • likedPosts (89-92)
🔇 Additional comments (1)
app/Http/Controllers/Personal/Main/IndexController.php (1)

11-16: Excellent! The controllers ARE routed and protected by auth middleware. Let me check if there's custom middleware handling:

Based on my comprehensive verification, I found critical information that contradicts the review comment.

Laravel automatically binds Authenticatable via its Auth service provider.

The Service Provider for Authentication binds the Authenticatable contract to a Closure, which allows the Service Container to call that closure every time an Authenticatable is asked for. This binding is part of Laravel's core framework, not something that needs to be manually configured in AppServiceProvider.php.

The code in the controller will work correctly because:

  1. This will work nicely as long as you are using the Authenticate Middleware, and these routes are protected by the auth middleware
  2. The @phpstan-ignore-next-line comments are present because static analysis tools cannot see the dynamic runtime binding

The same pattern is used throughout the codebase in 7+ controllers (Personal/Comment, Post/Like, Personal/Liked, AdminMiddleware, etc.), all protected by auth middleware, which confirms this is working by design.

Likely an incorrect or invalid review comment.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
routes/web.php (1)

54-56: Add auth middleware to the likes routes to support Authenticatable injection.

The StoreController expects an injected Authenticatable $user parameter. Use the auth middleware and then type-hint the Authenticatable Contract in your Controller method. Without it, unauthenticated requests will fail at runtime during dependency resolution.

-    Route::prefix('{post}/likes')->group(function () {
+    Route::prefix('{post}/likes')->middleware('auth')->group(function () {
         Route::post('/', 'App\Http\Controllers\Post\Like\StoreController')->name('post.likes.store');
     });
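
Review bot: The `->middleware('auth')` added on the `{post}/likes` group is the only thing keeping a guest request away from a controller that type-hints `Authenticatable $user`, and nothing in this hunk pins that behaviour down with a test. Add a feature test that sends an unauthenticated POST to `post.likes.store` and asserts the redirect to login (or a 401 for JSON requests), so a later edit to the route file that drops the middleware fails in CI rather than at dependency resolution. As a style point, the unchanged `Route::post` line references the controller by string; `StoreController::class` with an import would let static analysis catch a rename or move.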
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 504fd0a and 72667bd.

📒 Files selected for processing (2)
  • app/Http/Middleware/AdminMiddleware.php (1 hunks)
  • routes/web.php (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
app/Http/Middleware/AdminMiddleware.php (1)
app/Models/User.php (1)
  • isReader (84-87)
🔇 Additional comments (1)
routes/web.php (1)

51-53: LGTM! Auth middleware correctly protects comment routes.

The addition of auth middleware to the comments sub-group ensures that only authenticated users can post comments, which aligns with the controller now expecting an injected Authenticatable $user parameter.

Development

Successfully merging this pull request may close these issues.

Replace auth()->user() to DI
