Email verification should work across devices #117
Open: wants to merge 2 commits into base: main
29 changes: 21 additions & 8 deletions app/Http/Controllers/Auth/VerifyEmailController.php
@@ -3,26 +3,39 @@
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Auth\Events\Verified;
use Illuminate\Foundation\Auth\EmailVerificationRequest;
use Illuminate\Http\Request;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;

class VerifyEmailController extends Controller
{
/**
* Mark the authenticated user's email address as verified.
*/
public function __invoke(EmailVerificationRequest $request): RedirectResponse
public function __invoke(Request $request, int $id, string $hash): RedirectResponse
{
if ($request->user()->hasVerifiedEmail()) {
return redirect()->intended(route('dashboard', absolute: false).'?verified=1');
if (! $request->hasValidSignature()) {
abort(403, 'Invalid or expired verification link.');
}

if ($request->user()->markEmailAsVerified()) {
/** @var \Illuminate\Contracts\Auth\MustVerifyEmail $user */
$user = $request->user();

$user = User::findOrFail($id);

if (! hash_equals($hash, sha1($user->getEmailForVerification()))) {
Should this be calling sha1 directly? Isn't there a Laravel abstraction for this? Also bearing this in mind.

abort(403, 'Invalid verification hash.');
}

// Now you can verify the email
if (! $user->hasVerifiedEmail()) {
$user->markEmailAsVerified();

// Fire event when email is verified
event(new Verified($user));
}

// Always log the user in, regardless of verification status
Auth::login($user);
@Synchro Synchro Apr 18, 2025
This makes verification links a little dangerous – anyone who gets hold of one is instantly logged in with no other auth required. Usual practice after verification is to require a login, which solves that problem, though at a mild UX expense.
/cc @valorin

Note that this additional login doesn't really apply for OAuth, since verification and login are essentially the same thing there.

At the very least, Auth::login() should only occur when the link is clicked the first time and the user is verified. Otherwise, it becomes a magic log in link until it expires, which potentially opens a large window for exploitation.


return redirect()->intended(route('dashboard', absolute: false).'?verified=1');
}
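Review bot: `Auth::login($user);` is not followed by a session ID regeneration, so the session that existed before the link was followed keeps its identifier after it becomes authenticated, which leaves a session fixation window; Laravel's own login flow regenerates the session after authenticating, so add `$request->session()->regenerate();` directly after the `Auth::login($user);` line. Building on the comments above, both the login and the regeneration belong inside the `if (! $user->hasVerifiedEmail())` branch so that only the first use of the link authenticates the user and a repeat visit falls through to the redirect. Separately, the controller now performs its own `$request->hasValidSignature()` check, which suggests the route no longer relies on the `signed` middleware; the route definition is outside this diff, so please confirm it still carries throttling, since the endpoint is now reachable without a prior login.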