How to Verify Email Without Asking the User to Login to Laravel

Wai Yan Hein · Dec 21, 2018 · Viewed 14.2k times

I am developing a Laravel application. My application is using Laravel's built-in auth feature. In Laravel auth, when a user registers, a verification email is sent. When a user verifies the email by clicking on the link inside the email, the user has to log in again to confirm the email if the user is not already logged in.

VerificationController

class VerificationController extends Controller
{
    use VerifiesEmails, RedirectsUsersBasedOnRoles;

    /**
     * Create a new controller instance.
     * @return void
     */
    public function __construct()
    {
        $this->middleware('auth');
        $this->middleware('signed')->only('verify');
        $this->middleware('throttle:6,1')->only('verify', 'resend');
    }

    public function redirectPath()
    {
        return $this->getRedirectTo(Auth::guard()->user());
    }
}

I tried commenting out this line.

$this->middleware('auth');

But it's not working and is instead throwing an error. How can I enable Laravel to be able to verify email even if the user is not logged in?

Answer

Wouter Florijn · Jan 15, 2019

First, remove the line $this->middleware('auth');, like you did.

Next, copy the verify method from the VerifiesEmails trait to your VerificationController and change it up a bit. The method should look like this:

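// Needs these imports at the top of VerificationController
// (App\User is the default model location; adjust it to your app):
// use App\User;
// use Illuminate\Http\Request;
// use Illuminate\Auth\Events\Verified;
// use Illuminate\Auth\Access\AuthorizationException;
public function verify(Request $request)
{
    // Nobody is logged in, so load the user from the route; respond 404 if the id is unknown.
    $user = User::findOrFail($request->route('id'));

    // Constant-time check that the hash in the link matches the user's email.
    if (!hash_equals((string) $request->route('hash'), sha1($user->getEmailForVerification()))) {
        throw new AuthorizationException;
    }

    // Fire the Verified event only when the user was actually marked as verified.
    if ($user->markEmailAsVerified()) {
        event(new Verified($user));
    }

    return redirect($this->redirectPath())->with('verified', true);
}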

This overrides the method in the VerifiesUsers trait and removes the authorization check.

Security (correct me if I'm wrong!)

It's still secure, as the request is signed and verified. Someone could verify another user's email address if they somehow gain access to the verification email, but in 99% of cases this is hardly a risk at all.
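
The two checks the answer relies on (the `signed` middleware and the `hash_equals` comparison), modelled as a stand-alone PHP script. This is an added example, not code from the answer or from Laravel: the key, path layout, user table and function names are constructed, and the HMAC scheme is a simplified stand-in for Laravel's signed URLs.

```php
<?php
// Simplified model of a signed, expiring verification link (constructed values throughout).
const DEMO_KEY = 'constructed-demo-key'; // stands in for the application's secret key

// Append an expiry and an HMAC over "path?query" so neither can be altered.
function signUrl(string $path, int $expires): string
{
    $url = $path . '?' . http_build_query(['expires' => $expires]);
    return $url . '&signature=' . hash_hmac('sha256', $url, DEMO_KEY);
}

// Recompute the HMAC without the signature parameter and compare in constant time.
function hasValidSignature(string $url, int $now): bool
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    $given = (string) ($query['signature'] ?? '');
    unset($query['signature']);
    $original = $parts['path'] . '?' . http_build_query($query);
    $expected = hash_hmac('sha256', $original, DEMO_KEY);
    return hash_equals($expected, $given) && $now <= (int) ($query['expires'] ?? 0);
}

// Session-less verification: the signature check first, then the email hash check.
function verify(string $url, array $users, int $now): string
{
    if (!hasValidSignature($url, $now)) {
        return 'rejected: bad or expired signature';
    }
    // Path layout assumed here: /email/verify/{id}/{hash}
    [, , , $id, $hash] = explode('/', parse_url($url, PHP_URL_PATH));
    $email = $users[(int) $id] ?? null;
    if ($email === null || !hash_equals((string) $hash, sha1($email))) {
        return 'rejected: unknown user or hash mismatch';
    }
    return "verified: $email";
}

$users = [7 => 'alice@example.test', 8 => 'bob@example.test']; // constructed accounts
$now   = 1700000000;                                           // fixed clock for the demo
$link  = signUrl('/email/verify/7/' . sha1($users[7]), $now + 3600);

echo verify($link, $users, $now), PHP_EOL;                            // genuine link, no session
echo verify(str_replace('/7/', '/8/', $link), $users, $now), PHP_EOL; // id swapped in the path
echo verify($link, $users, $now + 7200), PHP_EOL;                     // replayed after expiry
$users[7] = 'alice.new@example.test';                                 // email changed after sending
echo verify($link, $users, $now), PHP_EOL;                            // old link, new address
```

The genuine link verifies for whoever presents it, which is the residual risk the answer describes: without the `auth` middleware the link itself is the only credential.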