#User Validate Email Process Flow

empty cargo
#

When a user tries to verify an email after registration, does that user normally have to be logged in?
I thought it just used a signed route, but I see the signature for verify email is a little more involved.

Route::get('/email/verify/{id}/{hash}',
    function(EmailVerificationRequest $request) {
        $request->fulfill();
        //response here (this is an api end-point)
    })->middleware(['auth', 'signed'])->name('verification.verify');

EmailVerificationRequest

class EmailVerificationRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        if (! hash_equals((string) $this->user()->getKey(), (string) $this->route('id'))) {
            return false;
        }
//...

I'm not sure what is going on here. What is $this->user()->getKey()?
I also feel like I'm completely misunderstanding this, with the doc saying "Determine if the user is authorized to make this request."

My flow
[User fills in reg form]
[submit]->api call to register
L9 registers user but implements MustVerifyEmail
L9 sends email (containing a page link to FE with an original param for BE)
[user clicks link and arrives at FE page with submit button]
[submit]->api call to (original L9 /email/verify/{id}/{hash}) i.e. http://127.0.0.1:8000/api/0.1/email/verify/a07b7aad-c0f0-4d9d-90f8-aef0d420998d/6d2749be3d8a90816cc773e10ae41a8ae871b65f?expires=1678921918&signature=c89638a71b973b6d1abb20637f5e151ff0880b8815a46ae2d36889fd9648a2e1

Response: 'unauthorised'
I tried removing the auth middleware flag and ended up with an unknown user->key error, so I'm not sure why it doesn't understand which user I'm trying to verify (surely the hash contains a reference to the user?)

ebon skiff
#

Sounds like you've got auth middleware, which means the user has to be logged in. When your user gets a hash, this is enough to identify them, but that doesn't mean they're authorized to go through the middleware. Remove auth and you'll be right.

Route::get('/email/verify/{id}/{hash}',
    function(EmailVerificationRequest $request) {
        $request->fulfill();
        //response here (this is an api end-point)
    })->middleware(['signed'])->name('verification.verify');

empty cargo
#

Thanks @ebon skiff. As I mentioned, I tried removing the auth check but got a user key error:

{
    "message": "Call to a member function getKey() on null",
    "exception": "Error",
    "file": "/home/msi/code/api.project/vendor/laravel/framework/src/Illuminate/Foundation/Auth/EmailVerificationRequest.php",
    "line": 17,
    "trace": [
        {
            "file": "/home/msi/code/api.project/vendor/laravel/framework/src/Illuminate/Container/BoundMethod.php",
            "line": 36,
            "function": "authorize",
            "class": "Illuminate\\Foundation\\Auth\\EmailVerificationRequest",
            "type": "->"
        },
        {
            "file": "/home/msi/code/api.project/vendor/laravel/framework/src/Illuminate/Container/Util.php",
            "line": 41,
            "function": "Illuminate\\Container\\{closure}",
            "class": "Illuminate\\Container\\BoundMethod",
            "type": "::"
        },
        {
            "file": "/home/msi/code/api.project/vendor/laravel/framework/src/Illuminate/Container/BoundMethod.php",
            "line": 93,
            "function": "unwrapIfClosure",
            "class": "Illuminate\\Container\\Util",
            "type": "::"
        },
   //...