laravel / fortify

Backend controllers and scaffolding for Laravel authentication.

Home Page: https://laravel.com/docs/fortify

Email Verification for API users

rcerljenko opened this issue

  • Fortify Version: 1.8.1
  • Laravel Version: 8.57
  • PHP Version: 8.0.10
  • Database Driver & Version: N/A

Description:

This is also Laravel related but since I'm using Fortify to handle my auth I'm posting it here...

Email Verification controller assumes that user has an active session while trying to mark email as verified => here. Also verification routes use auth middleware on them => here.

That's great for default auth session guard (web guard) but API users use different (stateless) guards such as Sanctum or JWT so they don't have an active session and thus you can't verify your email once you click on a link that has been sent to your email account.

I'm thinking that maybe we lose the auth middleware on those routes and fetch the user from the database by the decrypted ID from the signed route itself.

If interested in this I can provide a PR with the proposed solution.

Why can't you send a verification request through the API with an active token? The user should already be created with a valid password and email address.

@driesvints but the registered user receives the verification link by email with Laravel's default flow. We can maybe override that link creation and include the JWT token in that link so that it is sent in the verification email?

@rcerljenko good point. In that case I'd not do that since that could lead to abuse. Probably retrieving the user from the database by its ID like you proposed is a good solution. Can you send in a PR? Thanks.
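
The approach settled on above (no session, user loaded by the ID carried in the signed link), as an added example that is not part of the original thread and is not Fortify's or Laravel's code. It is a framework-free PHP sketch; the HMAC key, the `/email/verify/{id}/{hash}` URL layout with a SHA-1 of the email as the hash, the in-memory users array and the function names are assumptions constructed for the illustration.

```php
<?php
// Added illustration: verifying an emailed link without an authenticated session.
// KEY, the URL layout and the users array are constructed for this example.
const KEY = 'constructed-demo-key';

// Constructed stand-in for the users table.
$users = [7 => ['email' => 'alice@example.test', 'verified' => false]];

// Build /email/verify/{id}/{hash}?expires=...&signature=... for a user.
function makeLink(int $id, string $email, int $expires): string
{
    $path = "/email/verify/$id/" . sha1($email) . "?expires=$expires";
    return $path . '&signature=' . hash_hmac('sha256', $path, KEY);
}

// Verify a link with no logged-in user: the signed URL is the only credential.
function verifyLink(string $url, array &$users, int $now): string
{
    // 1. Split off the signature and recompute it over the rest of the URL.
    $pos = strrpos($url, '&signature=');
    if ($pos === false) {
        return 'invalid-signature';
    }
    $unsigned = substr($url, 0, $pos);
    $given = substr($url, $pos + strlen('&signature='));
    if (!hash_equals(hash_hmac('sha256', $unsigned, KEY), $given)) {
        return 'invalid-signature';
    }
    // 2. Parse id, hash and expiry only after the signature has been checked.
    if (!preg_match('#^/email/verify/(\d+)/([0-9a-f]{40})\?expires=(\d+)$#', $unsigned, $m)) {
        return 'malformed';
    }
    [, $id, $hash, $expires] = $m;
    if ($now > (int) $expires) {
        return 'expired';
    }
    // 3. Load the user by the id in the route instead of from the session.
    $user = $users[(int) $id] ?? null;
    // 4. The hash ties the link to the mailed address; a changed email invalidates it.
    if ($user === null || !hash_equals(sha1($user['email']), $hash)) {
        return 'mismatch';
    }
    $users[(int) $id]['verified'] = true; // safe to repeat for an already verified user
    return 'verified';
}

$link = makeLink(7, 'alice@example.test', 2000);
echo verifyLink($link, $users, 1000), "\n";                            // untouched link
echo verifyLink(str_replace('/7/', '/8/', $link), $users, 1000), "\n"; // id altered
echo verifyLink($link, $users, 3000), "\n";                            // past expiry
```

With the auth middleware gone, the signature check, the expiry and rate limiting on the route are the only controls left on this endpoint, so none of them should be relaxed along with it.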