[Spike] Email Verification - Link #10506
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🤖 Resolves #10375
👋 Introduction
This is a sample solution to the "Email Verification" spike using links. It is close to the traditional Laravel way but is less like the way our app normally works.
Caution
This is a spike and should not be merged. It can be used as a reference for future PRs.
🕵️ Details
The branch works by creating a link with the user ID and hashed email address then sharing it as a temporary signed link. It is pretty close to the regular Laravel way of working but I've had to remove User authentication from the solution since an email link can not add a bearer token to the HTTP GET request.
This solution uses REST since that's the traditional Laravel model. I wasn't able to use that actual, built-in components from Laravel since it assumes there is only one email, that you want to verify it immediately on creation, that you're authenticating with cookies, and that you want to use the built-in email service. However, the pieces I wrote are closely based on the Laravel ones.
This solution has a lot of copy-and-paste for clarity between work email and regular email. A prod-ready solution would probably factor some of that out to make it more DRY.
Q&A
This is one option.
This wouldn't be easy with this solution - the Laravel solution is not really set up for this. I suppose it might be possible to create a page on the app that builds the GET request if the user pastes in user ID, email hash, and signature. 🤷
You can make the temporary signed links expire whenever you want.
The Laravel route has a placeholder redirect to "/home" at the end but you could substitute in a query param from the link if you wanted.
It makes me uncomfortable that we had to remove the user authentication from this but I think it's still secure with the signed link.
It's easy enough to add a throttle to a Laravel route. We've done that before
This does not invalidate previous links sent. However, when the code is redeemed it checks that the email address still matches the one in the request so it doesn't really matter.
Yes, this shown in the branch.
🧪 Testing
emailVerifiedAt
is set📸 Screenshot