Laravel's built-in email verification requires authentication.
https://github.com/laravel/framework/blob/5.8/src/Illuminate/Foundation/Auth/VerifiesEmails.php#L35

```php
if ($request->route('id') != $request->user()->getKey()) {
    throw new AuthorizationException;
}
```
just checking the signature in URL is insufficient?
Steps to reproduce:

1. `php artisan make:auth`
2. `Auth::routes(['verify' => true])`
3. Implement the `MustVerifyEmail` interface

Then, when you open the verification link, you will be redirected to the login page.
It indeed does.
@driesvints why is the issue closed?
@musou1500 you asked if the verification required authentication and it does. If you want to propose a different solution then that's a feature request and an issue needs to be opened in the laravel/ideas repo instead.
@driesvints
thank you.
I understood that authentication is required (sorry if I misread).
May I ask why authentication is required?
Laravel's Signed URL uses HMAC. If my understanding is correct, it is secure against known-plaintext attacks.
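To make the HMAC point concrete, here is an added example in plain PHP (not code from laravel/framework and not posted by anyone in this thread) that re-implements a signed-URL scheme modelled on Laravel's: an HMAC-SHA256 over the full URL including `expires`, appended as a `signature` query parameter and checked with a constant-time comparison. The `APP_KEY` value, the helper names (`signUrl`, `hasValidSignature`, `mayVerify`), the sample URL and the fixed clock are assumptions made for the example.

```php
<?php
// Added example, not laravel/framework code. Helper names, the key and the
// sample URL are assumptions; the scheme is modelled on Laravel's signed URLs.
declare(strict_types=1);

// Constructed secret standing in for the application key.
const APP_KEY = 'base64:0123456789abcdef0123456789abcdef0123456789a=';

// Sign a URL: append `expires`, then an HMAC-SHA256 over everything so far
// (path and all query parameters, expires included) as `signature`.
function signUrl(string $url, int $expiresAt, string $key): string
{
    $sep = strpos($url, '?') === false ? '?' : '&';
    $toSign = $url . $sep . http_build_query(['expires' => $expiresAt]);
    $signature = hash_hmac('sha256', $toSign, $key);

    return $toSign . '&' . http_build_query(['signature' => $signature]);
}

// Verify: drop `signature`, rebuild the URL with the remaining parameters in
// their original order, recompute the HMAC, compare in constant time, and
// reject links whose `expires` timestamp has passed.
function hasValidSignature(string $url, string $key, int $now): bool
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);

    $signature = (string) ($query['signature'] ?? '');
    $expires = (int) ($query['expires'] ?? 0);
    unset($query['signature']);

    $original = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '');
    if ($query !== []) {
        $original .= '?' . http_build_query($query);
    }
    $expected = hash_hmac('sha256', $original, $key);

    return hash_equals($expected, $signature) && $expires > $now;
}

// Mirrors the check quoted from VerifiesEmails: besides a valid signature,
// the id in the URL must be the id of the user who is currently logged in.
// In Laravel a missing session is redirected to login by the `auth`
// middleware and a mismatch throws AuthorizationException; here both are
// simply reported as "not allowed".
function mayVerify(string $url, ?int $sessionUserId, string $key, int $now): bool
{
    if (! hasValidSignature($url, $key, $now)) {
        return false;
    }
    $idInUrl = (int) basename((string) parse_url($url, PHP_URL_PATH));

    return $sessionUserId !== null && $sessionUserId === $idInUrl;
}

// Self-checking demonstration with a constructed fixed clock.
$now = 1700000000;
$link = signUrl('https://app.example/email/verify/42', $now + 3600, APP_KEY);

$checks = [
    // Genuine link, within its lifetime.
    hasValidSignature($link, APP_KEY, $now) === true,
    // Changing the id in the path (trying to verify someone else) breaks the HMAC.
    hasValidSignature(str_replace('/verify/42', '/verify/7', $link), APP_KEY, $now) === false,
    // Intact signature but past `expires`.
    hasValidSignature($link, APP_KEY, $now + 7200) === false,
    // Logged in as user 42: allowed.
    mayVerify($link, 42, APP_KEY, $now) === true,
    // No session: the "redirected to the login page" case from this issue.
    mayVerify($link, null, APP_KEY, $now) === false,
    // Logged in as a different user: the AuthorizationException case.
    mayVerify($link, 7, APP_KEY, $now) === false,
];

foreach ($checks as $i => $ok) {
    if (! $ok) {
        throw new RuntimeException("check $i failed");
    }
}
echo "all signed-URL checks passed\n";
```

Run with `php example.php`. The HMAC proves that the URL was produced with the application key and has not been altered, which is why a changed id is rejected; it says nothing about who is presenting the link, which is the property the `getKey()` comparison in `VerifiesEmails` adds on top.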
I guess because of the idea behind it that you usually get a verification email after you've signed up and you're still logged in then.
@driesvints I see. I assumed use cases like a backend API for a mobile application.
If registration is done via a stateless API, a user needs to log in on the web page to complete verification.
I think the reason for the behavior is not security concerns.
So, I will create an issue on the laravel/ideas repo. Thank you.
@musou1500 in that case it's still of interest to first require the user to sign in before verification can be done. But I guess opinions on this just differ. If you create an issue on the laravel/ideas repo and general interest agrees with that it might be re-considered.
I'd also like to suggest that this is more of a bug/oversight in the email verification process.
@driesvints you mention that:
I guess because of the idea behind it that you usually get a verification email after you've signed up and you're still logged in then.
This is not always the case. Especially when handling signups on mobile, take for example:
From a user experience perspective, this is less than ideal and quite frustrating having to login again.
For anyone looking at this issue and wondering how to get around this, I've overridden the `verify` method on the controller, which will automatically log in the user if necessary.
```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Auth\VerifiesEmails;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class VerificationController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Email Verification Controller
    |--------------------------------------------------------------------------
    |
    | This controller is responsible for handling email verification for any
    | user that recently registered with the application. Emails may also
    | be re-sent if the user didn't receive the original email message.
    |
    */

    use VerifiesEmails {
        verify as parentVerify;
    }

    /**
     * Where to redirect users after verification.
     *
     * @var string
     */
    protected $redirectTo = '/';

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        // `verify` must be reachable without a session. The `signed`
        // middleware still runs on it, so a tampered or expired link is
        // rejected with a 403 before this controller is reached.
        $this->middleware('auth')->except('verify');
        $this->middleware('signed')->only('verify');
        $this->middleware('throttle:6,1')->only('verify', 'resend');
    }

    /**
     * Mark the user named in the signed URL as verified, logging them in
     * first if nobody (or somebody else) is currently authenticated.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response
     *
     * @throws \Illuminate\Auth\Access\AuthorizationException
     */
    public function verify(Request $request)
    {
        $id = $request->route('id');

        // Compare primary keys rather than the User model against the route
        // parameter: comparing the object itself with the id string does not
        // do what is intended.
        if ($request->user() && (string) $request->user()->getKey() !== (string) $id) {
            Auth::logout();
        }

        if (! $request->user()) {
            // loginUsingId() returns false when no such user exists; the
            // parent verify() would then call getKey() on null.
            if (! Auth::loginUsingId($id, true)) {
                throw new AuthorizationException;
            }
        }

        return $this->parentVerify($request);
    }
}
```
As far as I can see, there aren't any security implications in doing this as the URL signature has already been verified and any tampering with it (including attempting to login as someone else) will be met with a 403 error. But if anyone can see any issues with this implementation then please let me know.
@garygreen I see that but there's just different opinions about this. The fact that we require the person to login first is an extra security measure. We can perhaps tailor this so it's configurable to be turned off but please open up an issue on the ideas repo first to discuss how this would be implemented.
In any case this isn't a bug.
@driesvints
I opened up an issue on the ideas repo (@garygreen already left a comment on this issue):
https://github.com/laravel/ideas/issues/1632