4

I'm using the standard Laravel registration system (php artisan make:auth) and I'm currently wondering how the verification of the mail in Laravel works. I don't see any token or anything else in the database that could be compared to the one from the "registration-complete" mail of Laravel (after sign-up). So how does Laravel actually make sure that the token is correct?

I already looked in the RegisterController and think it must have something to do with the User::create() method that is called in the create method of the controller. But, unfortunately, I cannot even find this method...
(My Laravel is running on version 5.8.7)

Marvin
  • 53
  • 3
  • You can look at the documentation perhaps, as the best place to find such answers: https://laravel.com/docs/master/verification – nakov Apr 06 '19 at 16:28

1 Answer

7

Laravel uses so-called signed routes for this purpose that hash the URL with a secret key, so there is no need to store tokens. See Illuminate\Routing\UrlGenerator::signedRoute.

This function is called via Illuminate\Auth\Notifications\VerifyEmail from the Illuminate\Auth\MustVerifyEmail trait used in the Illuminate\Foundation\Auth\User model.

On user request, the hash is then validated by Illuminate\Routing\UrlGenerator::hasValidSignature.

chyno
  • 382
  • 3
  • 13
  • Are all such URLs signed with the same key? If so, how can one change this key? If not, where are the hashes stored for comparison when the user clicks? I was hoping to use the same or similar mechanism for unsubscribing users – Ben A. Hilleli Nov 05 '20 at 14:20
  • Yes, all are signed with the same key; it uses the config value `app.key`. See: https://github.com/laravel/framework/blob/43bea00fd27c76c01fd009e46725a54885f4d2a5/src/Illuminate/Routing/RoutingServiceProvider.php#L78 – chyno Nov 06 '20 at 00:00
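
The mechanism described in the answer, as an added stand-alone sketch (not Laravel's source and not code from the original posts): the URL is signed with an HMAC-SHA256 keyed by the application key, and verification recomputes the HMAC instead of looking up a stored token. The function names, the key, the host and the timestamp are constructed for the example.

```php
<?php
// Simplified illustration of signed URLs; $key stands in for config('app.key').

function sign_url(string $baseUrl, array $params, string $key, ?int $expires = null): string
{
    if ($expires !== null) {
        $params['expires'] = $expires;          // expiry is covered by the signature
    }
    ksort($params);                             // canonical parameter order before signing
    $unsigned = rtrim($baseUrl . '?' . http_build_query($params), '?');
    $params['signature'] = hash_hmac('sha256', $unsigned, $key);
    return $baseUrl . '?' . http_build_query($params);
}

function has_valid_signature(string $signedUrl, string $key, int $now): bool
{
    $parts = parse_url($signedUrl);
    parse_str($parts['query'] ?? '', $query);
    $given = (string) ($query['signature'] ?? '');
    unset($query['signature']);

    // Rebuild exactly what was signed: the URL without the signature parameter.
    $base = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '');
    $original = rtrim($base . '?' . http_build_query($query), '?');
    $expected = hash_hmac('sha256', $original, $key);

    $expires = $query['expires'] ?? null;
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of a guessed signature were correct.
    return hash_equals($expected, $given) && !($expires && $now > (int) $expires);
}

$key = 'constructed-demo-key-not-a-real-app-key';   // constructed placeholder
$now = 1554568080;                                  // constructed timestamp
$url = sign_url('https://example.test/email/verify/42', [], $key, $now + 3600);

var_dump(has_valid_signature($url, $key, $now));                               // untouched link
var_dump(has_valid_signature(str_replace('/42?', '/43?', $url), $key, $now));  // user id altered
var_dump(has_valid_signature($url, $key, $now + 7200));                        // used after expiry
var_dump(has_valid_signature($url, 'a-different-key', $now));                  // key was changed
```

Only the first check passes. Because every link depends on the one key, changing that key invalidates all links issued before the change, and anyone who obtains the key can produce valid links.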