I was wondering if I could use Signed URLs for Magic Link login (passwordless). I know people are using tokens that are stored in the database and later compared to determine to whom each token belongs and whether it is still valid.

```php
<?php

use App\User;
use Illuminate\Support\Facades\URL;

/**
 * Get the verification URL for the given notifiable.
 *
 * @param \App\User $user
 * @return string
 */
protected function authenticationUrl(User $user): string
{
    // Builds a URL whose `expires` and `signature` query parameters are
    // an HMAC over the full URL, keyed with APP_KEY; nothing is stored.
    return URL::temporarySignedRoute(
        'login.magic_link.authenticate',
        now()->addMinutes(10),
        ['uuid' => $user->uuid]
    );
}
```
I am sending the link to my app using the Signed URLs provided with Laravel. If the user clicks on the link, he is redirected to the authenticate method.

```php
<?php

use App\User;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

/**
 * Authenticate validated user.
 *
 * @param \Illuminate\Http\Request $request
 * @return \Illuminate\Http\RedirectResponse
 * @throws \Illuminate\Database\Eloquent\ModelNotFoundException
 */
public function authenticate(Request $request): RedirectResponse
{
    // Note: nothing here checks the signature itself; this relies on the
    // route being registered with the `signed` middleware (not shown).
    try {
        $user = User::where($request->only('uuid'))->firstOrFail();
    } catch (ModelNotFoundException $e) {
        return redirect()->route('login.magic_link.index')
            ->withErrors(['email' => 'Email address could not be found.']);
    }

    Auth::login($user);

    return redirect()->route($this->redirectTo);
}
```
The question is whether this is safe and considered good practice. If not, can someone explain to me why?
via Chebli Mohamed
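The following is an added example, written here as an illustration and not code from the question or from Laravel itself. It shows the two properties a reviewer would look for in the flow above: the signature must actually be verified before the user is logged in (the `signed` route middleware does this, and the handler re-checks it as defence in depth), and a temporary signed URL is valid for the whole window rather than single-use, so the handler records the redeemed signature in the cache to refuse a replay. Assumed, not taken from the question: the `/login/magic/{uuid}` path, a `home` route, a `uuid` column on `App\User`, and a cache store on which `Cache::add()` is atomic (Redis, Memcached or the database driver).

```php
<?php
// Added example (not the asker's code). Assumes App\User has a `uuid`
// column, a `home` named route, and an atomic Cache::add() store.

use App\User;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

class MagicLinkController
{
    // Assumed destination after login.
    protected string $redirectTo = 'home';

    // Builds the link; `uuid` is part of the path, so the signature covers it.
    public function authenticationUrl(User $user): string
    {
        return URL::temporarySignedRoute(
            'login.magic_link.authenticate',
            now()->addMinutes(10),
            ['uuid' => $user->uuid]
        );
    }

    public function authenticate(Request $request, string $uuid): RedirectResponse
    {
        // Defence in depth: even though the route carries the `signed`
        // middleware, refuse here too if the HMAC or expiry does not hold.
        if (! $request->hasValidSignature()) {
            abort(403, 'Invalid or expired link.');
        }

        // A signed URL is not single-use: anyone holding the link can reuse
        // it until `expires`. Mark the signature as redeemed for the rest
        // of its lifetime; Cache::add() returns false if the key exists.
        $usedKey = 'magic_link:used:' . $request->query('signature');
        $ttl = max(1, (int) $request->query('expires') - time());
        if (! Cache::add($usedKey, true, $ttl)) {
            abort(403, 'This link has already been used.');
        }

        $user = User::where('uuid', $uuid)->first();
        if ($user === null) {
            return redirect()->route('login.magic_link.index')
                ->withErrors(['email' => 'Email address could not be found.']);
        }

        Auth::login($user);
        // Rotate the session id on login to rule out session fixation.
        $request->session()->regenerate();

        return redirect()->route($this->redirectTo);
    }
}

// routes/web.php: the `signed` middleware aborts with 403 when the
// signature is missing, tampered with, or past its `expires` timestamp.
Route::get('/login/magic/{uuid}', [MagicLinkController::class, 'authenticate'])
    ->name('login.magic_link.authenticate')
    ->middleware('signed');
```

Two limits remain even with this in place: the link is only as secret as the mailbox it lands in, and every signature is keyed with the single `APP_KEY`, so rotating that key invalidates all outstanding links at once, which is either a feature or a surprise depending on the deployment.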