2
votes

In Laravel 5.8 you have this nice email verification feature out of the box.

However, let's say the user registers an account. They receive an email verification email, which they choose to ignore, and later decide on a password reset (note the password reset route doesn't have the email verified middleware), which fires a password reset notification. When they click on the password reset link, the user can reset their password and the application attempts to log them in, but then redirects them back to verify their email, since the user account dashboard route has the verify email middleware.

This authentication flow is counterintuitive, since when the user requested a password reset, that ought to have also verified their email account?

I'd like to know how you guys would tackle this process?

  1. With every password reset would you simply update the email_verified_at column if it is not verified?
  2. Do you force the user to go through a double step process by forcing them to verify their email again after a password reset?
  3. Do you prevent a password reset at all by applying the verified middleware to the password reset routes? Again, this would require a two step process before a user could fully access their account.

Any other options?

1
I would stick to the 2, as that's the normal process. You cannot force the user to verify the password, if the user comes back to the site after a while and forgot the password. The weird thing is that in Laravel you've got to be authenticated in order to verify the email, otherwise it will show you the login screen :) – nakov

@nakov. Why option 2? Both a password reset and email verification attempt to send a link to the registered email. You can only reset your password if you're the owner of that email. – adam78

That's just the Laravel way I believe, otherwise the email_verified_at timestamp would've been touched when you reset the password. As I said above, even the email verification is not a usual one. But I never saw a page where, when you reset the password, it automatically verifies you. Both are separate actions. And I just gave my opinion, it does not have to be the correct one :) – nakov

1 Answer

2
votes

A password reset achieves the same as the verification email (as you said yourself, too), so I would definitely go with option 1.

I'm surprised this is not already built into Laravel.
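
Option 1 as an added example (not part of the original answer and not Laravel's own code): a listener on the framework's `Illuminate\Auth\Events\PasswordReset` event that sets `email_verified_at` only when it is still empty. The `App\Listeners` namespace and the class name `MarkEmailVerifiedOnPasswordReset` are assumptions for illustration.

```php
<?php

namespace App\Listeners; // assumed namespace

use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Auth\Events\Verified;
use Illuminate\Contracts\Auth\MustVerifyEmail;

class MarkEmailVerifiedOnPasswordReset // hypothetical class name
{
    /**
     * Runs after a successful password reset. Completing the reset means
     * the user opened a link sent to the address stored on their account.
     */
    public function handle(PasswordReset $event)
    {
        $user = $event->user;

        // Only user models that opt in to email verification are affected.
        if (! $user instanceof MustVerifyEmail) {
            return;
        }

        // Already verified: keep the original email_verified_at timestamp.
        if ($user->hasVerifiedEmail()) {
            return;
        }

        // Same sequence the built-in verification controller uses:
        // set the timestamp, then announce it so other listeners can react.
        if ($user->markEmailAsVerified()) {
            event(new Verified($user));
        }
    }
}

// Registration, in the $listen array of App\Providers\EventServiceProvider:
//   PasswordReset::class => [MarkEmailVerifiedOnPasswordReset::class],
```

This is only sound when the reset token is delivered exclusively to the email address stored on the user record, as with the default password broker. A custom reset flow that hands out the token through another channel does not prove control of the mailbox and should not mark the address as verified.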