Passwordless Authentication with Laravel
This episode is for members only

Sign up to access "Passwordless Authentication with Laravel" right now.

Get started
Already a member? Sign in to continue
Playing
05. Generating a signed URL for authentication

Episodes

0%
Your progress
  • Total: 58m
  • Played: 0m
  • Remaining: 58m
Join or sign in to track your progress

Transcript

00:00
We now need to figure out how to actually generate the URL through to our login controller just here,
00:07
our session controller from this email. Now, a good start would be, of course, to pass the email into our magic login link email and then accept it into the constructor just here. So let's go ahead and accept this email into here.
00:23
And then what we could do is either do this all in the template, which I don't like, or we could generate out a URL within this class and then go ahead and use that directly within the template. So let's go ahead and create out a string URL property within here. And then let's build this up.
00:41
Let's make this insecure, first of all, or unsecure. And let's go to auth and session. And then we want to pass the email address into there, which is for root model binding to look that user up. So now what we can do is over in our template for our email, we can just put the URL directly into here.
01:01
Now, when we click on that should go through to that route and, of course, just die dump out everything that we've seen. So let's enter our email address, hit get magic link and let's head over to here, click login. And that should take us over to where we dumped out login and also where we dumped out the user that we want to authenticate. So that's working really nicely.
01:22
Now, the only issue with this is that it's not secure. If you know the user's email address that you want to authenticate as, anyone could now just hit this URL and log in as that user. Of course, once we implement the functionality for that. So that's not great.
01:38
We really want to make sure this is secure. And to do that, we're going to use signed URLs within Varavel. We don't need to install anything additional for this to work. This is all built in for us.
01:51
So let's get rid of this because that's not going to work for what we're doing here. Instead, what we're going to do is put in the URL facade and we're going to generate a temporary signed route. Let's take a look at how this works. So the first argument here is the route name that you want to go through to.
02:08
The second argument is the expiration that we want to use. We want this link that we're generating to expire after a certain amount of time because we don't want to have this open for any longer than necessary for the user to check their email and actually click on it. So we need to come up with a sensible expiration date for this. Now, we're going to start out using the now function within Varavel, which gives us back a carbon instance.
02:34
And then we can just add on some minutes to this. So let's just say 10 minutes. That seems like a sensible default for this just in case the user is a little bit delayed. But that's pretty much all we need to do.
02:46
Now, the third argument are just the parameters that we want to send through to here. And we're just going to send through the user's email address so we can identify them with route model binding and we have access to the email inside of here. So that's now generated a signed route. Let's hop over and just start the process again and see how this changes the structure of the URL.
03:06
So let's go over to our client here. Click on this, click on login, and there we go. So we've got all the session and the email address. But now you can see Varavel's added in this expiry timestamp and a signature as well.
03:19
So I can go ahead and hit this. The only issue we've got at the moment is if we modify anything about this, nothing really happens. So we've generated this signed expiring link, but nothing's happening when we change around this data. So it's not actually taking effect.
03:36
For this to work, what we need to do is over in the locking controller, we need to apply some middleware. So let's go ahead and bring in our constructor here and we're going to go ahead and say this middleware and we're going to bring in the signed middleware. Easy as that. We can also go ahead and add in the guest middleware here if we want to as well.
03:56
Or, of course, we can do this all over on the routes. Let's do that on the routes because we've been doing this so far. So let's go ahead and apply that middleware again to the route and that's going to be signed and we want to make sure we're a guest. So now if we head over to that same URL that we just modified, you can see we get an invalid signature.
04:14
Let's just click on that again from our mail client. You can see it now works. If we modify anything about this signature, it's not going to work. So this link now needs to have come from that user's email account where they are receiving that email and where we're generating that signed URL.

Episode summary

In this episode, we're focusing on generating a signed URL for our authentication system — specifically, for those "magic login" links that get emailed to users.

We kick things off by showing how to pass the user's email into our magic login email and create a regular URL to the login/session route. We make it so clicking this link logs the user in based on their email. While that works, it isn't secure: anyone knowing the email could just hit the URL and log in as that user.

To fix that, we switch over to using Laravel's built-in signed URLs. We show you how to use the URL facade to generate a temporary signed route that expires after a set amount of time (like 10 minutes). This not only makes sure the link can't be used forever, but also ensures nobody can tamper with it — Laravel adds an expiration timestamp and a cryptographic signature to the URL.

Next, we apply the necessary middleware to our login route so only requests with a valid signature will work, and the user also has to be a guest (not already logged in). We test what happens if you try to tweak the URL: Laravel instantly blocks it with an invalid signature error.

By the end of the episode, you've gone from a wide-open login URL to a secure, time-limited, signed link that keeps your users safe — all with pretty much out-of-the-box Laravel features!

Episode discussion

No comments, yet. Be the first!