In this episode, we're focusing on generating a signed URL for our authentication system — specifically, for those "magic login" links that get emailed to users.
We kick things off by showing how to pass the user's email into our magic login email and create a regular URL to the login/session route. We make it so clicking this link logs the user in based on their email. While that works, it isn't secure: anyone who knows the email address could just hit the URL and log in as that user.
To fix that, we switch over to using Laravel's built-in signed URLs. We show you how to use the URL facade to generate a temporary signed route that expires after a set amount of time (like 10 minutes). This not only makes sure the link can't be used forever, but also ensures nobody can tamper with it — Laravel adds an expiration timestamp and a cryptographic signature to the URL.
Next, we apply the necessary middleware to our login route so only requests with a valid signature will work, and the user also has to be a guest (not already logged in). We test what happens if you try to tweak the URL: Laravel instantly blocks it with an invalid signature error.
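The flow described above, sketched as an added example (not the code from the episode). The route names and paths, the `App\Models\User` model and the use of `Mail::raw` in place of the episode's own email class are assumptions.

```php
<?php
// routes/web.php (added example; names marked "hypothetical" are assumptions)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

// Step 1: the user submits an email address and we mail the magic link.
Route::post('/login', function (Request $request) {
    $email = $request->validate(['email' => ['required', 'email']])['email'];

    // Laravel appends `expires` and `signature` query parameters to the URL.
    $url = URL::temporarySignedRoute(
        'login.session',        // hypothetical route name
        now()->addMinutes(10),  // the link stops validating after 10 minutes
        ['email' => $email]
    );

    // Stand-in for the episode's magic login email.
    Mail::raw("Log in here: {$url}", function ($message) use ($email) {
        $message->to($email)->subject('Your login link');
    });

    return back()->with('status', 'Check your inbox for a login link.');
})->middleware('guest');

// Step 2: the link is opened. `signed` rejects a missing, altered or expired
// signature with a 403 before the closure runs, so changing `email` or
// `expires` in the URL fails. `guest` redirects users who are already logged in.
Route::get('/login/session', function (Request $request) {
    // The email can be trusted here only because `signed` has verified the URL.
    $user = User::where('email', $request->query('email'))->firstOrFail();

    Auth::login($user);
    $request->session()->regenerate(); // fresh session ID after authentication

    return redirect()->intended('/');
})->name('login.session')->middleware(['signed', 'guest']);
```

The signature covers the whole URL, but the link itself can be opened more than once until `expires` passes; making it single-use would need extra state that this sketch does not include.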
By the end of the episode, you've gone from a wide-open login URL to a secure, time-limited, signed link that keeps your users safe — all with pretty much out-of-the-box Laravel features!