05. Generating a signed URL for authentication

Transcript

00:00
We now need to figure out how to actually generate the URL through to our login controller just here,
00:07
our session controller from this email. Now, a good start would be, of course, to pass the email into our magic login link email and then accept it into the constructor just here. So let's go ahead and accept this email into here.
00:23
And then what we could do is either do this all in the template, which I don't like, or we could generate out a URL within this class and then go ahead and use that directly within the template. So let's go ahead and create out a string URL property within here. And then let's build this up.
00:41
Let's make this insecure, first of all, or unsecure. And let's go to auth and session. And then we want to pass the email address into there, which is for route model binding to look that user up. So now what we can do is over in our template for our email, we can just put the URL directly into here.
01:01
Now, when we click on that should go through to that route and, of course, just die dump out everything that we've seen. So let's enter our email address, hit get magic link and let's head over to here, click login. And that should take us over to where we dumped out login and also where we dumped out the user that we want to authenticate. So that's working really nicely.
01:22
Now, the only issue with this is that it's not secure. If you know the user's email address that you want to authenticate as, anyone could now just hit this URL and log in as that user. Of course, once we implement the functionality for that. So that's not great.
01:38
We really want to make sure this is secure. And to do that, we're going to use signed URLs within Laravel. We don't need to install anything additional for this to work. This is all built in for us.
01:51
So let's get rid of this because that's not going to work for what we're doing here. Instead, what we're going to do is put in the URL facade and we're going to generate a temporary signed route. Let's take a look at how this works. So the first argument here is the route name that you want to go through to.
02:08
The second argument is the expiration that we want to use. We want this link that we're generating to expire after a certain amount of time because we don't want to have this open for any longer than necessary for the user to check their email and actually click on it. So we need to come up with a sensible expiration date for this. Now, we're going to start out using the now function within Laravel, which gives us back a Carbon instance.
02:34
And then we can just add on some minutes to this. So let's just say 10 minutes. That seems like a sensible default for this just in case the user is a little bit delayed. But that's pretty much all we need to do.
02:46
Now, the third argument is just the parameters that we want to send through to here. And we're just going to send through the user's email address so we can identify them with route model binding and we have access to the email inside of here. So that's now generated a signed route. Let's hop over and just start the process again and see how this changes the structure of the URL.
03:06
So let's go over to our client here. Click on this, click on login, and there we go. So we've got all the session and the email address. But now you can see Laravel's added in this expiry timestamp and a signature as well.
03:19
So I can go ahead and hit this. The only issue we've got at the moment is if we modify anything about this, nothing really happens. So we've generated this signed expiring link, but nothing's happening when we change around this data. So it's not actually taking effect.
03:36
For this to work, what we need to do is over in the login controller, we need to apply some middleware. So let's go ahead and bring in our constructor here and we're going to go ahead and say this middleware and we're going to bring in the signed middleware. Easy as that. We can also go ahead and add in the guest middleware here if we want to as well.
03:56
Or, of course, we can do this all over on the routes. Let's do that on the routes because we've been doing this so far. So let's go ahead and apply that middleware again to the route and that's going to be signed and we want to make sure we're a guest. So now if we head over to that same URL that we just modified, you can see we get an invalid signature.
04:14
Let's just click on that again from our mail client. You can see it now works. If we modify anything about this signature, it's not going to work. So this link now needs to have come from that user's email account where they are receiving that email and where we're generating that signed URL.
10 episodes 58 mins

Overview

Say goodbye to the traditional email/password flow and implement passwordless authentication with Laravel! In this course, we'll cover sending a secure link via email to allow users to sign in seamlessly. Oh, and we'll cover the entire registration process too.

Use it on its own, or combine it with the standard email/password flow to give your users even more flexibility.

Alex Garrett-Smith
Hey, I'm the founder of Codecourse!
