Best practice for handling user visiting expired E-mail verification link?

Posted 1 month ago by lukio_3

Hi,

For those of you using the Laravel 5.7+ inbuilt E-mail verification boilerplate code.

The expiry time on the email verification link is set at 60 minutes.

This is fine if your user verifies within this period but if the user drops out of the signup process temporarily, or you are not enforcing verification until later on* then it is not uncommon for the user to click the verification link after the 60 minutes has expired.

If the user does that they are met with a 403 error - invalid signature. Not a great experience and likely to result in a support request. (In reality all they need to do is generate another link which they can do in the app).

I see a few options (below) but wanted to find out what others have been doing to combat this? Are there any other options?

  1. Somehow intercept the 403 error and redirect to a /verify route where the user can request another link. However, an app may generate other 403 errors for other signed routes and therefore would need a way to pick out this 403 error specifically?

  2. As above but automatically send a new link and inform the user of the same. "This link has expired, we've sent you a fresh one".

  3. Extend the 60 minute timeout (this is not a config option and so requires extending \Illuminate\Auth\Notifications\VerifyEmail as far as I can tell from SO: https://stackoverflow.com/a/53638176).

*In my case I am only enforcing verification before being able to do specific actions like sending emails or downloading PDFs. I tested enforcing the email verification before being able to do any action, but the wait for the email disrupted the sign up process too much - even though I am using postmark.app for my emails (fastest transactional email delivery times).
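
One way to pick out this specific 403, as described in option 1 (an added example, not part of the original post and not Laravel's own code): match on the exception type and the route name in the application's exception handler. It assumes the default route names registered by `Auth::routes(['verify' => true])` and the Laravel 5.7 `render($request, Exception $exception)` signature; the flash key `verification_link_invalid` is a hypothetical name that the `auth.verify` view would need to display.

```php
<?php
// Added example: app/Exceptions/Handler.php in a Laravel 5.7-style application.

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Routing\Exceptions\InvalidSignatureException;

class Handler extends ExceptionHandler
{
    /**
     * Render an exception into an HTTP response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Exception  $exception
     * @return \Illuminate\Http\Response
     */
    public function render($request, Exception $exception)
    {
        // The "signed" middleware throws InvalidSignatureException for an
        // expired link and for a tampered one alike. Matching on the exception
        // type plus the route name leaves every other signed route with its
        // normal 403 response.
        if ($exception instanceof InvalidSignatureException
            && $request->routeIs('verification.verify')) {
            // The URL failed validation, so nothing from it (id, expires) is
            // read or acted on here. No address is marked as verified and no
            // mail is sent; the user lands on the notice page, where the
            // built-in resend action works for the signed-in account only.
            return redirect()
                ->route('verification.notice')
                // Hypothetical flash key; show a "link expired or invalid,
                // request a new one" message in the view when it is set.
                ->with('verification_link_invalid', true);
        }

        return parent::render($request, $exception);
    }
}
```

Because expired and tampered links are handled identically and trigger no side effects, the redirect gives a visitor nothing the plain 403 did not; sending a fresh link automatically (option 2) would additionally need the same throttling the resend route already has.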
