
jove
Level 7

How does the native verify email store the "token" to allow verification?

How does the native Laravel verify email system work? I see there is no table in the database for it; does it save it in the cache or something? I could not find what I was looking for when googling, and would not mind a link to more information.

0 likes
1 reply
Nakov
Best Answer
Level 73

@jove for a verification email, what is being sent is called a signed URL. You can read more on that here:

https://laravel.com/docs/master/urls#signed-urls

and here are the three methods from the UrlGenerator.php class that do the checking:

    /**
     * Determine if the given request has a valid signature.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  bool  $absolute
     * @return bool
     */
    public function hasValidSignature(Request $request, $absolute = true)
    {
        return $this->hasCorrectSignature($request, $absolute)
            && $this->signatureHasNotExpired($request);
    }

    /**
     * Determine if the signature from the given request matches the URL.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  bool  $absolute
     * @return bool
     */
    public function hasCorrectSignature(Request $request, $absolute = true)
    {
        $url = $absolute ? $request->url() : '/'.$request->path();

        $original = rtrim($url.'?'.Arr::query(
            Arr::except($request->query(), 'signature')
        ), '?');

        $signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));

        return hash_equals($signature, (string) $request->query('signature', ''));
    }

    /**
     * Determine if the expires timestamp from the given request is not from the past.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    public function signatureHasNotExpired(Request $request)
    {
        $expires = $request->query('expires');

        return ! ($expires && Carbon::now()->getTimestamp() > $expires);
    }

So in short, the token does not need to be stored in the DB in order to be validated. After the verification is complete the timestamp is stored in your users table in the email_verified_at field.

3 likes
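Added example, not part of the thread or of Laravel's source: a framework-free PHP sketch of the stateless check the answer quotes, showing that a link can be issued and verified with no stored token, and that changing the path or the `expires` value breaks the signature. The key, the `example.test` URL and the `sign_url` / `verify_url` helper names are constructed for this illustration.

```php
<?php
// Added illustration of the HMAC-signed URL scheme described in the answer.
// KEY, the URL and both helper names are assumptions made for this demo.
const KEY = 'constructed-demo-key-not-a-real-secret';

/** Append expires + signature to a URL; nothing is written to any store. */
function sign_url(string $url, array $params, int $expires): string
{
    $params['expires'] = $expires;
    $unsigned = $url.'?'.http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $params['signature'] = hash_hmac('sha256', $unsigned, KEY);

    return $url.'?'.http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Recompute the HMAC over the URL minus "signature", then check expiry. */
function verify_url(string $signed, int $now): bool
{
    $parts = parse_url($signed);
    parse_str($parts['query'] ?? '', $query);
    $given = (string) ($query['signature'] ?? '');
    unset($query['signature']);

    $url = $parts['scheme'].'://'.$parts['host'].$parts['path'];
    $original = rtrim($url.'?'.http_build_query($query, '', '&', PHP_QUERY_RFC3986), '?');
    $expected = hash_hmac('sha256', $original, KEY);
    $expires = $query['expires'] ?? null;

    return hash_equals($expected, $given)          // constant-time comparison
        && ! ($expires && $now > (int) $expires);  // same expiry rule as quoted above
}

$now  = 1700000000; // constructed fixed clock so runs are reproducible
$link = sign_url('https://example.test/email/verify/42/abc', [], $now + 3600);

// Case 1: the untouched link, checked before it expires.
var_dump(verify_url($link, $now));
// Case 2: the user id in the path was changed after signing.
var_dump(verify_url(str_replace('/42/', '/43/', $link), $now));
// Case 3: the expires value was pushed into the future after signing.
var_dump(verify_url(preg_replace('/expires=\d+/', 'expires=9999999999', $link), $now));
// Case 4: the untouched link, checked two hours later.
var_dump(verify_url($link, $now + 7200));
```

Because nothing is stored server-side, a link stays usable until its `expires` time passes, and its integrity rests entirely on the secrecy of the signing key.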
