
calin.ionut's avatar

How to implement email verification?

I am not sure if I understood correctly the mechanism of email verification (Laravel 6). (https://laravel.com/docs/6.x/verification)

Currently I am using:

$this->middleware('auth');

in every controller that needs the user to be authenticated.

Should I use only:

$this->middleware('verified');

or both of them?

$this->middleware('auth');
$this->middleware('verified');

I want to implement email confirmation (because most users use fake emails when creating an account...).

For example, how do you proceed if the user has not confirmed the email in 60 min?

Implement a cron job to test if the user has not verified the email account in 60 min, and then delete the account?

bugsysha's avatar

Add implements MustVerifyEmail to User.php

class User extends Authenticatable implements MustVerifyEmail

Add to your web.php

Auth::routes(['verify' => true]);

Since they do not cancel each other out you can use both auth and verified.

For example, How do you proceed if the user has not confirmed the email in 60 min? Implement a cron job to test if the user has not verified the email account in 60 min, and then delete the account?

I just leave them as they are.

calin.ionut's avatar

@bugsysha

I just leave them as they are.

But how about this:

If the user enters another email (for example not his - and of course it can't be verified), and then later another user wants to register with that email address (his email address)?

He can't .... because the account already exists with that email address. Right?

bugsysha's avatar

If the user enters another email (for example not his - and of course it can't be verified), and then later another user wants to register with that email address (his email address)?

Chances of that happening are very low so you are worrying about something that can be resolved by contacting support by an email.

He can't .... because the account already exists with that email address. Right?

Yes, he can, because he can hit forgot password and all good.

Snapey's avatar

Remember that a user is still logged in even if they don't verify their email. Think carefully about what they are allowed to do when not verified.

Also, if verifying is a condition of using the application then you can have a daily job that deletes accounts created x days ago that are unverified.

1 like
Snapey's avatar

In that case, personally I would change the registration process.

  • Create your own form that gets the user's email
  • Check that the email does not already exist
  • Send the user an email containing a secure url which has their email embedded
  • When they get the email, they click the link
  • The link goes to a page where you validate the secure url, get the email address from the link and ask them for a password
  • When they post the password, create an account as per normal registration flow
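
The "secure url" step in the list above, as an added example that is not part of the thread and not Laravel's own code: plain PHP that signs the email and an expiry time with an HMAC and rejects links that were altered or have expired. The key, URL and function names are assumptions made for illustration; Laravel provides the same mechanism as signed URLs (`URL::temporarySignedRoute` and `$request->hasValidSignature()`).

```php
<?php
declare(strict_types=1);

// Constructed demo key (assumption); a real app loads a long random secret from config.
const SIGNING_KEY = 'demo-only-secret-change-me';

/** Build a registration link that embeds the email, an expiry time and an HMAC. */
function makeRegistrationLink(string $baseUrl, string $email, int $ttl, int $now): string
{
    $params = ['email' => strtolower(trim($email)), 'expires' => $now + $ttl];
    $params['signature'] = hash_hmac('sha256', http_build_query($params), SIGNING_KEY);
    return $baseUrl . '?' . http_build_query($params);
}

/** Return the verified email, or null if the link was altered or has expired. */
function verifyRegistrationLink(string $url, int $now): ?string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['email', 'expires', 'signature'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return null; // missing or array-valued parameter
        }
    }
    // Recompute the MAC over exactly the fields that were signed.
    $signed   = http_build_query(['email' => $q['email'], 'expires' => (int) $q['expires']]);
    $expected = hash_hmac('sha256', $signed, SIGNING_KEY);
    if (!hash_equals($expected, $q['signature'])) {
        return null; // email or expiry changed after signing, or forged signature
    }
    if ((int) $q['expires'] < $now) {
        return null; // link is older than its time-to-live
    }
    return $q['email']; // safe to show the "choose a password" form for this address
}

// Constructed sample run with a fixed clock so the three cases are reproducible.
$now  = 1700000000;
$link = makeRegistrationLink('https://app.example/register/complete', 'New.User@example.com', 3600, $now);
var_dump(verifyRegistrationLink($link, $now + 60));                                      // untouched link
var_dump(verifyRegistrationLink(str_replace('new.user', 'someone.else', $link), $now + 60)); // email swapped
var_dump(verifyRegistrationLink($link, $now + 7200));                                    // past expiry
```

Because the account is only created after the password is posted, repeat the "email does not already exist" check at that point as well, since the same link can be opened more than once before it expires.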
