I would create and verify the account before doing any charges. Any time the user changes emails it should be verified before the change is made permanent.
Mar 11, 2022
1
Level 6
Possible security issue with email verification?
I'm trying to implement a paid subscription during the registration flow with Laravel Breeze and Cashier but have a security concern, so I would love a second set of eyes on the flow.
- User registers
- User is logged in and redirected to subscribe route (email verification email is not sent yet)
- User chooses a plan which subscribes via Stripe checkout
- The Stripe webhook controller then triggers the email verification email to be sent. Any important actions are protected by the verified middleware in the meantime.
- I would present an option to change the email on the verify screen.
Does anybody see any issues with this flow and how it would interact with Stripe customer data?
The potential issue I can see is if someone mistakenly enters the email for someone else then that person could hijack a paid account with a forgotten password request. Can this be avoided? I would really like to avoid forcing the user to verify the email during checkout.
Thanks
Level 73
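One way to address the hijack concern raised in the question, as an added example (not code from the post, from Laravel, or from Cashier): send the verification mail from a Cashier `WebhookReceived` listener once checkout completes, and refuse password-reset links for addresses that have not yet been verified, so a subscription registered under someone else's email cannot be taken over through "forgot password". Class names, the listener registration and the controller override are assumptions; `Cashier::findBillable`, `hasVerifiedEmail`, `sendEmailVerificationNotification` and `Password::sendResetLink` are the standard Laravel/Cashier calls.

```php
<?php
// Added example for the flow above; not code from the post or from Laravel/Cashier.
// Assumes Laravel Breeze + Cashier defaults. Class names are hypothetical.

namespace App\Listeners;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Password;
use Laravel\Cashier\Cashier;
use Laravel\Cashier\Events\WebhookReceived;

// 1. Send the verification mail only after Stripe confirms the checkout.
//    Register this listener for WebhookReceived in EventServiceProvider.
class SendVerificationAfterCheckout
{
    public function handle(WebhookReceived $event): void
    {
        if ($event->payload['type'] !== 'checkout.session.completed') {
            return;
        }
        // Resolve the billable user from the Stripe customer id in the payload.
        $user = Cashier::findBillable($event->payload['data']['object']['customer']);
        if ($user && ! $user->hasVerifiedEmail()) {
            $user->sendEmailVerificationNotification();
        }
    }
}

// 2. Refuse password resets for unverified addresses. Replaces store() in
//    Breeze's PasswordResetLinkController; the unverified-email branch returns
//    the same generic message as a successful send, so the endpoint does not
//    reveal which addresses have accounts.
class PasswordResetLinkController
{
    public function store(Request $request)
    {
        $request->validate(['email' => ['required', 'email']]);

        $user = User::where('email', $request->email)->first();
        if (! $user || ! $user->hasVerifiedEmail()) {
            return back()->with('status', __('passwords.sent'));
        }

        $status = Password::sendResetLink($request->only('email'));

        return $status == Password::RESET_LINK_SENT
            ? back()->with('status', __($status))
            : back()->withInput($request->only('email'))
                    ->withErrors(['email' => __($status)]);
    }
}
```

With this in place the wrongly entered address only ever receives a verification link, never a reset link, and the registering user can still correct the address from the verify screen before any verification is completed.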