I've implemented an email verification schema for the default authentication mechanism of Laravel. However, I'm stuck on how to prevent users with unverified emails from logging in.

I can test whether user credentials are valid, but then I cannot retrieve the user based on those credentials (Auth::validate).

Alternatively, I could use Auth::attempt or Auth::once to log the user in, but then they are logged in even though they may have an unverified email.

I need either a way to query users by credentials, or a way to log the user out in the same request. (Bonus points if I can do it in LoginController after the validation hook, thus returning a proper error notice to the user.)

przemo_li
  • https://laravel.com/docs/5.0/extending#authentication – online Thomas Aug 04 '17 at 14:10
  • Those docs look old. For 5.4 it returns 404. – przemo_li Aug 04 '17 at 14:14
  • It does, but extending functionality is what you are looking for. I also noticed that Laravel removed some articles that are still very interesting to read. Secondary: https://stackoverflow.com/questions/31015606/login-only-if-user-is-active-using-laravel – online Thomas Aug 04 '17 at 14:16

1 Answer

You can pass in additional parameters to Auth::attempt():

For example:

if (Auth::attempt(['email' => $email, 'password' => $password, 'verified' => 1])) {
    // The user is active, not suspended, and exists.
}

Source: https://laravel.com/docs/5.4/authentication#authenticating-users (under "Specifying Additional Conditions")

przemo_li
ntzm
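
An added example, not part of the original answer or of Laravel's own code: one way to apply the extra verified condition inside the stock LoginController (Laravel 5.4, AuthenticatesUsers trait) and still return a specific notice. The verified column name follows the answer above; the message text is an assumption, and the JSON branch of the stock failure response is left out.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    // Assumption: the users table has a boolean/integer `verified` column.
    protected function credentials(Request $request)
    {
        // Every key except `password` becomes a WHERE condition in the user
        // lookup, so an unverified account is never logged in by attempt().
        return array_merge(
            $request->only($this->username(), 'password'),
            ['verified' => 1]
        );
    }

    protected function sendFailedLoginResponse(Request $request)
    {
        $message = trans('auth.failed');

        // Repeat the lookup without the `verified` condition.
        $provider = $this->guard()->getProvider();
        $plain = $request->only($this->username(), 'password');
        $user = $provider->retrieveByCredentials($plain);

        // Show the "unverified" notice only when the password is correct.
        // Showing it for any known address would confirm which e-mail
        // addresses are registered to someone who does not own them.
        if ($user && $provider->validateCredentials($user, $plain) && ! $user->verified) {
            $message = 'Please verify your email address before logging in.'; // assumed wording
        }

        return redirect()->back()
            ->withInput($request->only($this->username(), 'remember'))
            ->withErrors([$this->username() => $message]);
    }
}
```

Because the notice is sent from the failed-login path, the trait's login throttling still counts these attempts.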