feat: Implement email verification and configure production environment for HTTPS with Let's Encrypt.

CrushedDEV · CrushedDEV · commit b5fa87fc2850 · 2026-01-05T20:57:57.000+01:00
diff --git a/app/Http/Controllers/Auth/VerifyEmailController.php b/app/Http/Controllers/Auth/VerifyEmailController.php
@@ -3,28 +3,40 @@
 namespace App\Http\Controllers\Auth;
 
 use App\Http\Controllers\Controller;
+use App\Models\User;
 use Illuminate\Auth\Events\Verified;
-use Illuminate\Foundation\Auth\EmailVerificationRequest;
+use Illuminate\Http\Request;
 use Illuminate\Http\RedirectResponse;
+use Illuminate\Support\Facades\Auth;
 
 class VerifyEmailController extends Controller
 {
     /**
      * Mark the authenticated user's email address as verified.
      */
-    public function __invoke(EmailVerificationRequest $request): RedirectResponse
+    public function __invoke(Request $request, $id, $hash): RedirectResponse
     {
-        if ($request->user()->hasVerifiedEmail()) {
-            return redirect()->intended(route('explore', absolute: false).'?verified=1');
+        $user = User::find($id);
+
+        if (!$user) {
+            abort(404);
         }
 
-        if ($request->user()->markEmailAsVerified()) {
-            /** @var \Illuminate\Contracts\Auth\MustVerifyEmail $user */
-            $user = $request->user();
+        if (!hash_equals((string) $hash, sha1($user->getEmailForVerification()))) {
+            abort(403);
+        }
 
+        if ($user->hasVerifiedEmail()) {
+            return redirect()->intended(route('explore', absolute: false) . '?verified=1');
+        }
+
+        if ($user->markEmailAsVerified()) {
             event(new Verified($user));
+
+            // Auto-login the user since they just verified
+            Auth::login($user);
         }
 
-        return redirect()->intended(route('explore', absolute: false).'?verified=1');
+        return redirect()->intended(route('explore', absolute: false) . '?verified=1');
     }
-}
+}
diff --git a/app/Notifications/CustomVerifyEmail.php b/app/Notifications/CustomVerifyEmail.php
@@ -14,7 +14,7 @@ protected function verificationUrl($notifiable)
     {
         return URL::temporarySignedRoute(
             'verification.verify',
-            Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
+            Carbon::now()->addMinutes(30),
             ['id' => $notifiable->getKey(), 'hash' => sha1($notifiable->getEmailForVerification())]
         );
     }
@@ -30,5 +30,5 @@ public function toMail($notifiable)
         return (new VerifyEmailCustom($url, $name))
             ->to($notifiable->email, $name);
     }
-    
+
 }
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -46,15 +46,27 @@ services:
         restart: unless-stopped
         ports:
             - "80:80"
+            - "443:443"
         volumes:
             - ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf
             - public_data:/var/www/public
             - storage_data:/var/www/storage
+            - ./docker/certbot/conf:/etc/letsencrypt
+            - ./docker/certbot/www:/var/www/certbot
         depends_on:
             - app
         networks:
             - app-network
 
+    certbot:
+        image: certbot/certbot
+        container_name: dropmix-certbot
+        volumes:
+            - ./docker/certbot/conf:/etc/letsencrypt
+            - ./docker/certbot/www:/var/www/certbot
+        networks:
+            - app-network
+
     queue:
         image: dropmix-app
         container_name: dropmix-queue
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
@@ -1,5 +1,25 @@
 server {
     listen 80;
+    server_name dropmixr.es www.dropmixr.es;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name dropmixr.es www.dropmixr.es;
+
+    ssl_certificate /etc/letsencrypt/live/dropmixr.es/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dropmixr.es/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
     index index.php index.html;
     error_log  /var/log/nginx/error.log;
     access_log /var/log/nginx/access.log;
diff --git a/docker/nginx/init-letsencrypt.sh b/docker/nginx/init-letsencrypt.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(dropmixr.es www.dropmixr.es)
+rsa_key_size=4096
+data_path="./docker/certbot"
+email="rojito7676@gmail.com" # PLEASE UPDATE THIS TO YOUR REAL EMAIL
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose -f docker-compose.prod.yml run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+echo "### Starting nginx ..."
+docker-compose -f docker-compose.prod.yml up --force-recreate -d webserver
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose -f docker-compose.prod.yml run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="-m $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose -f docker-compose.prod.yml run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose -f docker-compose.prod.yml exec webserver nginx -s reload
diff --git a/routes/auth.php b/routes/auth.php
@@ -10,7 +10,13 @@
 use App\Http\Controllers\Auth\VerifyEmailController;
 use Illuminate\Support\Facades\Route;
 
+Route::get('verify-email/{id}/{hash}', [VerifyEmailController::class, '__invoke'])
+    ->middleware(['signed', 'throttle:6,1'])
+    ->name('verification.verify');
+
 Route::middleware('guest')->group(function () {
+
+
     Route::get('register', [RegisteredUserController::class, 'create'])
         ->name('register');
 
@@ -38,9 +44,7 @@
     Route::get('verify-email', EmailVerificationPromptController::class)
         ->name('verification.notice');
 
-    Route::get('verify-email/{id}/{hash}', VerifyEmailController::class)
-        ->middleware(['signed', 'throttle:6,1'])
-        ->name('verification.verify');
+
 
     Route::post('email/verification-notification', [EmailVerificationNotificationController::class, 'store'])
         ->middleware('throttle:6,1')
diff --git a/tests/Feature/Auth/EmailVerificationTest.php b/tests/Feature/Auth/EmailVerificationTest.php
@@ -22,23 +22,66 @@ public function test_email_verification_screen_can_be_rendered()
         $response->assertStatus(200);
     }
 
-    public function test_email_can_be_verified()
+    public function test_email_can_be_verified_and_autologs_in()
     {
         $user = User::factory()->unverified()->create();
 
         Event::fake();
 
         $verificationUrl = URL::temporarySignedRoute(
             'verification.verify',
-            now()->addMinutes(60),
+            now()->addMinutes(30),
             ['id' => $user->id, 'hash' => sha1($user->email)]
         );
 
-        $response = $this->actingAs($user)->get($verificationUrl);
+        // Access without being logged in
+        $response = $this->get($verificationUrl);
 
         Event::assertDispatched(Verified::class);
         $this->assertTrue($user->fresh()->hasVerifiedEmail());
-        $response->assertRedirect(route('explore', absolute: false).'?verified=1');
+        $this->assertAuthenticatedAs($user);
+        $response->assertRedirect(route('explore', absolute: false) . '?verified=1');
+    }
+
+    public function test_verified_user_cannot_autologin_with_verification_link()
+    {
+        $user = User::factory()->create(); // Verified by default
+        $this->assertTrue($user->hasVerifiedEmail());
+
+        $verificationUrl = URL::temporarySignedRoute(
+            'verification.verify',
+            now()->addMinutes(30),
+            ['id' => $user->id, 'hash' => sha1($user->email)]
+        );
+
+        // Ensure we are guest
+        $this->assertGuest();
+
+        // Access link
+        $response = $this->get($verificationUrl);
+
+        // Should be redirected but NOT logged in
+        $response->assertRedirect(route('explore', absolute: false) . '?verified=1');
+        $this->assertGuest();
+    }
+
+    public function test_verification_link_expires_after_30_minutes()
+    {
+        $user = User::factory()->unverified()->create();
+
+        $verificationUrl = URL::temporarySignedRoute(
+            'verification.verify',
+            now()->addMinutes(30),
+            ['id' => $user->id, 'hash' => sha1($user->email)]
+        );
+
+        // Travel to future
+        $this->travel(31)->minutes();
+
+        $response = $this->get($verificationUrl);
+
+        $response->assertStatus(403);
+        $this->assertFalse($user->fresh()->hasVerifiedEmail());
     }
 
     public function test_email_is_not_verified_with_invalid_hash()
@@ -47,11 +90,11 @@ public function test_email_is_not_verified_with_invalid_hash()
 
         $verificationUrl = URL::temporarySignedRoute(
             'verification.verify',
-            now()->addMinutes(60),
+            now()->addMinutes(30),
             ['id' => $user->id, 'hash' => sha1('wrong-email')]
         );
 
-        $this->actingAs($user)->get($verificationUrl);
+        $this->get($verificationUrl);
 
         $this->assertFalse($user->fresh()->hasVerifiedEmail());
     }

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ protected function verificationUrl($notifiable)`
`14`	`14`	`{`
`15`	`15`	`return URL::temporarySignedRoute(`
`16`	`16`	`'verification.verify',`
`17`		`- Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),`
	`17`	`+ Carbon::now()->addMinutes(30),`
`18`	`18`	`['id' => $notifiable->getKey(), 'hash' => sha1($notifiable->getEmailForVerification())]`
`19`	`19`	`);`
`20`	`20`	`}`
`@@ -30,5 +30,5 @@ public function toMail($notifiable)`
`30`	`30`	`return (new VerifyEmailCustom($url, $name))`
`31`	`31`	`->to($notifiable->email, $name);`
`32`	`32`	`}`
`33`		`-`
	`33`	`+`
`34`	`34`	`}`