Laravel 5 is a big change over the previous version. It is even more opinionated and makes heavy use of modern PHP language features.
It also includes, like previous versions, the scaffolding for user authentication and management. This includes user account creation and password reseting. It does not include email activation of new user accounts.
I searched for ready-made email activation solutions, but I struggled to find decent ones. I did find the following two blog posts:
These posts got me started, but they’re either too outdated (not specifically for Laravel 5) or make the error of modifying core files. And the one that specifically uses Laravel 5 was not doing this in a very Laravel 5 way.
The Laravel 5 Way
The answer I found was to use Middleware.
You see, I really didn’t want to recreate the built in user authentication and password reset functionality. That code is really well integrated and works well.
I realised that I could enforce an email activation flow between authenticating a user and using any controller that needs an authenticated user by using my own middleware layer.
I created my middleware as per the instructions in the Laravel documentation and set it up to do the following for my controllers that require an authenticated and activated user:
I added my middleware to any controllers that require activated users. Simply adding to the controller’s middleware.
This will cause my middleware to be executed after the user has logged in and before the controller begins processing the requested method.
Here is my middleware that is saved as app/Http/Middleware/UserConfirmed.php:
If you look carefully, you’ll see that I use the authenticated user’s object to get and set the users tables new “confirmed” and “confirmation_code” fields.
This approach is great! No extra database queries unless the user has not received an activation token yet and the activation page is only accessible if the user is already authenticated.
I will add the ability for a user to send themselves a new token or to manually enter a token into the activation page instead of allowing a user to click a link in the email.
I must still resolve the process flow if an unauthenticated user tries to activate their account.