Updated hashing algo for verify email URL

anonaddy · Oct 6, 2021 · dd0ea08 · dd0ea08
1 parent 0478d9e
commit dd0ea08
Show file tree

Hide file tree

Showing 10 changed files with 212 additions and 74 deletions.
diff --git a/app/Http/Controllers/Auth/VerificationController.php b/app/Http/Controllers/Auth/VerificationController.php
@@ -9,6 +9,7 @@
 use Illuminate\Auth\Events\Verified;
 use Illuminate\Foundation\Auth\VerifiesEmails;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
 
 class VerificationController extends Controller
 {
@@ -64,7 +65,7 @@ public function verify(Request $request)
             throw new AuthorizationException;
         }
 
-        if (! hash_equals((string) $request->route('hash'), sha1($verifiable->getEmailForVerification()))) {
+        if (! Hash::check($verifiable->getEmailForVerification(), (string) base64_decode($request->route('hash')))) {
             throw new AuthorizationException;
         }
 

diff --git a/app/Models/Recipient.php b/app/Models/Recipient.php
@@ -2,10 +2,10 @@
 
 namespace App\Models;
 
+use App\Notifications\CustomVerifyEmail;
 use App\Notifications\UsernameReminder;
 use App\Traits\HasEncryptedAttributes;
 use App\Traits\HasUuid;
-use Illuminate\Auth\Notifications\VerifyEmail;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 
@@ -138,7 +138,7 @@ public function markEmailAsVerified()
      */
     public function sendEmailVerificationNotification()
     {
-        $this->notify(new VerifyEmail);
+        $this->notify(new CustomVerifyEmail);
     }
 
     /**

diff --git a/app/Models/User.php b/app/Models/User.php
@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Notifications\CustomVerifyEmail;
 use App\Traits\HasEncryptedAttributes;
 use App\Traits\HasUuid;
 use Illuminate\Contracts\Auth\MustVerifyEmail;
@@ -266,6 +267,16 @@ public function enableCatchAll()
         $this->update(['catch_all' => true]);
     }
 
+    /**
+     * Send the email verification notification.
+     *
+     * @return void
+     */
+    public function sendEmailVerificationNotification()
+    {
+        $this->notify(new CustomVerifyEmail);
+    }
+
     public function hasVerifiedDefaultRecipient()
     {
         return ! is_null($this->defaultRecipient->email_verified_at);

diff --git a/app/Notifications/CustomVerifyEmail.php b/app/Notifications/CustomVerifyEmail.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace App\Notifications;
+
+use App\Models\User;
+use Illuminate\Auth\Notifications\VerifyEmail;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Notifications\Messages\MailMessage;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Lang;
+use Illuminate\Support\Facades\URL;
+
+class CustomVerifyEmail extends VerifyEmail implements ShouldQueue, ShouldBeEncrypted
+{
+    use Queueable;
+
+    /**
+     * Build the mail representation of the notification.
+     *
+     * @param  mixed  $notifiable
+     * @return \Illuminate\Notifications\Messages\MailMessage
+     */
+    public function toMail($notifiable)
+    {
+        $verificationUrl = $this->verificationUrl($notifiable);
+
+        if (static::$toMailCallback) {
+            return call_user_func(static::$toMailCallback, $notifiable, $verificationUrl);
+        }
+
+        $feedbackId = $notifiable instanceof User ? 'VU:anonaddy' : 'VR:anonaddy';
+        $recipientId = $notifiable instanceof User ? $notifiable->default_recipient_id : $notifiable->id;
+
+        return (new MailMessage)
+            ->subject(Lang::get('Verify Email Address'))
+            ->markdown('mail.verify_email', [
+                'verificationUrl' => $verificationUrl,
+                'recipientId' => $recipientId
+            ])
+            ->withSwiftMessage(function ($message) use ($feedbackId) {
+                $message->getHeaders()
+                        ->addTextHeader('Feedback-ID', $feedbackId);
+            });
+    }
+
+    /**
+     * Get the verification URL for the given notifiable.
+     *
+     * @param  mixed  $notifiable
+     * @return string
+     */
+    protected function verificationUrl($notifiable)
+    {
+        if (static::$createUrlCallback) {
+            return call_user_func(static::$createUrlCallback, $notifiable);
+        }
+
+        return URL::temporarySignedRoute(
+            'verification.verify',
+            Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
+            [
+                'id' => $notifiable->getKey(),
+                'hash' => base64_encode(Hash::make($notifiable->getEmailForVerification())),
+            ]
+        );
+    }
+}
diff --git a/composer.lock b/composer.lock
diff --git a/config/version.yml b/config/version.yml
@@ -5,9 +5,9 @@ current:
   major: 0
   minor: 8
   patch: 4
-  prerelease: ''
+  prerelease: 1-g0478d9e
   buildmetadata: ''
-  commit: 14de41
+  commit: 0478d9
   timestamp:
     year: 2020
     month: 10