Securing Admin Access: Implementing Email Verification with Laravel and Filament Middleware
Securing Admin Panels: The Importance of Email Verification
Imagine an admin panel where critical actions are performed, but the identity of the user is not fully verified. This introduces a significant security vulnerability. For the Breniapp/brenia project, a robust application built with Laravel and Filament, enhancing security by ensuring user email verification was a key objective, particularly for non-superadmin users accessing the administrative interface.
The challenge was to implement a seamless email verification flow that prevents unverified non-superadmin users from accessing the admin panel, while also providing necessary bypasses for specific scenarios like superadmin access or active impersonation sessions. This ensures a higher level of trust in user identities within the system, without disrupting legitimate administrative workflows.
The Middleware Approach: A Gatekeeper for Access
Laravel's middleware pattern provides an elegant solution for filtering HTTP requests entering your application. For Breniapp/brenia, we leveraged this pattern by introducing a custom EnsureEmailIsVerified middleware. This middleware is strategically placed within the Filament admin authentication chain, acting as a gatekeeper.
When a user attempts to access the admin panel, this middleware intercepts the request. Its primary role is to check if the authenticated user has a verified email address (indicated by the email_verified_at timestamp). If the email is not verified, the user is redirected to a branded email verification notice screen, preventing further access to sensitive admin areas.
Bypassing the Gate: When Exceptions Are Necessary
While strict email verification is crucial, some users or scenarios warrant an exception. The EnsureEmailIsVerified middleware was designed with specific bypass logic:
- Superadmins: Users identified as superadmins (via a
isSuperAdmin()method on theUsermodel) are exempt from email verification requirements. This allows core administrators immediate access without needing to verify their email, streamlining their workflow. - Impersonation Sessions: During an active impersonation session (e.g., a superadmin debugging as another user), the impersonated user also bypasses the verification check. This prevents the impersonator from being locked out due to the impersonated user's unverified email, ensuring a smooth debugging experience.
These bypasses are critical for maintaining operational flexibility without compromising the overall security posture for regular admin users.
Implementing the Verification Flow
To facilitate the email verification process, a new EmailVerificationController was introduced. This controller manages the various aspects of the verification lifecycle:
- Notice Action: Displays the branded verification notice page to unverified users.
- Send Action: Handles requests to resend the verification email, with built-in throttling (
6,1requests per minute) to prevent abuse. - Verify Action: Processes the signed verification link sent to the user's email, marking their email as verified upon success.
The User model was also formally updated to implement the Illuminate\Contracts\Auth\MustVerifyEmail interface. While it already utilized the Illuminate\Auth\MustVerifyEmail trait (which provides the necessary methods like hasVerifiedEmail()), explicitly implementing the interface clarifies its contract and enhances type hinting.
Code Spotlight: Middleware and User Model
Here's a conceptual look at the middleware and user model components:
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Symfony\Component\HttpFoundation\Response;
class EnsureEmailIsVerified
{
public function handle(Request $request, Closure $next): Response
{
$user = $request->user();
// Check if user is logged in and needs verification
if ($user && $user instanceof MustVerifyEmail && !$user->hasVerifiedEmail()) {
// Bypass for superadmins or active impersonation
if ($user->isSuperAdmin() || \Lab404\Impersonate\Services\ImpersonateManager::isImpersonating()) {
return $next($request);
}
// Redirect or return 403 for unverified users
return $request->expectsJson()
? abort(403, 'Your email address is not verified.')
: redirect()->route('verification.notice');
}
return $next($request);
}
}
namespace App\Models;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Auth\MustVerifyEmail as MustVerifyEmailTrait;
// ... other necessary imports
class User extends Authenticatable implements MustVerifyEmail
{
use MustVerifyEmailTrait; // Provides hasVerifiedEmail(), markEmailAsVerified(), etc.
// ... other model properties and methods
public function isSuperAdmin(): bool
{
// Implement your superadmin logic here (e.g., check a role, flag, or specific email)
return $this->email === '[email protected]';
}
}
Ensuring Smooth Transition: The Backfill Migration
Introducing a new security gate like email verification can inadvertently lock out existing users. To prevent this, a backfill migration was created. This migration iterated through all existing users in the database and automatically set their email_verified_at timestamp. This effectively "grandfathers" all previous registrations, ensuring that the new email verification requirement only applies to new user registrations going forward.
Robust Security and Seamless Integration
This implementation significantly bolsters the security of the Breniapp/brenia admin panel by mandating email verification for most users. The use of Laravel's middleware pattern provided a clean and extensible way to enforce this policy, while carefully considered bypasses maintained flexibility for critical roles. Comprehensive feature tests, covering various scenarios from verified users to impersonated unverified users, ensured the robustness and correctness of the new verification flow, culminating in a more secure and reliable administrative experience.
