Configuration Authentication Security

I'm looking at using Spark for a new project but I'm not that keen on the current registration process. I've not been able to find a demo to play with so I can only go by what I have seen on live sites that use Spark.

From what I can see, it works like this:

  1. New user creates an account and is immediately logged in.
  2. Spark sends an email validation link that the user has to click in order to activate their account, and they can't do anything in their account until this is done.

That's all fine but there's something else that I don't like and that I consider to be a small security issue (in my use case) and against best practice (according to Troy Hunt):

A bad actor can load the registration form, enter any email address and Spark will confirm if that email address is in use on the system. In my use case for a local service, a small business could be using my service and another local competitor could enter the known email addresses of a rival to confirm if they are using the service.

My ideal solution would be to enter the registration details then:

  1. Return the new user to a login screen with a message like "A verification email has been sent to your email address. Please verify your account before you can log in."
  2. If the registered email address is not in use on the system, send a verification email.
  3. If the email address is in use on the system, send an email explaining that there is already an active account and provide a link to the password reset function.

With this flow, a valid user with an unregistered email address can create an account with no problems, a valid user with an email that is already registered (maybe the user forgot they had an account) will get a reminder email and a bad actor will not get any information regarding active accounts and email addresses that are using the service.

I guess my questions are:

Have I got the current registration flow correct? Does Spark confirm if an email is in use from the registration page by default? Can Spark be configured to work as per my ideal solution?

Last updated 3 years ago.
mattltm mattltm Joined 28 Jul 2015
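The flow described in the post, written as a plain Laravel controller action. This is an added example, not Spark's code or the poster's; it assumes a User model that uses the MustVerifyEmail trait and a hypothetical App\Mail\AccountAlreadyExists mailable that carries the reset link.

```php
<?php
// Added example, not Spark's or the poster's code. Hypothetical names assumed:
// a User model using the MustVerifyEmail trait, an App\Mail\AccountAlreadyExists mailable.
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Mail\AccountAlreadyExists;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Password;

class RegisterController extends Controller
{
    public function store(Request $request)
    {
        // Deliberately no "unique:users" rule: a validation error on the email
        // field is exactly the "this address is taken" signal we want to avoid.
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255'],
            'password' => ['required', 'string', 'min:8', 'confirmed'],
        ]);

        $existing = User::where('email', $data['email'])->first();

        if ($existing === null) {
            $user = User::create([
                'name'     => $data['name'],
                'email'    => $data['email'],
                'password' => Hash::make($data['password']),
            ]);
            // Send the verification mail only; the user is NOT logged in here.
            $user->sendEmailVerificationNotification();
        } else {
            // Tell the mailbox owner (not the form submitter) that an account
            // already exists, with a reset link built from Laravel's broker token.
            $token = Password::broker()->createToken($existing);
            Mail::to($existing)->queue(new AccountAlreadyExists($existing, $token));
        }

        // Same redirect, same message and same status code on both paths.
        return redirect()->route('login')->with('status',
            'A verification email has been sent to your email address. '
            . 'Please verify your account before you can log in.');
    }
}
```

Both mails should go through the queue so the response time does not differ between the two branches, since a measurable delay would leak the same information as the message; a rate limit on the route also keeps the registration form from being used as a bulk mailer.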
