# Security & Recovery

This module covers the API v1 endpoints for email verification, session refresh, logout, and password reset.

## Route list
| Method | Path | Controller@method | Middleware |
|---|---|---|---|
| GET | /api/auth/email-verify/{email} | AuthController@verifyEmail | public |
| GET | /api/auth/email-resend | AuthController@resendEmail | public |
| POST | /api/auth/password-token | AuthController@sendResetPasswordToken | public |
| POST | /api/auth/password-reset | AuthController@resetPassword | public |
| POST | /api/auth/refresh-token | AuthController@refreshToken | throttle.custom |
| DELETE | /api/auth | AuthController@logout | auth.xtoken, verified:api |
## Email verification

### 1) Verify email link

`GET /api/auth/email-verify/{email}`

- Controller: `AuthController@verifyEmail`

Behavior:

- `{email}` carries the AES-encrypted email address, which the controller decrypts.
- If the user is not found: error `auth.email_not_found` (404).
- If the email is already verified: success `auth.email_verified`.
- If the verification token in Redis has expired: a new verification email is sent and the API responds with error `auth.email_verification_link_expired`.
- If valid: the email is marked as verified and the `EmailVerified` event is triggered.

### 2) Resend verification email

`GET /api/auth/email-resend`

- Controller: `AuthController@resendEmail`
- Request validation: `ResendEmailRequest`

Payload (query/body):

```json
{
  "email": "user@example.com"
}
```

Response:

- success: `auth.resend_successfully`
- if the user is not found, the API still responds with success (to prevent account enumeration)
## Password reset flow

### 1) Send reset token/link

`POST /api/auth/password-token`

- Controller: `AuthController@sendResetPasswordToken`
- Request validation: `SendResetPasswordTokenRequest`

Payload:

```json
{
  "email": "user@example.com"
}
```

Behavior:

- Calls the Laravel password-reset broker: `Password::broker('users')->sendResetLink(...)`.
- For both `INVALID_USER` and `RESET_LINK_SENT`, the API responds with the same "reset link sent" success message, so the response does not reveal whether the account exists.

Response:

- success: message `passwords.sent` (via `Password::RESET_LINK_SENT`)
- other failures: `sendError(..., 400)`
### 2) Reset password

`POST /api/auth/password-reset`

- Controller: `AuthController@resetPassword`
- Request validation: `ResetPasswordRequest`

Payload:

| Field | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | reset token from the email |
| email | string | Yes | AES-encrypted email address |
| password | string | Yes | min. 8 characters, upper- and lower-case letters, digits, symbols |
| password_confirmation | string | Yes | must match `password` |

Main behavior:

- Decrypts `email` and checks that the user exists.
- Executes the reset via the password broker.
- On success:
  - stores the new password (hashed),
  - temporarily locks withdrawals for the duration given by `Dict::TYPE_WITHDRAW_LOCK_HOUR`,
  - deletes the Redis reset-attempt counter and the user's session tokens.
- Reset attempts are throttled per IP using Redis.

Response:

- success: `passwords.reset`
- invalid token/user: `api.invalid_token` (401)
- throttled: `api.reset_password_throttle` (429)
- other failures: `sendError(..., 400)`
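The per-IP reset-attempt throttle described above, as an added example that is not the project's own code: it models the Redis counter with INCR + EXPIRE, the 429 decision, and the clear-on-success step. The class names, the `reset-attempt:` key prefix, the limit of 5 attempts and the 15-minute window are assumptions, and an in-memory stand-in replaces the Redis client so the script runs offline.

```php
<?php
// Added example, not the project's code: per-IP reset-attempt throttle built on a
// Redis INCR + EXPIRE counter. Class names, key prefix and limits are assumptions.
interface AttemptStore {
    public function incr(string $key): int;
    public function expire(string $key, int $seconds): void;
    public function del(string $key): void;
}
// Offline stand-in for the Redis client (INCR/EXPIRE/DEL semantics, controllable clock).
final class InMemoryRedis implements AttemptStore {
    private array $values = [];
    private array $expiresAt = [];
    public function __construct(private int $now = 0) {}
    public function tick(int $seconds): void { $this->now += $seconds; }
    public function incr(string $key): int {
        if (isset($this->expiresAt[$key]) && $this->expiresAt[$key] <= $this->now) {
            $this->del($key); // TTL elapsed: Redis would already have dropped the key
        }
        return $this->values[$key] = ($this->values[$key] ?? 0) + 1;
    }
    public function expire(string $key, int $seconds): void { $this->expiresAt[$key] = $this->now + $seconds; }
    public function del(string $key): void { unset($this->values[$key], $this->expiresAt[$key]); }
}
final class ResetAttemptThrottle {
    public function __construct(
        private AttemptStore $redis,
        private int $maxAttempts = 5,     // assumed limit per window
        private int $windowSeconds = 900, // assumed 15-minute window
    ) {}
    private function key(string $ip): string { return 'reset-attempt:' . $ip; }
    // Counts one attempt from $ip; false means the controller should answer 429.
    public function attempt(string $ip): bool {
        $count = $this->redis->incr($this->key($ip));
        if ($count === 1) { // first hit in the window: start the TTL so the counter self-clears
            $this->redis->expire($this->key($ip), $this->windowSeconds);
        }
        return $count <= $this->maxAttempts;
    }
    // Run after a successful reset so the legitimate user is not left locked out.
    public function clear(string $ip): void { $this->redis->del($this->key($ip)); }
}

// Constructed demonstration: 3 attempts allowed, the 4th throttled, counter gone after the window.
$redis = new InMemoryRedis();
$throttle = new ResetAttemptThrottle($redis, maxAttempts: 3, windowSeconds: 60);
foreach ([1, 2, 3, 4] as $n) {
    printf("attempt %d: %s\n", $n, $throttle->attempt('203.0.113.7') ? 'allowed' : '429 api.reset_password_throttle');
}
$redis->tick(61);
printf("after window: %s\n", $throttle->attempt('203.0.113.7') ? 'allowed' : '429');
```

Against a real Redis, INCR followed by a separate EXPIRE is not atomic: a crash between the two calls leaves a counter with no TTL, so production code should set both in one step (a Lua script or a MULTI/EXEC block).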
## Session security

### 1) Refresh token

`POST /api/auth/refresh-token`

- Controller: `AuthController@refreshToken`
- Middleware: `throttle.custom`

Payload:

```json
{
  "refreshToken": "<refresh-token>"
}
```

Successful response:

- `xToken.token`
- `xToken.expiresAt`
- a new `refreshToken`
- message: `auth.token_refreshed`

### 2) Logout

`DELETE /api/auth`

- Controller: `AuthController@logout`
- Middleware: `auth.xtoken`, `verified:api`

Behavior:

- Deletes the user's access tokens (`tokens()->delete()`).
- Deletes the session token in Redis (`deleteRedisToken(userId)`).

Response:

- success: `auth.logged_out`