email verification for unauthenticated user

[whoami15]

• Laravel Version: 7.28.4
• PHP Version: 7.3
• Database Driver & Version: MariaDB 10.3.25
• Auth Scaffolding: laravel/ui

Description:

I'm preventing showing of This action is unauthorized when user is not authenticated and click the verify email. I've found a stackoverflow related question here to solve the issue. But I'm thinking of security that's why I'm here to ask because you guys know how it all works.

Code:

class VerificationController extends Controller
{
    use VerifiesEmails {
        verify as originalVerify;
    }
    public function __construct()
    {
        $this->middleware('auth'); // DON'T REMOVE THIS
        $this->middleware('signed')->only('verify');
        $this->middleware('throttle:6,1')->only('verify', 'resend');
    }

    public function verify(Request $request)
    {
        $request->setUserResolver(function () use ($request) {
            return User::findOrFail($request->route('id'));
        });
        return $this->originalVerify($request);
    }
}

So when an email confirmation link is clicked by an unauthenticated user the following will happen:

User will be redirected to the login view 1
User enters credentials; logs in successfully 2
User will be redirect back to the email confirmation URL
Email will be marked as confirmed
1 The email will not be marked as confirmed at this point.

2 The user may enter bad credentials multiple times. As soon as he enters the correct credentials he will be redirected to the intended email confirmation URL.

[bbashy]

I don't see a proper process shown here. To do a list you need to format it properly.

The user may enter bad credentials multiple times.

What does this mean? Login has rate limiting.