klevze/SkinbaseNova
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'feature/RegistrationAntispamMail' into develop

Browse Source
This commit is contained in:
Gregor Klevže
2026-02-21 12:17:27 +01:00
parent df67252078 e70a876ef2
commit 7648e7d426
33 changed files with 1288 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.env.example
View File

@@ -208,6 +208,23 @@ MAIL_PASSWORD=null
MAIL_FROM_ADDRESS="hello@example.com" MAIL_FROM_ADDRESS="hello@example.com"
MAIL_FROM_NAME="${APP_NAME}" MAIL_FROM_NAME="${APP_NAME}"
# Registration anti-spam
REGISTRATION_IP_PER_MINUTE_LIMIT=3
REGISTRATION_IP_PER_DAY_LIMIT=20
REGISTRATION_EMAIL_PER_MINUTE_LIMIT=6
REGISTRATION_EMAIL_COOLDOWN_MINUTES=30
REGISTRATION_VERIFY_TOKEN_TTL_HOURS=24
REGISTRATION_ENABLE_TURNSTILE=true
REGISTRATION_DISPOSABLE_DOMAINS_ENABLED=true
REGISTRATION_TURNSTILE_SUSPICIOUS_ATTEMPTS=2
REGISTRATION_TURNSTILE_ATTEMPT_WINDOW_MINUTES=30
REGISTRATION_EMAIL_GLOBAL_SEND_PER_MINUTE=30
REGISTRATION_MONTHLY_EMAIL_LIMIT=10000
TURNSTILE_SITE_KEY=
TURNSTILE_SECRET_KEY=
TURNSTILE_VERIFY_URL=https://challenges.cloudflare.com/turnstile/v0/siteverify
TURNSTILE_TIMEOUT=5
AWS_ACCESS_KEY_ID= AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY= AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1 AWS_DEFAULT_REGION=us-east-1

1
README.md
View File

@@ -221,6 +221,7 @@ Operational runbook: `docs/feed-rollout-runbook.md`.
- Upload UI v2 rollout, post-deploy monitoring, and rollback: `docs/ui/upload-v2-rollout-runbook.md` - Upload UI v2 rollout, post-deploy monitoring, and rollback: `docs/ui/upload-v2-rollout-runbook.md`
- Feed rollout and rollback: `docs/feed-rollout-runbook.md` - Feed rollout and rollback: `docs/feed-rollout-runbook.md`
- Registration anti-spam and email quota protection: `docs/registration-antispam.md`
No automatic tuning is enabled in this phase. No automatic tuning is enabled in this phase.

285
app/Http/Controllers/Auth/RegisteredUserController.php
View File

@@ -2,24 +2,26 @@
namespace App\Http\Controllers\Auth; namespace App\Http\Controllers\Auth;
use App\Jobs\SendVerificationEmailJob;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use App\Mail\RegistrationVerificationMail; use App\Models\EmailSendEvent;
use App\Models\User; use App\Models\User;
use App\Services\Security\RecaptchaVerifier; use App\Services\Auth\DisposableEmailService;
use Carbon\CarbonImmutable; use App\Services\Auth\RegistrationVerificationTokenService;
use App\Services\Security\TurnstileVerifier;
use Illuminate\Http\RedirectResponse; use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash; use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail; use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Illuminate\View\View; use Illuminate\View\View;
class RegisteredUserController extends Controller class RegisteredUserController extends Controller
{ {
public function __construct( public function __construct(
private readonly RecaptchaVerifier $recaptchaVerifier private readonly TurnstileVerifier $turnstileVerifier,
private readonly DisposableEmailService $disposableEmailService,
private readonly RegistrationVerificationTokenService $verificationTokenService,
) )
{ {
} }
@@ -31,6 +33,8 @@ class RegisteredUserController extends Controller
{ {
return view('auth.register', [ return view('auth.register', [
'prefillEmail' => (string) $request->query('email', ''), 'prefillEmail' => (string) $request->query('email', ''),
'requiresTurnstile' => $this->shouldRequireTurnstile($request->ip()),
'turnstileSiteKey' => (string) config('services.turnstile.site_key', ''),
]); ]);
} }
@@ -53,54 +57,77 @@ class RegisteredUserController extends Controller
public function store(Request $request): RedirectResponse public function store(Request $request): RedirectResponse
{ {
$validated = $request->validate([ $validated = $request->validate([
'email' => ['required', 'string', 'lowercase', 'email', 'max:255', 'unique:'.User::class], 'email' => ['required', 'string', 'lowercase', 'email', 'max:255'],
'website' => ['nullable', 'max:0'], 'website' => ['nullable', 'max:0'],
'cf-turnstile-response' => ['nullable', 'string'],
]); ]);
if ($this->recaptchaVerifier->isEnabled()) { $email = strtolower(trim((string) $validated['email']));
$request->validate([ $ip = $request->ip();
'g-recaptcha-response' => ['required', 'string'],
]);
$verified = $this->recaptchaVerifier->verify( $this->trackRegisterAttempt($ip);
(string) $request->input('g-recaptcha-response', ''),
$request->ip() if ($this->shouldRequireTurnstile($ip)) {
$verified = $this->turnstileVerifier->verify(
(string) $request->input('cf-turnstile-response', ''),
$ip
); );
if (! $verified) { if (! $verified) {
return back() return back()
->withInput($request->except('website')) ->withInput($request->except('website'))
->withErrors(['captcha' => 'reCAPTCHA verification failed. Please try again.']); ->withErrors(['captcha' => 'Captcha verification failed. Please try again.']);
} }
} }
$user = User::create([ if ($this->disposableEmailService->isDisposableEmail($email)) {
'username' => null, $this->logEmailEvent($email, $ip, null, 'blocked', 'disposable');
'name' => Str::before((string) $validated['email'], '@'),
'email' => $validated['email'],
'password' => Hash::make(Str::random(64)),
'is_active' => false,
'onboarding_step' => 'email',
'username_changed_at' => now(),
]);
$token = Str::random(64); return back()
DB::table('user_verification_tokens')->insert([ ->withInput($request->except('website'))
'user_id' => $user->id, ->withErrors(['email' => 'Please use a real email provider.']);
'token' => $token, }
'expires_at' => now()->addDay(),
'created_at' => now(),
'updated_at' => now(),
]);
Mail::to($user->email)->queue(new RegistrationVerificationMail($token)); $user = User::query()->where('email', $email)->first();
$cooldown = $this->resendCooldownSeconds(); if ($user && $user->email_verified_at !== null) {
$this->setResendCooldown((string) $validated['email'], $cooldown); $this->logEmailEvent($email, $ip, (int) $user->id, 'blocked', 'already-verified');
return redirect(route('register.notice', absolute: false)) return $this->redirectToRegisterNotice($email);
->with('status', 'Verification email sent. Please check your inbox.') }
->with('registration_email', (string) $validated['email']);
if (! $user) {
$user = User::query()->create([
'username' => null,
'name' => Str::before($email, '@'),
'email' => $email,
'password' => Hash::make(Str::random(64)),
'is_active' => false,
'onboarding_step' => 'email',
'username_changed_at' => now(),
]);
}
if ($this->isWithinEmailCooldown($user)) {
$this->logEmailEvent($email, $ip, (int) $user->id, 'blocked', 'cooldown');
return $this->redirectToRegisterNotice($email);
}
$token = $this->verificationTokenService->createForUser((int) $user->id);
$event = $this->logEmailEvent($email, $ip, (int) $user->id, 'queued', null);
SendVerificationEmailJob::dispatch(
emailEventId: (int) $event->id,
email: $email,
token: $token,
userId: (int) $user->id,
ip: $ip
);
$this->markVerificationEmailSent($user);
return $this->redirectToRegisterNotice($email);
} }
public function resendVerification(Request $request): RedirectResponse public function resendVerification(Request $request): RedirectResponse
@@ -109,13 +136,8 @@ class RegisteredUserController extends Controller
'email' => ['required', 'string', 'lowercase', 'email', 'max:255'], 'email' => ['required', 'string', 'lowercase', 'email', 'max:255'],
]); ]);
$email = (string) $validated['email']; $email = strtolower(trim((string) $validated['email']));
$remaining = $this->resendRemainingSeconds($email); $ip = $request->ip();
if ($remaining > 0) {
return back()
->with('registration_email', $email)
->withErrors(['email' => "Please wait {$remaining} seconds before resending."]);
}
$user = User::query() $user = User::query()
->where('email', $email) ->where('email', $email)
@@ -124,55 +146,162 @@ class RegisteredUserController extends Controller
->first(); ->first();
if (! $user) { if (! $user) {
return back() $this->logEmailEvent($email, $ip, null, 'blocked', 'missing');
->with('registration_email', $email)
->withErrors(['email' => 'No pending verification found for this email.']); return $this->redirectToRegisterNotice($email);
} }
DB::table('user_verification_tokens')->where('user_id', $user->id)->delete(); if ($this->isWithinEmailCooldown($user)) {
$this->logEmailEvent($email, $ip, (int) $user->id, 'blocked', 'cooldown');
$token = Str::random(64); return $this->redirectToRegisterNotice($email);
DB::table('user_verification_tokens')->insert([ }
'user_id' => $user->id,
'token' => $token,
'expires_at' => now()->addDay(),
'created_at' => now(),
'updated_at' => now(),
]);
Mail::to($user->email)->queue(new RegistrationVerificationMail($token)); $token = $this->verificationTokenService->createForUser((int) $user->id);
$event = $this->logEmailEvent($email, $ip, (int) $user->id, 'queued', null);
$cooldown = $this->resendCooldownSeconds(); SendVerificationEmailJob::dispatch(
$this->setResendCooldown($email, $cooldown); emailEventId: (int) $event->id,
email: $email,
token: $token,
userId: (int) $user->id,
ip: $ip
);
$this->markVerificationEmailSent($user);
return $this->redirectToRegisterNotice($email);
}
private function redirectToRegisterNotice(string $email): RedirectResponse
{
return redirect(route('register.notice', absolute: false)) return redirect(route('register.notice', absolute: false))
->with('registration_email', $email) ->with('status', $this->genericSuccessMessage())
->with('status', 'Verification email resent. Please check your inbox.'); ->with('registration_email', $email);
}
private function genericSuccessMessage(): string
{
return (string) config('registration.generic_success_message', 'If that email is valid, we sent a verification link.');
}
private function logEmailEvent(string $email, ?string $ip, ?int $userId, string $status, ?string $reason): EmailSendEvent
{
return EmailSendEvent::query()->create([
'type' => 'verify_email',
'email' => $email,
'ip' => $ip,
'user_id' => $userId,
'status' => $status,
'reason' => $reason,
'created_at' => now(),
]);
}
private function shouldRequireTurnstile(?string $ip): bool
{
if (! $this->turnstileVerifier->isEnabled()) {
return false;
}
if ($ip === null || $ip === '') {
return false;
}
$threshold = max(1, (int) config('registration.turnstile_suspicious_attempts', 2));
$attempts = (int) cache()->get($this->registerAttemptCacheKey($ip), 0);
if ($attempts >= $threshold) {
return true;
}
$minuteLimit = max(1, (int) config('registration.ip_per_minute_limit', 3));
$dailyLimit = max(1, (int) config('registration.ip_per_day_limit', 20));
if (RateLimiter::tooManyAttempts($this->registerIpRateKey($ip), $minuteLimit)) {
return true;
}
return RateLimiter::tooManyAttempts($this->registerIpDailyRateKey($ip), $dailyLimit);
}
private function trackRegisterAttempt(?string $ip): void
{
if ($ip === null || $ip === '') {
return;
}
$key = $this->registerAttemptCacheKey($ip);
$windowMinutes = max(1, (int) config('registration.turnstile_attempt_window_minutes', 30));
$seconds = $windowMinutes * 60;
$attempts = (int) cache()->get($key, 0);
cache()->put($key, $attempts + 1, $seconds);
}
private function registerAttemptCacheKey(string $ip): string
{
return 'register:attempts:' . sha1($ip);
}
private function registerIpRateKey(string $ip): string
{
return 'register:ip:' . $ip;
}
private function registerIpDailyRateKey(string $ip): string
{
return 'register:ip:daily:' . $ip;
}
private function isWithinEmailCooldown(User $user): bool
{
if ($user->last_verification_sent_at === null) {
return false;
}
$cooldownMinutes = max(1, (int) config('registration.email_cooldown_minutes', 30));
return $user->last_verification_sent_at->gt(now()->subMinutes($cooldownMinutes));
}
private function markVerificationEmailSent(User $user): void
{
$now = now();
$windowStartedAt = $user->verification_send_window_started_at;
if (! $windowStartedAt || $windowStartedAt->lt($now->copy()->subDay())) {
$user->verification_send_window_started_at = $now;
$user->verification_send_count_24h = 1;
} else {
$user->verification_send_count_24h = ((int) $user->verification_send_count_24h) + 1;
}
$user->last_verification_sent_at = $now;
$user->save();
} }
private function resendCooldownSeconds(): int private function resendCooldownSeconds(): int
{ {
return max(5, (int) config('antispam.register.resend_cooldown_seconds', 60)); return max(60, ((int) config('registration.email_cooldown_minutes', 30)) * 60);
}
private function resendCooldownCacheKey(string $email): string
{
return 'register:resend:cooldown:' . sha1(strtolower(trim($email)));
}
private function setResendCooldown(string $email, int $seconds): void
{
$until = CarbonImmutable::now()->addSeconds($seconds)->timestamp;
Cache::put($this->resendCooldownCacheKey($email), $until, $seconds + 5);
} }
private function resendRemainingSeconds(string $email): int private function resendRemainingSeconds(string $email): int
{ {
$until = (int) Cache::get($this->resendCooldownCacheKey($email), 0); $user = User::query()
if ($until <= 0) { ->where('email', strtolower(trim($email)))
->whereNull('email_verified_at')
->first();
if (! $user || $user->last_verification_sent_at === null) {
return 0; return 0;
} }
return max(0, $until - time()); $remaining = $user->last_verification_sent_at
->copy()
->addSeconds($this->resendCooldownSeconds())
->diffInSeconds(now(), false);
return $remaining >= 0 ? 0 : abs((int) $remaining);
} }
} }

18
app/Http/Controllers/Auth/RegistrationVerificationController.php
View File

@@ -4,30 +4,28 @@ namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use App\Models\User; use App\Models\User;
use App\Services\Auth\RegistrationVerificationTokenService;
use Illuminate\Http\RedirectResponse; use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB; use Illuminate\Support\Facades\DB;
class RegistrationVerificationController extends Controller class RegistrationVerificationController extends Controller
{ {
public function __construct(
private readonly RegistrationVerificationTokenService $tokenService
)
{
}
public function __invoke(string $token): RedirectResponse public function __invoke(string $token): RedirectResponse
{ {
$record = DB::table('user_verification_tokens') $record = $this->tokenService->findValidRecord($token);
->where('token', $token)
->first();
if (! $record) { if (! $record) {
return redirect(route('login', absolute: false)) return redirect(route('login', absolute: false))
->withErrors(['email' => 'Verification link is invalid.']); ->withErrors(['email' => 'Verification link is invalid.']);
} }
if (now()->greaterThan($record->expires_at)) {
DB::table('user_verification_tokens')->where('id', $record->id)->delete();
return redirect(route('login', absolute: false))
->withErrors(['email' => 'Verification link has expired.']);
}
$user = User::query()->find((int) $record->user_id); $user = User::query()->find((int) $record->user_id);
if (! $user) { if (! $user) {
DB::table('user_verification_tokens')->where('id', $record->id)->delete(); DB::table('user_verification_tokens')->where('id', $record->id)->delete();

62
app/Jobs/SendVerificationEmailJob.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
namespace App\Jobs;
use App\Mail\RegistrationVerificationMail;
use App\Services\Auth\RegistrationEmailQuotaService;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Queue\Queueable;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\RateLimiter;
class SendVerificationEmailJob implements ShouldQueue
{
use Queueable;
public int $tries = 5;
public function __construct(
public readonly int $emailEventId,
public readonly string $email,
public readonly string $token,
public readonly ?int $userId,
public readonly ?string $ip
) {
$this->onQueue('mail');
}
public function handle(RegistrationEmailQuotaService $quotaService): void
{
$key = 'registration:verification-email:global';
$maxPerMinute = max(1, (int) config('registration.email_global_send_per_minute', 30));
$allowed = RateLimiter::attempt($key, $maxPerMinute, static fn () => true, 60);
if (! $allowed) {
$this->release(10);
return;
}
if ($quotaService->isExceeded()) {
$this->updateEvent('blocked', 'quota');
return;
}
Mail::to($this->email)->queue(new RegistrationVerificationMail($this->token));
$quotaService->incrementSentCount();
$this->updateEvent('sent', null);
}
private function updateEvent(string $status, ?string $reason): void
{
DB::table('email_send_events')
->where('id', $this->emailEventId)
->update([
'status' => $status,
'reason' => $reason,
]);
}
}

2
app/Mail/RegistrationVerificationMail.php
View File

@@ -40,7 +40,7 @@ class RegistrationVerificationMail extends Mailable implements ShouldQueue
view: 'emails.registration-verification', view: 'emails.registration-verification',
with: [ with: [
'verificationUrl' => url('/verify/'.$this->token), 'verificationUrl' => url('/verify/'.$this->token),
'expiresInHours' => 24, 'expiresInHours' => max(1, (int) config('registration.verify_token_ttl_hours', 24)),
'supportUrl' => $appUrl . '/support', 'supportUrl' => $appUrl . '/support',
], ],
); );

31
app/Models/EmailSendEvent.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
class EmailSendEvent extends Model
{
protected $table = 'email_send_events';
public $timestamps = false;
protected $fillable = [
'type',
'email',
'ip',
'user_id',
'status',
'reason',
'created_at',
];
protected $casts = [
'created_at' => 'datetime',
];
public function user()
{
return $this->belongsTo(User::class);
}
}

26
app/Models/SystemEmailQuota.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
class SystemEmailQuota extends Model
{
protected $table = 'system_email_quota';
public $timestamps = false;
protected $fillable = [
'period',
'sent_count',
'limit_count',
'updated_at',
];
protected $casts = [
'updated_at' => 'datetime',
'sent_count' => 'integer',
'limit_count' => 'integer',
];
}

6
app/Models/User.php
View File

@@ -26,6 +26,9 @@ class User extends Authenticatable
'onboarding_step', 'onboarding_step',
'name', 'name',
'email', 'email',
'last_verification_sent_at',
'verification_send_count_24h',
'verification_send_window_started_at',
'is_active', 'is_active',
'needs_password_reset', 'needs_password_reset',
'password', 'password',
@@ -51,6 +54,9 @@ class User extends Authenticatable
{ {
return [ return [
'email_verified_at' => 'datetime', 'email_verified_at' => 'datetime',
'last_verification_sent_at' => 'datetime',
'verification_send_window_started_at' => 'datetime',
'verification_send_count_24h' => 'integer',
'username_changed_at' => 'datetime', 'username_changed_at' => 'datetime',
'deleted_at' => 'datetime', 'deleted_at' => 'datetime',
'password' => 'hashed', 'password' => 'hashed',

16
app/Providers/AppServiceProvider.php
View File

@@ -91,10 +91,22 @@ class AppServiceProvider extends ServiceProvider
private function configureAuthRateLimiters(): void private function configureAuthRateLimiters(): void
{ {
RateLimiter::for('register-ip', function (Request $request): Limit {
$limit = max(1, (int) config('registration.ip_per_minute_limit', 3));
return Limit::perMinute($limit)->by('register:ip:' . $request->ip());
});
RateLimiter::for('register-ip-daily', function (Request $request): Limit {
$limit = max(1, (int) config('registration.ip_per_day_limit', 20));
return Limit::perDay($limit)->by('register:ip:daily:' . $request->ip());
});
RateLimiter::for('register', function (Request $request): array { RateLimiter::for('register', function (Request $request): array {
$emailKey = strtolower((string) $request->input('email', 'unknown')); $emailKey = strtolower((string) $request->input('email', 'unknown'));
$ipLimit = (int) config('antispam.register.ip_per_minute', 20); $ipLimit = (int) config('registration.ip_per_minute_limit', 3);
$emailLimit = (int) config('antispam.register.email_per_minute', 6); $emailLimit = (int) config('registration.email_per_minute_limit', 6);
return [ return [
Limit::perMinute($ipLimit)->by('register:ip:' . $request->ip()), Limit::perMinute($ipLimit)->by('register:ip:' . $request->ip()),

66
app/Services/Auth/DisposableEmailService.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
namespace App\Services\Auth;
class DisposableEmailService
{
public function isEnabled(): bool
{
return (bool) config('registration.disposable_domains_enabled', true);
}
public function isDisposableEmail(string $email): bool
{
if (! $this->isEnabled()) {
return false;
}
$domain = $this->extractDomain($email);
if ($domain === null) {
return false;
}
$blocked = (array) config('disposable_email_domains.domains', []);
foreach ($blocked as $entry) {
$pattern = strtolower(trim((string) $entry));
if ($pattern === '') {
continue;
}
if ($this->matchesPattern($domain, $pattern)) {
return true;
}
}
return false;
}
private function extractDomain(string $email): ?string
{
$normalized = strtolower(trim($email));
if ($normalized === '' || ! str_contains($normalized, '@')) {
return null;
}
$parts = explode('@', $normalized);
$domain = trim((string) end($parts));
return $domain !== '' ? $domain : null;
}
private function matchesPattern(string $domain, string $pattern): bool
{
if ($pattern === $domain) {
return true;
}
if (! str_contains($pattern, '*')) {
return false;
}
$quoted = preg_quote($pattern, '#');
$regex = '#^' . str_replace('\\*', '.*', $quoted) . '$#i';
return (bool) preg_match($regex, $domain);
}
}

37
app/Services/Auth/RegistrationEmailQuotaService.php Normal file
View File

@@ -0,0 +1,37 @@
<?php
namespace App\Services\Auth;
use App\Models\SystemEmailQuota;
class RegistrationEmailQuotaService
{
public function isExceeded(): bool
{
$quota = $this->getCurrentPeriodQuota();
return $quota->sent_count >= $quota->limit_count;
}
public function incrementSentCount(): void
{
$quota = $this->getCurrentPeriodQuota();
$quota->sent_count = (int) $quota->sent_count + 1;
$quota->updated_at = now();
$quota->save();
}
private function getCurrentPeriodQuota(): SystemEmailQuota
{
$period = now()->format('Y-m');
return SystemEmailQuota::query()->firstOrCreate(
['period' => $period],
[
'sent_count' => 0,
'limit_count' => max(1, (int) config('registration.monthly_email_limit', 10000)),
'updated_at' => now(),
]
);
}
}

67
app/Services/Auth/RegistrationVerificationTokenService.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
namespace App\Services\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
class RegistrationVerificationTokenService
{
public function createForUser(int $userId): string
{
DB::table('user_verification_tokens')->where('user_id', $userId)->delete();
$rawToken = Str::random(64);
$tokenHash = $this->hashToken($rawToken);
// Support environments where the migration hasn't renamed the column yet
$column = \Illuminate\Support\Facades\Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([
'user_id' => $userId,
$column => $tokenHash,
'expires_at' => now()->addHours($this->ttlHours()),
'created_at' => now(),
'updated_at' => now(),
]);
return $rawToken;
}
public function findValidRecord(string $rawToken): ?object
{
$tokenHash = $this->hashToken($rawToken);
$column = \Illuminate\Support\Facades\Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
$record = DB::table('user_verification_tokens')
->where($column, $tokenHash)
->first();
if (! $record) {
return null;
}
if (! hash_equals((string) ($record->{$column} ?? ''), $tokenHash)) {
return null;
}
if (now()->greaterThan($record->expires_at)) {
DB::table('user_verification_tokens')->where('id', $record->id)->delete();
return null;
}
return $record;
}
private function ttlHours(): int
{
return max(1, (int) config('registration.verify_token_ttl_hours', 24));
}
private function hashToken(string $rawToken): string
{
return hash('sha256', $rawToken);
}
}

51
app/Services/Security/TurnstileVerifier.php Normal file
View File

@@ -0,0 +1,51 @@
<?php
namespace App\Services\Security;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;
class TurnstileVerifier
{
public function isEnabled(): bool
{
return (bool) config('registration.enable_turnstile', true)
&& (string) config('services.turnstile.site_key', '') !== ''
&& (string) config('services.turnstile.secret_key', '') !== '';
}
public function verify(string $token, ?string $ip = null): bool
{
if (! $this->isEnabled()) {
return true;
}
if (trim($token) === '') {
return false;
}
try {
$response = Http::asForm()
->timeout((int) config('services.turnstile.timeout', 5))
->post((string) config('services.turnstile.verify_url', 'https://challenges.cloudflare.com/turnstile/v0/siteverify'), [
'secret' => (string) config('services.turnstile.secret_key', ''),
'response' => $token,
'remoteip' => $ip,
]);
if ($response->failed()) {
return false;
}
$payload = $response->json();
return (bool) data_get($payload, 'success', false);
} catch (\Throwable $exception) {
Log::warning('turnstile verification request failed', [
'message' => $exception->getMessage(),
]);
return false;
}
}
}

11
config/disposable_email_domains.php Normal file
View File

@@ -0,0 +1,11 @@
<?php
return [
'domains' => [
'mailinator.com',
'10minutemail.com',
'guerrillamail.com',
'tempmail.com',
'yopmail.com',
],
];

16
config/registration.php Normal file
View File

@@ -0,0 +1,16 @@
<?php
return [
'ip_per_minute_limit' => (int) env('REGISTRATION_IP_PER_MINUTE_LIMIT', 3),
'ip_per_day_limit' => (int) env('REGISTRATION_IP_PER_DAY_LIMIT', 20),
'email_per_minute_limit' => (int) env('REGISTRATION_EMAIL_PER_MINUTE_LIMIT', 6),
'email_cooldown_minutes' => (int) env('REGISTRATION_EMAIL_COOLDOWN_MINUTES', 30),
'verify_token_ttl_hours' => (int) env('REGISTRATION_VERIFY_TOKEN_TTL_HOURS', 24),
'enable_turnstile' => (bool) env('REGISTRATION_ENABLE_TURNSTILE', true),
'disposable_domains_enabled' => (bool) env('REGISTRATION_DISPOSABLE_DOMAINS_ENABLED', true),
'turnstile_suspicious_attempts' => (int) env('REGISTRATION_TURNSTILE_SUSPICIOUS_ATTEMPTS', 2),
'turnstile_attempt_window_minutes' => (int) env('REGISTRATION_TURNSTILE_ATTEMPT_WINDOW_MINUTES', 30),
'email_global_send_per_minute' => (int) env('REGISTRATION_EMAIL_GLOBAL_SEND_PER_MINUTE', 30),
'monthly_email_limit' => (int) env('REGISTRATION_MONTHLY_EMAIL_LIMIT', 10000),
'generic_success_message' => 'If that email is valid, we sent a verification link.',
];

7
config/services.php
View File

@@ -47,4 +47,11 @@ return [
'timeout' => (int) env('RECAPTCHA_TIMEOUT', 5), 'timeout' => (int) env('RECAPTCHA_TIMEOUT', 5),
], ],
'turnstile' => [
'site_key' => env('TURNSTILE_SITE_KEY'),
'secret_key' => env('TURNSTILE_SECRET_KEY'),
'verify_url' => env('TURNSTILE_VERIFY_URL', 'https://challenges.cloudflare.com/turnstile/v0/siteverify'),
'timeout' => (int) env('TURNSTILE_TIMEOUT', 5),
],
]; ];

41
database/migrations/2026_02_21_000001_add_registration_antispam_fields_to_users_table.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration {
public function up(): void
{
Schema::table('users', function (Blueprint $table): void {
if (! Schema::hasColumn('users', 'last_verification_sent_at')) {
$table->timestamp('last_verification_sent_at')->nullable()->after('email_verified_at');
}
if (! Schema::hasColumn('users', 'verification_send_count_24h')) {
$table->unsignedInteger('verification_send_count_24h')->default(0)->after('last_verification_sent_at');
}
if (! Schema::hasColumn('users', 'verification_send_window_started_at')) {
$table->timestamp('verification_send_window_started_at')->nullable()->after('verification_send_count_24h');
}
});
}
public function down(): void
{
Schema::table('users', function (Blueprint $table): void {
if (Schema::hasColumn('users', 'verification_send_window_started_at')) {
$table->dropColumn('verification_send_window_started_at');
}
if (Schema::hasColumn('users', 'verification_send_count_24h')) {
$table->dropColumn('verification_send_count_24h');
}
if (Schema::hasColumn('users', 'last_verification_sent_at')) {
$table->dropColumn('last_verification_sent_at');
}
});
}
};

35
database/migrations/2026_02_21_000002_create_email_send_events_table.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration {
public function up(): void
{
if (Schema::hasTable('email_send_events')) {
return;
}
Schema::create('email_send_events', function (Blueprint $table): void {
$table->id();
$table->string('type', 64);
$table->string('email');
$table->string('ip', 45)->nullable();
$table->foreignId('user_id')->nullable()->constrained('users')->nullOnDelete();
$table->string('status', 32);
$table->string('reason', 64)->nullable();
$table->timestamp('created_at')->useCurrent();
$table->index('email');
$table->index('ip');
$table->index(['type', 'status']);
$table->index('created_at');
});
}
public function down(): void
{
Schema::dropIfExists('email_send_events');
}
};

27
database/migrations/2026_02_21_000003_create_system_email_quota_table.php Normal file
View File

@@ -0,0 +1,27 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration {
public function up(): void
{
if (Schema::hasTable('system_email_quota')) {
return;
}
Schema::create('system_email_quota', function (Blueprint $table): void {
$table->id();
$table->string('period', 7)->unique();
$table->unsignedInteger('sent_count')->default(0);
$table->unsignedInteger('limit_count');
$table->timestamp('updated_at')->useCurrent()->useCurrentOnUpdate();
});
}
public function down(): void
{
Schema::dropIfExists('system_email_quota');
}
};

48
database/migrations/2026_02_21_000004_rename_token_to_token_hash_in_user_verification_tokens.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
return new class extends Migration {
public function up(): void
{
if (! Schema::hasTable('user_verification_tokens')) {
return;
}
// Skip rename on SQLite (in-memory tests) — SQLite doesn't support CHANGE syntax.
try {
$driver = DB::connection()->getPdo()->getAttribute(PDO::ATTR_DRIVER_NAME);
} catch (\Throwable $e) {
$driver = null;
}
if ($driver === 'sqlite') {
return;
}
// Use raw statement to avoid requiring doctrine/dbal for simple rename
// Adjust column definition to match original migration (VARCHAR(128) NOT NULL)
DB::statement("ALTER TABLE `user_verification_tokens` CHANGE `token` `token_hash` VARCHAR(128) NOT NULL");
}
public function down(): void
{
if (! Schema::hasTable('user_verification_tokens')) {
return;
}
try {
$driver = DB::connection()->getPdo()->getAttribute(PDO::ATTR_DRIVER_NAME);
} catch (\Throwable $e) {
$driver = null;
}
if ($driver === 'sqlite') {
return;
}
DB::statement("ALTER TABLE `user_verification_tokens` CHANGE `token_hash` `token` VARCHAR(128) NOT NULL");
}
};

30
database/migrations/2026_02_21_000005_ensure_user_verification_tokens_table_exists.php Normal file
View File

@@ -0,0 +1,30 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration {
public function up(): void
{
if (Schema::hasTable('user_verification_tokens')) {
return;
}
Schema::create('user_verification_tokens', function (Blueprint $table): void {
$table->id();
$table->foreignId('user_id')->constrained('users')->cascadeOnDelete();
$table->string('token_hash', 128)->unique();
$table->timestamp('expires_at');
$table->timestamps();
$table->index(['user_id', 'expires_at']);
});
}
public function down(): void
{
// Intentionally no-op to avoid dropping an existing tokens table
// that may have been created by earlier migrations.
}
};

202
docs/registration-antispam.md Normal file
View File

@@ -0,0 +1,202 @@
# Registration Anti-Spam + Email Quota Protection
This document describes how the Skinbase email-first registration hardening works.
## Scope
Applies to the flow:
- `GET /register`
- `POST /register`
- `GET /register/notice`
- `POST /register/resend-verification`
- `GET /verify/{token}`
- `GET/POST /setup/password`
- `GET/POST /setup/username`
Primary implementation:
- `app/Http/Controllers/Auth/RegisteredUserController.php`
- `app/Http/Controllers/Auth/RegistrationVerificationController.php`
## Security Controls
### 1) IP Rate Limiting
Defined in `app/Providers/AppServiceProvider.php`:
- `register-ip`: per-minute IP limit
- `register-ip-daily`: per-day IP limit
- `register` (legacy resend route): per-minute IP + per-email key
Applied on `POST /register` in `routes/auth.php`:
- `throttle:register-ip`
- `throttle:register-ip-daily`
### 2) Per-Email Cooldown
Cooldown is enforced by user fields:
- `users.last_verification_sent_at`
- `users.verification_send_count_24h`
- `users.verification_send_window_started_at`
On repeated requests within cooldown:
- No additional verification email is queued
- Generic success message is returned
### 3) Progressive CAPTCHA (Turnstile)
Service:
- `app/Services/Security/TurnstileVerifier.php`
Controller logic (`RegisteredUserController::shouldRequireTurnstile`):
- Requires Turnstile for suspicious IP activity (attempt threshold)
- Also requires Turnstile when registration rate-limit state is detected
UI behavior (`resources/views/auth/register.blade.php`):
- Turnstile widget is only rendered when required
### 4) Disposable Domain Block
Service:
- `app/Services/Auth/DisposableEmailService.php`
Config source:
- `config/disposable_email_domains.php`
Behavior:
- Blocks known disposable domains (supports wildcard matching)
- Returns friendly validation error
### 5) Queue + Throttle + Quota Circuit Breaker
Queue job:
- `app/Jobs/SendVerificationEmailJob.php`
Behavior:
- Registration controller dispatches `SendVerificationEmailJob`
- Job applies global send throttling via `RateLimiter`
- Job checks monthly quota via `RegistrationEmailQuotaService`
- If quota exceeded: send is blocked (fail closed), event marked blocked
Quota service/model/table:
- `app/Services/Auth/RegistrationEmailQuotaService.php`
- `app/Models/SystemEmailQuota.php`
- `system_email_quota`
Send event audit:
- `app/Models/EmailSendEvent.php`
- `email_send_events`
### 6) Generic Responses (Anti-Enumeration)
The registration entry point uses a standard success message:
- `If that email is valid, we sent a verification link.`
This message is returned for:
- Unknown emails
- Existing verified emails
- Cooldown cases
- Quota-blocked paths
### 7) Verification Token Hardening
Service:
- `app/Services/Auth/RegistrationVerificationTokenService.php`
Protections:
- Token generated with high entropy (`Str::random(64)`)
- Stored hashed (`sha256`) in `user_verification_tokens`
- Expires using configured TTL
- Validation uses hash lookup + constant-time compare (`hash_equals`)
- Token deleted after successful verification (one-time use)
Verification endpoint:
- `app/Http/Controllers/Auth/RegistrationVerificationController.php`
## Configuration
Main registration config:
- `config/registration.php`
Key settings:
- `ip_per_minute_limit`
- `ip_per_day_limit`
- `email_per_minute_limit`
- `email_cooldown_minutes`
- `verify_token_ttl_hours`
- `enable_turnstile`
- `disposable_domains_enabled`
- `turnstile_suspicious_attempts`
- `turnstile_attempt_window_minutes`
- `email_global_send_per_minute`
- `monthly_email_limit`
- `generic_success_message`
Turnstile config:
- `config/services.php` under `turnstile`
Environment examples:
- `.env.example` contains all registration anti-spam keys
## Database Objects
Added for anti-spam/quota support:
- Migration: `2026_02_21_000001_add_registration_antispam_fields_to_users_table.php`
- Migration: `2026_02_21_000002_create_email_send_events_table.php`
- Migration: `2026_02_21_000003_create_system_email_quota_table.php`
- Migration: `2026_02_20_191000_add_registration_phase1_schema.php` (creates `user_verification_tokens`)
- Migration: `2026_02_21_000004_rename_token_to_token_hash_in_user_verification_tokens.php` (schema hardening)
- Migration: `2026_02_21_000005_ensure_user_verification_tokens_table_exists.php` (rollout safety)
## Test Coverage
Primary tests:
- `tests/Feature/Auth/RegistrationAntiSpamTest.php`
- `tests/Feature/Auth/RegistrationNoticeResendTest.php`
- `tests/Feature/Auth/RegistrationQuotaCircuitBreakerTest.php`
- `tests/Feature/Auth/RegistrationTokenVerificationTest.php`
- `tests/Feature/Auth/RegistrationFlowChecklistTest.php`
- `tests/Feature/Auth/RegistrationVerificationMailTest.php`
Covered scenarios:
- IP rate-limit returns `429`
- Cooldown suppresses extra sends
- Disposable domains blocked
- Quota exceeded blocks send and keeps generic success UX
- Turnstile required on abuse/rate-limit state
- Tokens hashed, expire, and are one-time
- Responses avoid account enumeration
## Operations Notes
- Keep disposable domain list maintained in `config/disposable_email_domains.php`.
- Ensure queue workers process the `mail` queue.
- Monitor `email_send_events` for blocked/sent patterns.
- Set `REGISTRATION_MONTHLY_EMAIL_LIMIT` based on provider quota.
- Configure `TURNSTILE_SITE_KEY` and `TURNSTILE_SECRET_KEY` in production.

7
resources/views/auth/register.blade.php
View File

@@ -17,8 +17,8 @@
<x-input-error :messages="$errors->get('email')" class="mt-2" /> <x-input-error :messages="$errors->get('email')" class="mt-2" />
</div> </div>
@if(config('services.recaptcha.enabled')) @if(($requiresTurnstile ?? false) && ($turnstileSiteKey ?? '') !== '')
<input type="hidden" name="g-recaptcha-response" value="{{ old('g-recaptcha-response') }}" /> <div class="cf-turnstile" data-sitekey="{{ $turnstileSiteKey }}"></div>
<x-input-error :messages="$errors->get('captcha')" class="mt-2" /> <x-input-error :messages="$errors->get('captcha')" class="mt-2" />
@endif @endif
@@ -29,4 +29,7 @@
</div> </div>
</div> </div>
</div> </div>
@if(($requiresTurnstile ?? false) && ($turnstileSiteKey ?? '') !== '')
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
@endif
@endsection @endsection

2
resources/views/dashboard.blade.php
View File

@@ -1,4 +1,4 @@
@extends('layouts.legacy') @extends('layouts.nova')
@section('content') @section('content')
<div class="container"> <div class="container">

2
routes/auth.php
View File

@@ -22,7 +22,7 @@ Route::middleware(['guest', 'normalize.username'])->group(function () {
->name('register.notice'); ->name('register.notice');
Route::post('register', [RegisteredUserController::class, 'store']) Route::post('register', [RegisteredUserController::class, 'store'])
->middleware('throttle:register'); ->middleware(['throttle:register-ip', 'throttle:register-ip-daily']);
Route::post('register/resend-verification', [RegisteredUserController::class, 'resendVerification']) Route::post('register/resend-verification', [RegisteredUserController::class, 'resendVerification'])
->middleware('throttle:register') ->middleware('throttle:register')

114
tests/Feature/Auth/RegistrationAntiSpamTest.php
View File

@@ -1,14 +1,16 @@
<?php <?php
use App\Services\Security\RecaptchaVerifier; use App\Jobs\SendVerificationEmailJob;
use App\Models\User;
use App\Services\Security\TurnstileVerifier;
use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Mail; use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\RateLimiter; use Illuminate\Support\Facades\RateLimiter;
uses(RefreshDatabase::class); uses(RefreshDatabase::class);
it('rejects registration when honeypot field is filled', function () { it('rejects registration when honeypot field is filled', function () {
Mail::fake(); Queue::fake();
$response = $this->from('/register')->post('/register', [ $response = $this->from('/register')->post('/register', [
'email' => 'bot1@example.com', 'email' => 'bot1@example.com',
@@ -21,9 +23,9 @@ it('rejects registration when honeypot field is filled', function () {
}); });
it('throttles excessive registration attempts by ip', function () { it('throttles excessive registration attempts by ip', function () {
Mail::fake(); Queue::fake();
config()->set('antispam.register.ip_per_minute', 2); config()->set('registration.ip_per_minute_limit', 2);
config()->set('antispam.register.email_per_minute', 20); config()->set('registration.ip_per_day_limit', 100);
for ($i = 0; $i < 2; $i++) { for ($i = 0; $i < 2; $i++) {
$this->post('/register', [ $this->post('/register', [
@@ -36,19 +38,37 @@ it('throttles excessive registration attempts by ip', function () {
])->assertStatus(429); ])->assertStatus(429);
RateLimiter::clear('register:ip:127.0.0.1'); RateLimiter::clear('register:ip:127.0.0.1');
RateLimiter::clear('register:ip:daily:127.0.0.1');
}); });
it('rejects registration when recaptcha is enabled and verification fails', function () { it('blocks disposable email domains during registration', function () {
Mail::fake(); Queue::fake();
config()->set('registration.disposable_domains_enabled', true);
config()->set('disposable_email_domains.domains', ['tempmail.com']);
$mock = \Mockery::mock(RecaptchaVerifier::class); $response = $this->from('/register')->post('/register', [
'email' => 'bot@tempmail.com',
]);
$response->assertRedirect('/register');
$response->assertSessionHasErrors('email');
$this->assertDatabaseMissing('users', ['email' => 'bot@tempmail.com']);
});
it('requires turnstile after suspicious registration attempts', function () {
Queue::fake();
config()->set('registration.enable_turnstile', true);
config()->set('registration.turnstile_suspicious_attempts', 1);
config()->set('services.turnstile.site_key', 'site-key');
config()->set('services.turnstile.secret_key', 'secret-key');
$mock = \Mockery::mock(TurnstileVerifier::class);
$mock->shouldReceive('isEnabled')->andReturn(true); $mock->shouldReceive('isEnabled')->andReturn(true);
$mock->shouldReceive('verify')->once()->andReturn(false); $mock->shouldReceive('verify')->once()->andReturn(false);
$this->app->instance(RecaptchaVerifier::class, $mock); $this->app->instance(TurnstileVerifier::class, $mock);
$response = $this->from('/register')->post('/register', [ $response = $this->from('/register')->post('/register', [
'email' => 'captcha-user@example.com', 'email' => 'captcha-user@example.com',
'g-recaptcha-response' => 'bad-token',
]); ]);
$response->assertRedirect('/register'); $response->assertRedirect('/register');
@@ -56,17 +76,79 @@ it('rejects registration when recaptcha is enabled and verification fails', func
$this->assertDatabaseMissing('users', ['email' => 'captcha-user@example.com']); $this->assertDatabaseMissing('users', ['email' => 'captcha-user@example.com']);
}); });
it('allows registration when recaptcha is enabled and verification succeeds', function () { it('shows turnstile when ip is in rate-limited state', function () {
Mail::fake(); config()->set('registration.enable_turnstile', true);
config()->set('registration.ip_per_minute_limit', 1);
config()->set('services.turnstile.site_key', 'site-key');
config()->set('services.turnstile.secret_key', 'secret-key');
$mock = \Mockery::mock(RecaptchaVerifier::class); RateLimiter::hit('register:ip:127.0.0.1', 60);
$this->get('/register')
->assertOk()
->assertSee('cf-turnstile', false);
RateLimiter::clear('register:ip:127.0.0.1');
});
it('enforces verification email cooldown per address', function () {
Queue::fake();
$this->post('/register', [
'email' => 'cooldown2@example.com',
])->assertRedirect('/register/notice');
$response = $this->post('/register', [
'email' => 'cooldown2@example.com',
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertPushed(SendVerificationEmailJob::class, 1);
});
it('returns generic success for existing verified emails (anti-enumeration)', function () {
Queue::fake();
User::factory()->create([
'email' => 'existing@example.com',
'email_verified_at' => now(),
'onboarding_step' => 'complete',
'is_active' => true,
]);
$response = $this->post('/register', [
'email' => 'existing@example.com',
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertNothingPushed();
});
it('still allows registration when turnstile passes', function () {
Queue::fake();
config()->set('registration.enable_turnstile', true);
config()->set('registration.turnstile_suspicious_attempts', 1);
config()->set('services.turnstile.site_key', 'site-key');
config()->set('services.turnstile.secret_key', 'secret-key');
$mock = \Mockery::mock(TurnstileVerifier::class);
$mock->shouldReceive('isEnabled')->andReturn(true); $mock->shouldReceive('isEnabled')->andReturn(true);
$mock->shouldReceive('verify')->once()->andReturn(false);
$mock->shouldReceive('verify')->once()->andReturn(true); $mock->shouldReceive('verify')->once()->andReturn(true);
$this->app->instance(RecaptchaVerifier::class, $mock); $this->app->instance(TurnstileVerifier::class, $mock);
$first = $this->from('/register')->post('/register', [
'email' => 'captcha-block@example.com',
]);
$first->assertRedirect('/register');
$first->assertSessionHasErrors('captcha');
$response = $this->post('/register', [ $response = $this->post('/register', [
'email' => 'captcha-pass@example.com', 'email' => 'captcha-pass@example.com',
'g-recaptcha-response' => 'good-token', 'cf-turnstile-response' => 'good-token',
]); ]);
$response->assertRedirect('/register/notice'); $response->assertRedirect('/register/notice');

29
tests/Feature/Auth/RegistrationFlowChecklistTest.php
View File

@@ -2,13 +2,14 @@
use App\Models\User; use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\DB; use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Mail; use App\Jobs\SendVerificationEmailJob;
uses(RefreshDatabase::class); uses(RefreshDatabase::class);
it('completes happy path registration onboarding flow', function () { it('completes happy path registration onboarding flow', function () {
Mail::fake(); Queue::fake();
$register = $this->post('/register', [ $register = $this->post('/register', [
'email' => 'flow-user@example.com', 'email' => 'flow-user@example.com',
@@ -19,9 +20,12 @@ it('completes happy path registration onboarding flow', function () {
$user = User::query()->where('email', 'flow-user@example.com')->firstOrFail(); $user = User::query()->where('email', 'flow-user@example.com')->firstOrFail();
expect($user->onboarding_step)->toBe('email'); expect($user->onboarding_step)->toBe('email');
$token = (string) DB::table('user_verification_tokens') $token = null;
->where('user_id', $user->id) Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$token) {
->value('token'); $token = $job->token;
return true;
});
$this->get('/verify/' . $token)->assertRedirect('/setup/password'); $this->get('/verify/' . $token)->assertRedirect('/setup/password');
@@ -58,9 +62,10 @@ it('rejects expired verification token', function () {
'is_active' => false, 'is_active' => false,
]); ]);
$column = \Illuminate\Support\Facades\Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([ DB::table('user_verification_tokens')->insert([
'user_id' => $user->id, 'user_id' => $user->id,
'token' => 'expired-checklist-token', $column => hash('sha256', 'expired-checklist-token'),
'expires_at' => now()->subHour(), 'expires_at' => now()->subHour(),
'created_at' => now(), 'created_at' => now(),
'updated_at' => now(), 'updated_at' => now(),
@@ -74,16 +79,22 @@ it('rejects expired verification token', function () {
}); });
it('rejects duplicate email at registration', function () { it('rejects duplicate email at registration', function () {
Queue::fake();
User::factory()->create([ User::factory()->create([
'email' => 'duplicate-check@example.com', 'email' => 'duplicate-check@example.com',
'email_verified_at' => now(),
'onboarding_step' => 'complete',
'is_active' => true,
]); ]);
$response = $this->from('/register')->post('/register', [ $response = $this->post('/register', [
'email' => 'duplicate-check@example.com', 'email' => 'duplicate-check@example.com',
]); ]);
$response->assertRedirect('/register'); $response->assertRedirect('/register/notice');
$response->assertSessionHasErrors('email'); $response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertNothingPushed();
}); });
it('rejects username conflict during username setup', function () { it('rejects username conflict during username setup', function () {

30
tests/Feature/Auth/RegistrationNoticeResendTest.php
View File

@@ -1,15 +1,14 @@
<?php <?php
use App\Mail\RegistrationVerificationMail; use App\Jobs\SendVerificationEmailJob;
use App\Models\User; use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Cache; use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\Mail;
uses(RefreshDatabase::class); uses(RefreshDatabase::class);
it('shows registration notice with email after first step', function () { it('shows registration notice with email after first step', function () {
Mail::fake(); Queue::fake();
$this->post('/register', [ $this->post('/register', [
'email' => 'notice@example.com', 'email' => 'notice@example.com',
@@ -28,33 +27,40 @@ it('prefills register form email from query string', function () {
}); });
it('blocks resend while cooldown is active', function () { it('blocks resend while cooldown is active', function () {
Mail::fake(); Queue::fake();
$this->post('/register', [ $this->post('/register', [
'email' => 'cooldown@example.com', 'email' => 'cooldown@example.com',
])->assertRedirect('/register/notice'); ])->assertRedirect('/register/notice');
$this->from('/register/notice')->post('/register/resend-verification', [ $response = $this->from('/register/notice')->post('/register/resend-verification', [
'email' => 'cooldown@example.com', 'email' => 'cooldown@example.com',
])->assertRedirect('/register/notice') ]);
->assertSessionHasErrors('email');
$response->assertRedirect('/register/notice');
$response->assertSessionHasNoErrors();
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertPushed(SendVerificationEmailJob::class, 1);
}); });
it('resends verification after cooldown expires', function () { it('resends verification after cooldown expires', function () {
Mail::fake(); Queue::fake();
$this->post('/register', [ $this->post('/register', [
'email' => 'resend@example.com', 'email' => 'resend@example.com',
])->assertRedirect('/register/notice'); ])->assertRedirect('/register/notice');
$key = 'register:resend:cooldown:' . sha1('resend@example.com'); $user = User::query()->where('email', 'resend@example.com')->firstOrFail();
Cache::forget($key); $user->forceFill([
'last_verification_sent_at' => now()->subMinutes(31),
])->save();
$this->post('/register/resend-verification', [ $this->post('/register/resend-verification', [
'email' => 'resend@example.com', 'email' => 'resend@example.com',
])->assertRedirect('/register/notice'); ])->assertRedirect('/register/notice');
Mail::assertQueued(RegistrationVerificationMail::class, 2); Queue::assertPushed(SendVerificationEmailJob::class, 2);
expect(User::query()->where('email', 'resend@example.com')->exists())->toBeTrue(); expect(User::query()->where('email', 'resend@example.com')->exists())->toBeTrue();
}); });

67
tests/Feature/Auth/RegistrationQuotaCircuitBreakerTest.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
use App\Jobs\SendVerificationEmailJob;
use App\Services\Auth\RegistrationEmailQuotaService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\DB;
uses(RefreshDatabase::class);
it('returns generic success even when quota is exceeded', function () {
Queue::fake();
DB::table('system_email_quota')->insert([
'period' => now()->format('Y-m'),
'sent_count' => 10,
'limit_count' => 10,
'updated_at' => now(),
]);
$response = $this->post('/register', [
'email' => 'quota-hit@example.com',
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertPushed(SendVerificationEmailJob::class);
});
it('blocks actual send in job when monthly quota is exceeded', function () {
Mail::fake();
DB::table('system_email_quota')->insert([
'period' => now()->format('Y-m'),
'sent_count' => 10,
'limit_count' => 10,
'updated_at' => now(),
]);
$eventId = DB::table('email_send_events')->insertGetId([
'type' => 'verify_email',
'email' => 'quota-block@example.com',
'ip' => '127.0.0.1',
'user_id' => null,
'status' => 'queued',
'reason' => null,
'created_at' => now(),
]);
$job = new SendVerificationEmailJob(
emailEventId: (int) $eventId,
email: 'quota-block@example.com',
token: 'raw-token',
userId: null,
ip: '127.0.0.1'
);
$job->handle(app(RegistrationEmailQuotaService::class));
Mail::assertNothingSent();
$this->assertDatabaseHas('email_send_events', [
'id' => $eventId,
'status' => 'blocked',
'reason' => 'quota',
]);
});

8
tests/Feature/Auth/RegistrationTest.php
View File

@@ -1,7 +1,7 @@
<?php <?php
use App\Mail\RegistrationVerificationMail; use App\Jobs\SendVerificationEmailJob;
use Illuminate\Support\Facades\Mail; use Illuminate\Support\Facades\Queue;
test('registration screen can be rendered', function () { test('registration screen can be rendered', function () {
$response = $this->get('/register'); $response = $this->get('/register');
@@ -14,7 +14,7 @@ test('registration screen can be rendered', function () {
}); });
test('new users can register', function () { test('new users can register', function () {
Mail::fake(); Queue::fake();
$response = $this->post('/register', [ $response = $this->post('/register', [
'email' => 'test@example.com', 'email' => 'test@example.com',
@@ -33,5 +33,5 @@ test('new users can register', function () {
'user_id' => (int) \App\Models\User::query()->where('email', 'test@example.com')->value('id'), 'user_id' => (int) \App\Models\User::query()->where('email', 'test@example.com')->value('id'),
]); ]);
Mail::assertQueued(RegistrationVerificationMail::class); Queue::assertPushed(SendVerificationEmailJob::class);
}); });

61
tests/Feature/Auth/RegistrationTokenVerificationTest.php
View File

@@ -1,11 +1,39 @@
<?php <?php
use App\Jobs\SendVerificationEmailJob;
use App\Models\User; use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB; use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\Facades\Queue;
uses(RefreshDatabase::class); uses(RefreshDatabase::class);
it('stores verification tokens hashed instead of raw token', function () {
Queue::fake();
$this->post('/register', [
'email' => 'token-hash@example.com',
])->assertRedirect('/register/notice');
$rawToken = null;
Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$rawToken) {
$rawToken = $job->token;
return true;
});
$userId = (int) User::query()->where('email', 'token-hash@example.com')->value('id');
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
$storedToken = (string) DB::table('user_verification_tokens')
->where('user_id', $userId)
->value($column);
expect($rawToken)->not->toBeNull();
expect($storedToken)->toBe(hash('sha256', (string) $rawToken));
expect($storedToken)->not->toBe((string) $rawToken);
});
it('verifies token and redirects to password setup', function () { it('verifies token and redirects to password setup', function () {
$user = User::factory()->create([ $user = User::factory()->create([
'email_verified_at' => null, 'email_verified_at' => null,
@@ -13,9 +41,10 @@ it('verifies token and redirects to password setup', function () {
'is_active' => false, 'is_active' => false,
]); ]);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([ DB::table('user_verification_tokens')->insert([
'user_id' => $user->id, 'user_id' => $user->id,
'token' => 'verify-token-1', $column => hash('sha256', 'verify-token-1'),
'expires_at' => now()->addHour(), 'expires_at' => now()->addHour(),
'created_at' => now(), 'created_at' => now(),
'updated_at' => now(), 'updated_at' => now(),
@@ -33,7 +62,8 @@ it('verifies token and redirects to password setup', function () {
]); ]);
expect($user->fresh()->email_verified_at)->not->toBeNull(); expect($user->fresh()->email_verified_at)->not->toBeNull();
$this->assertDatabaseMissing('user_verification_tokens', ['token' => 'verify-token-1']); $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
$this->assertDatabaseMissing('user_verification_tokens', [$column => hash('sha256', 'verify-token-1')]);
}); });
it('rejects expired token', function () { it('rejects expired token', function () {
@@ -43,9 +73,10 @@ it('rejects expired token', function () {
'is_active' => false, 'is_active' => false,
]); ]);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([ DB::table('user_verification_tokens')->insert([
'user_id' => $user->id, 'user_id' => $user->id,
'token' => 'expired-token-1', $column => hash('sha256', 'expired-token-1'),
'expires_at' => now()->subMinute(), 'expires_at' => now()->subMinute(),
'created_at' => now(), 'created_at' => now(),
'updated_at' => now(), 'updated_at' => now(),
@@ -72,3 +103,27 @@ it('rejects unknown token', function () {
$response->assertSessionHasErrors('email'); $response->assertSessionHasErrors('email');
$this->assertGuest(); $this->assertGuest();
}); });
it('rejects token reuse after successful verification', function () {
$user = User::factory()->create([
'email_verified_at' => null,
'onboarding_step' => 'email',
'is_active' => false,
]);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([
'user_id' => $user->id,
$column => hash('sha256', 'one-time-token'),
'expires_at' => now()->addHour(),
'created_at' => now(),
'updated_at' => now(),
]);
$this->get('/verify/one-time-token')->assertRedirect('/setup/password');
auth()->logout();
$secondTry = $this->from('/login')->get('/verify/one-time-token');
$secondTry->assertRedirect('/login');
$secondTry->assertSessionHasErrors('email');
});

8
tests/Feature/Auth/RegistrationVerificationMailTest.php
View File

@@ -1,8 +1,10 @@
<?php <?php
use App\Jobs\SendVerificationEmailJob;
use App\Mail\RegistrationVerificationMail; use App\Mail\RegistrationVerificationMail;
use Illuminate\Contracts\Queue\ShouldQueue; use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
uses(RefreshDatabase::class); uses(RefreshDatabase::class);
@@ -28,14 +30,14 @@ it('registration email contains verification link expiry and support url', funct
expect($html)->toContain('https://skinbase.example/support'); expect($html)->toContain('https://skinbase.example/support');
}); });
it('registration endpoint still queues verification mail', function () { it('registration endpoint queues verification email job', function () {
\Illuminate\Support\Facades\Mail::fake(); Queue::fake();
$this->post('/register', [ $this->post('/register', [
'email' => 'mail-test@example.com', 'email' => 'mail-test@example.com',
])->assertRedirect('/register/notice'); ])->assertRedirect('/register/notice');
\Illuminate\Support\Facades\Mail::assertQueued(RegistrationVerificationMail::class); Queue::assertPushed(SendVerificationEmailJob::class);
$this->assertDatabaseHas('users', [ $this->assertDatabaseHas('users', [
'email' => 'mail-test@example.com', 'email' => 'mail-test@example.com',
'onboarding_step' => 'email', 'onboarding_step' => 'email',