From df67252078af1176127e432dca2aaba053551253 Mon Sep 17 00:00:00 2001 From: Gregor Klevze Date: Sat, 21 Feb 2026 12:14:22 +0100 Subject: [PATCH] fix --- PR_REGISTRATION_ANTISPAM.md | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 PR_REGISTRATION_ANTISPAM.md diff --git a/PR_REGISTRATION_ANTISPAM.md b/PR_REGISTRATION_ANTISPAM.md new file mode 100644 index 00000000..295b86bf --- /dev/null +++ b/PR_REGISTRATION_ANTISPAM.md 
@@ -0,0 +1,43 @@ +# PR Title +feat(auth): complete registration anti-spam + email quota protection + +## Summary +Implements the registration anti-spam and quota hardening spec end-to-end for the email-first onboarding flow. + +### What changed +- Added registration anti-spam config and disposable domain config. +- Added progressive Turnstile verification service and wiring. +- Added registration rate limiters and route middleware (`register-ip`, `register-ip-daily`). +- Implemented per-email cooldown and generic anti-enumeration responses. +- Added queued verification sending job with global throttle + quota circuit breaker. +- Added quota and disposable-domain services. +- Hardened verification tokens (hashed storage lookup, expiry, one-time use). +- Added/updated migrations: + - cooldown fields on `users` + - `email_send_events` + - `system_email_quota` + - token column hardening (`token` -> `token_hash`) + - rollout safety migration to ensure `user_verification_tokens` table exists +- Added models: `EmailSendEvent`, `SystemEmailQuota`. +- Added/updated auth registration tests and runbook docs. + +## Verification +- `php artisan migrate` ✅ +- `php artisan test` ✅ +- Focused token hardening tests ✅ (`RegistrationTokenVerificationTest`) + +## Notes +- Current local branch: `feat/registration-antispam-complete` +- Local commit: `b239af9` +- Push/PR creation is currently blocked because this repo has no configured git remote and `gh` CLI is not installed. + +## Commands to finish PR after remote setup +```bash +git remote add origin +git push -u origin feat/registration-antispam-complete +``` + +Then open PR in your Git host UI using: +- Base: `main` (or your default branch) +- Compare: `feat/registration-antispam-complete` +- Body: copy this file
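Review bot: The `## Notes` and `## Commands to finish PR after remote setup` sections of the new PR_REGISTRATION_ANTISPAM.md record local workstation state (branch name, local commit `b239af9`, no configured remote, no `gh` CLI) rather than anything about the change, and `git remote add origin` is missing its URL argument, so the command fails as written. Suggest dropping both sections from the committed file and keeping the description in the PR body instead of the tree. The commit touches only this one file (1 file changed, 43 insertions), while the summary lists config, middleware, migrations, models and tests, so none of the listed hardening or the `php artisan test` result can be reviewed from this patch. The subject `fix` should also name the change. For the `token` -> `token_hash` item, please document what happens to verification tokens issued before the migration (invalidated or hashed in place), and state the limits behind `register-ip` and `register-ip-daily` so they can be checked against the email quota circuit breaker.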