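post('/register', [
        'email' => 'token-hash@example.com',
    ])->assertRedirect('/register/notice');

    $rawToken = null;
    Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$rawToken) {
        $rawToken = $job->token;

        return true;
    });

    $userId = (int) User::query()->where('email', 'token-hash@example.com')->value('id');
    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
    $storedToken = (string) DB::table('user_verification_tokens')
        ->where('user_id', $userId)
        ->value($column);

    expect($rawToken)->not->toBeNull();
    expect($storedToken)->toBe(hash('sha256', (string) $rawToken));
    expect($storedToken)->not->toBe((string) $rawToken);
});

it('verifies token and redirects to password setup', function () {
    // A freshly registered account: unverified, parked at the e-mail onboarding step, inactive.
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    // The digest column is `token_hash` on some schema versions and `token` on others; resolve it
    // once and reuse it below (the original recomputed it before the final assertion). Only the
    // SHA-256 digest is ever persisted, so the seeded row must hold the hash, not the raw token.
    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';

    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        $column => hash('sha256', 'verify-token-1'),
        'expires_at' => now()->addHour(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    // Redeeming the raw token from the link must log the user in and advance onboarding.
    $response = $this->get('/verify/verify-token-1');

    $response->assertRedirect('/setup/password');
    $this->assertAuthenticatedAs($user->fresh());
    $this->assertDatabaseHas('users', [
        'id' => $user->id,
        'onboarding_step' => 'verified',
        'is_active' => 1,
    ]);
    expect($user->fresh()->email_verified_at)->not->toBeNull();

    // The token is single-use: its row must be gone once it has been redeemed.
    $this->assertDatabaseMissing('user_verification_tokens', [$column => hash('sha256', 'verify-token-1')]);
});

it('rejects expired token', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';

    // Seed a token whose `expires_at` is already in the past.
    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        $column => hash('sha256', 'expired-token-1'),
        'expires_at' => now()->subMinute(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $response = $this->from('/login')->get('/verify/expired-token-1');

    // An expired token must not authenticate the user nor change the account in any way.
    $response->assertRedirect('/login');
    $response->assertSessionHasErrors('email');
    $this->assertGuest();
    $this->assertDatabaseHas('users', [
        'id' => $user->id,
        'onboarding_step' => 'email',
        'is_active' => 0,
    ]);
    expect($user->fresh()->email_verified_at)->toBeNull();
});

it('rejects unknown token', function () {
    // A token with no matching row is handled like an expired one: back to /login, still a guest.
    $response = $this->from('/login')->get('/verify/not-real-token');

    $response->assertRedirect('/login');
    $response->assertSessionHasErrors('email');
    $this->assertGuest();
});

it('rejects token reuse after successful verification', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';

    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        $column => hash('sha256', 'one-time-token'),
        'expires_at' => now()->addHour(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    // First redemption succeeds.
    $this->get('/verify/one-time-token')->assertRedirect('/setup/password');

    // Drop the session so the second request is a genuine replay of the link, not a logged-in visit.
    auth()->logout();

    // Replaying a consumed token must fail exactly like an unknown one.
    $secondTry = $this->from('/login')->get('/verify/one-time-token');

    $secondTry->assertRedirect('/login');
    $secondTry->assertSessionHasErrors('email');
});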