create([ 'email_verified_at' => null, 'onboarding_step' => 'email', 'is_active' => false, ]); DB::table('user_verification_tokens')->insert([ 'user_id' => $user->id, 'token' => 'verify-token-1', 'expires_at' => now()->addHour(), 'created_at' => now(), 'updated_at' => now(), ]); $response = $this->get('/verify/verify-token-1'); $response->assertRedirect('/setup/password'); $this->assertAuthenticatedAs($user->fresh()); $this->assertDatabaseHas('users', [ 'id' => $user->id, 'onboarding_step' => 'verified', 'is_active' => 1, ]); expect($user->fresh()->email_verified_at)->not->toBeNull(); $this->assertDatabaseMissing('user_verification_tokens', ['token' => 'verify-token-1']); }); it('rejects expired token', function () { $user = User::factory()->create([ 'email_verified_at' => null, 'onboarding_step' => 'email', 'is_active' => false, ]); DB::table('user_verification_tokens')->insert([ 'user_id' => $user->id, 'token' => 'expired-token-1', 'expires_at' => now()->subMinute(), 'created_at' => now(), 'updated_at' => now(), ]); $response = $this->from('/login')->get('/verify/expired-token-1'); $response->assertRedirect('/login'); $response->assertSessionHasErrors('email'); $this->assertGuest(); $this->assertDatabaseHas('users', [ 'id' => $user->id, 'onboarding_step' => 'email', 'is_active' => 0, ]); expect($user->fresh()->email_verified_at)->toBeNull(); }); it('rejects unknown token', function () { $response = $this->from('/login')->get('/verify/not-real-token'); $response->assertRedirect('/login'); $response->assertSessionHasErrors('email'); $this->assertGuest(); });