SkinbaseNova/PR_REGISTRATION_ANTISPAM.md
2026-02-21 12:14:22 +01:00

PR Title

feat(auth): complete registration anti-spam + email quota protection

Summary

Implements the registration anti-spam and quota hardening spec end-to-end for the email-first onboarding flow.

What changed

  • Added registration anti-spam config and disposable domain config.
  • Added progressive Turnstile verification service and wiring.
  • Added registration rate limiters and route middleware (register-ip, register-ip-daily).
  • Implemented per-email cooldown and generic anti-enumeration responses.
  • Added queued verification sending job with global throttle + quota circuit breaker.
  • Added quota and disposable-domain services.
  • Hardened verification tokens (hashed storage lookup, expiry, one-time use).
  • Added/updated migrations:
    • cooldown fields on users
    • email_send_events
    • system_email_quota
    • token column hardening (token -> token_hash)
    • rollout safety migration to ensure user_verification_tokens table exists
  • Added models: EmailSendEvent, SystemEmailQuota.
  • Added/updated auth registration tests and runbook docs.
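
Added example, not code from this PR: a framework-free PHP sketch of what "hashed storage lookup, expiry, one-time use" means for a verification token. The class name, the in-memory array standing in for user_verification_tokens, and every column name except token_hash are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the user_verification_tokens table, keyed by token_hash.
// Column names other than token_hash are assumptions for this sketch.
final class VerificationTokenStore
{
    /** @var array<string, array{user_id:int, expires_at:int, used_at:?int}> */
    private array $rows = [];

    // Returns the plaintext token to e-mail; only its SHA-256 hash is kept,
    // so a leaked table does not yield usable verification links.
    public function issue(int $userId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = [
            'user_id'    => $userId,
            'expires_at' => $now + $ttlSeconds,
            'used_at'    => null,
        ];
        return $token;
    }

    // Returns the user id on success, null for unknown, expired or used tokens.
    public function consume(string $token, int $now): ?int
    {
        $hash = hash('sha256', $token);   // look up by hash, never by plaintext
        $row  = $this->rows[$hash] ?? null;
        if ($row === null || $row['used_at'] !== null || $now >= $row['expires_at']) {
            return null;                  // one generic failure for every cause
        }
        // One-time use. Against a real database this must be a single atomic
        // UPDATE ... WHERE used_at IS NULL so two parallel requests cannot both win.
        $this->rows[$hash]['used_at'] = $now;
        return $row['user_id'];
    }
}

$store = new VerificationTokenStore();
$now   = 1700000000;                      // constructed clock value
$token = $store->issue(42, 3600, $now);   // constructed user id and TTL

var_dump($store->consume($token, $now + 10));                  // first use
var_dump($store->consume($token, $now + 20));                  // replay
var_dump($store->consume($store->issue(7, 60, $now), $now + 61)); // expired
var_dump($store->consume(str_repeat('0', 64), $now));          // unknown token
```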

Verification

  • php artisan migrate
  • php artisan test
  • Focused token hardening tests (RegistrationTokenVerificationTest)

Notes

  • Current local branch: feat/registration-antispam-complete
  • Local commit: b239af9
  • Push/PR creation is currently blocked because this repo has no configured git remote and gh CLI is not installed.

Commands to finish PR after remote setup

git remote add origin <your-repo-url>
git push -u origin feat/registration-antispam-complete

Then open PR in your Git host UI using:

  • Base: main (or your default branch)
  • Compare: feat/registration-antispam-complete
  • Body: copy this file