SkinbaseNova/tests/Feature/Auth/RegistrationTokenVerificationTest.php

<?php

use App\Jobs\SendVerificationEmailJob;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\Facades\Queue;

uses(RefreshDatabase::class);

it('stores verification tokens hashed instead of raw token', function () {
    Queue::fake();

    $this->post('/register', [
        'email' => 'token-hash@example.com',
    ])->assertRedirect('/register/notice');

    $rawToken = null;
    Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$rawToken) {
        $rawToken = $job->token;

        return true;
    });

    $userId = (int) User::query()->where('email', 'token-hash@example.com')->value('id');
    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
    $storedToken = (string) DB::table('user_verification_tokens')
        ->where('user_id', $userId)
        ->value($column);

    expect($rawToken)->not->toBeNull();
    expect($storedToken)->toBe(hash('sha256', (string) $rawToken));
    expect($storedToken)->not->toBe((string) $rawToken);
});

it('verifies token and redirects to password setup', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        $column => hash('sha256', 'verify-token-1'),
        'expires_at' => now()->addHour(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $response = $this->get('/verify/verify-token-1');

    $response->assertRedirect('/setup/password');
    $this->assertAuthenticatedAs($user->fresh());

    $this->assertDatabaseHas('users', [
        'id' => $user->id,
        'onboarding_step' => 'verified',
        'is_active' => 1,
    ]);

    expect($user->fresh()->email_verified_at)->not->toBeNull();
    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
    $this->assertDatabaseMissing('user_verification_tokens', [$column => hash('sha256', 'verify-token-1')]);
});

it('rejects expired token', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        $column => hash('sha256', 'expired-token-1'),
        'expires_at' => now()->subMinute(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $response = $this->from('/login')->get('/verify/expired-token-1');

    $response->assertRedirect('/login');
    $response->assertSessionHasErrors('email');
    $this->assertGuest();

    $this->assertDatabaseHas('users', [
        'id' => $user->id,
        'onboarding_step' => 'email',
        'is_active' => 0,
    ]);
    expect($user->fresh()->email_verified_at)->toBeNull();
});

it('rejects unknown token', function () {
    $response = $this->from('/login')->get('/verify/not-real-token');

    $response->assertRedirect('/login');
    $response->assertSessionHasErrors('email');
    $this->assertGuest();
});

it('rejects token reuse after successful verification', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        $column => hash('sha256', 'one-time-token'),
        'expires_at' => now()->addHour(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $this->get('/verify/one-time-token')->assertRedirect('/setup/password');
    auth()->logout();

    $secondTry = $this->from('/login')->get('/verify/one-time-token');
    $secondTry->assertRedirect('/login');
    $secondTry->assertSessionHasErrors('email');
});