SkinbaseNova/tests/Feature/Auth/RegistrationTokenVerificationTest.php

<?php

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;

uses(RefreshDatabase::class);

it('verifies token and redirects to password setup', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        'token' => 'verify-token-1',
        'expires_at' => now()->addHour(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $response = $this->get('/verify/verify-token-1');

    $response->assertRedirect('/setup/password');
    $this->assertAuthenticatedAs($user->fresh());

    $this->assertDatabaseHas('users', [
        'id' => $user->id,
        'onboarding_step' => 'verified',
        'is_active' => 1,
    ]);

    expect($user->fresh()->email_verified_at)->not->toBeNull();
    $this->assertDatabaseMissing('user_verification_tokens', ['token' => 'verify-token-1']);
});

it('rejects expired token', function () {
    $user = User::factory()->create([
        'email_verified_at' => null,
        'onboarding_step' => 'email',
        'is_active' => false,
    ]);

    DB::table('user_verification_tokens')->insert([
        'user_id' => $user->id,
        'token' => 'expired-token-1',
        'expires_at' => now()->subMinute(),
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $response = $this->from('/login')->get('/verify/expired-token-1');

    $response->assertRedirect('/login');
    $response->assertSessionHasErrors('email');
    $this->assertGuest();

    $this->assertDatabaseHas('users', [
        'id' => $user->id,
        'onboarding_step' => 'email',
        'is_active' => 0,
    ]);
    expect($user->fresh()->email_verified_at)->toBeNull();
});

it('rejects unknown token', function () {
    $response = $this->from('/login')->get('/verify/not-real-token');

    $response->assertRedirect('/login');
    $response->assertSessionHasErrors('email');
    $this->assertGuest();
});