feat(auth): complete registration anti-spam and quota hardening

app/Services/Auth/RegistrationVerificationTokenService.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace App\Services\Auth;
+
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Str;
+
+class RegistrationVerificationTokenService
+{
+    public function createForUser(int $userId): string
+    {
+        DB::table('user_verification_tokens')->where('user_id', $userId)->delete();
+
+        $rawToken = Str::random(64);
+        $tokenHash = $this->hashToken($rawToken);
+
+        // Support environments where the migration hasn't renamed the column yet
+        $column = \Illuminate\Support\Facades\Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
+
+        DB::table('user_verification_tokens')->insert([
+            'user_id' => $userId,
+            $column => $tokenHash,
+            'expires_at' => now()->addHours($this->ttlHours()),
+            'created_at' => now(),
+            'updated_at' => now(),
+        ]);
+
+        return $rawToken;
+    }
+
+    public function findValidRecord(string $rawToken): ?object
+    {
+        $tokenHash = $this->hashToken($rawToken);
+
+        $column = \Illuminate\Support\Facades\Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
+
+        $record = DB::table('user_verification_tokens')
+            ->where($column, $tokenHash)
+            ->first();
+
+        if (! $record) {
+            return null;
+        }
+
+        if (! hash_equals((string) ($record->{$column} ?? ''), $tokenHash)) {
+            return null;
+        }
+
+        if (now()->greaterThan($record->expires_at)) {
+            DB::table('user_verification_tokens')->where('id', $record->id)->delete();
+
+            return null;
+        }
+
+        return $record;
+    }
+
+    private function ttlHours(): int
+    {
+        return max(1, (int) config('registration.verify_token_ttl_hours', 24));
+    }
+
+    private function hashToken(string $rawToken): string
+    {
+        return hash('sha256', $rawToken);
+    }
+}