klevze/SkinbaseNova
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): complete registration anti-spam and quota hardening

Browse Source
This commit is contained in:
Gregor Klevže
2026-02-21 12:13:01 +01:00
parent 4fb95c872b
commit b239af9619
33 changed files with 1288 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
tests/Feature/Auth/RegistrationAntiSpamTest.php
View File

@@ -1,14 +1,16 @@
<?php
use App\Services\Security\RecaptchaVerifier;
use App\Jobs\SendVerificationEmailJob;
use App\Models\User;
use App\Services\Security\TurnstileVerifier;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\RateLimiter;
uses(RefreshDatabase::class);
it('rejects registration when honeypot field is filled', function () {
Mail::fake();
Queue::fake();
$response = $this->from('/register')->post('/register', [
'email' => 'bot1@example.com',
@@ -21,9 +23,9 @@ it('rejects registration when honeypot field is filled', function () {
});
it('throttles excessive registration attempts by ip', function () {
Mail::fake();
config()->set('antispam.register.ip_per_minute', 2);
config()->set('antispam.register.email_per_minute', 20);
Queue::fake();
config()->set('registration.ip_per_minute_limit', 2);
config()->set('registration.ip_per_day_limit', 100);
for ($i = 0; $i < 2; $i++) {
$this->post('/register', [
@@ -36,19 +38,37 @@ it('throttles excessive registration attempts by ip', function () {
])->assertStatus(429);
RateLimiter::clear('register:ip:127.0.0.1');
RateLimiter::clear('register:ip:daily:127.0.0.1');
});
it('rejects registration when recaptcha is enabled and verification fails', function () {
Mail::fake();
it('blocks disposable email domains during registration', function () {
Queue::fake();
config()->set('registration.disposable_domains_enabled', true);
config()->set('disposable_email_domains.domains', ['tempmail.com']);
$mock = \Mockery::mock(RecaptchaVerifier::class);
$response = $this->from('/register')->post('/register', [
'email' => 'bot@tempmail.com',
]);
$response->assertRedirect('/register');
$response->assertSessionHasErrors('email');
$this->assertDatabaseMissing('users', ['email' => 'bot@tempmail.com']);
});
it('requires turnstile after suspicious registration attempts', function () {
Queue::fake();
config()->set('registration.enable_turnstile', true);
config()->set('registration.turnstile_suspicious_attempts', 1);
config()->set('services.turnstile.site_key', 'site-key');
config()->set('services.turnstile.secret_key', 'secret-key');
$mock = \Mockery::mock(TurnstileVerifier::class);
$mock->shouldReceive('isEnabled')->andReturn(true);
$mock->shouldReceive('verify')->once()->andReturn(false);
$this->app->instance(RecaptchaVerifier::class, $mock);
$this->app->instance(TurnstileVerifier::class, $mock);
$response = $this->from('/register')->post('/register', [
'email' => 'captcha-user@example.com',
'g-recaptcha-response' => 'bad-token',
]);
$response->assertRedirect('/register');
@@ -56,17 +76,79 @@ it('rejects registration when recaptcha is enabled and verification fails', func
$this->assertDatabaseMissing('users', ['email' => 'captcha-user@example.com']);
});
it('allows registration when recaptcha is enabled and verification succeeds', function () {
Mail::fake();
it('shows turnstile when ip is in rate-limited state', function () {
config()->set('registration.enable_turnstile', true);
config()->set('registration.ip_per_minute_limit', 1);
config()->set('services.turnstile.site_key', 'site-key');
config()->set('services.turnstile.secret_key', 'secret-key');
$mock = \Mockery::mock(RecaptchaVerifier::class);
RateLimiter::hit('register:ip:127.0.0.1', 60);
$this->get('/register')
->assertOk()
->assertSee('cf-turnstile', false);
RateLimiter::clear('register:ip:127.0.0.1');
});
it('enforces verification email cooldown per address', function () {
Queue::fake();
$this->post('/register', [
'email' => 'cooldown2@example.com',
])->assertRedirect('/register/notice');
$response = $this->post('/register', [
'email' => 'cooldown2@example.com',
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertPushed(SendVerificationEmailJob::class, 1);
});
it('returns generic success for existing verified emails (anti-enumeration)', function () {
Queue::fake();
User::factory()->create([
'email' => 'existing@example.com',
'email_verified_at' => now(),
'onboarding_step' => 'complete',
'is_active' => true,
]);
$response = $this->post('/register', [
'email' => 'existing@example.com',
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertNothingPushed();
});
it('still allows registration when turnstile passes', function () {
Queue::fake();
config()->set('registration.enable_turnstile', true);
config()->set('registration.turnstile_suspicious_attempts', 1);
config()->set('services.turnstile.site_key', 'site-key');
config()->set('services.turnstile.secret_key', 'secret-key');
$mock = \Mockery::mock(TurnstileVerifier::class);
$mock->shouldReceive('isEnabled')->andReturn(true);
$mock->shouldReceive('verify')->once()->andReturn(false);
$mock->shouldReceive('verify')->once()->andReturn(true);
$this->app->instance(RecaptchaVerifier::class, $mock);
$this->app->instance(TurnstileVerifier::class, $mock);
$first = $this->from('/register')->post('/register', [
'email' => 'captcha-block@example.com',
]);
$first->assertRedirect('/register');
$first->assertSessionHasErrors('captcha');
$response = $this->post('/register', [
'email' => 'captcha-pass@example.com',
'g-recaptcha-response' => 'good-token',
'cf-turnstile-response' => 'good-token',
]);
$response->assertRedirect('/register/notice');

29
tests/Feature/Auth/RegistrationFlowChecklistTest.php
View File

@@ -2,13 +2,14 @@
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Mail;
use App\Jobs\SendVerificationEmailJob;
uses(RefreshDatabase::class);
it('completes happy path registration onboarding flow', function () {
Mail::fake();
Queue::fake();
$register = $this->post('/register', [
'email' => 'flow-user@example.com',
@@ -19,9 +20,12 @@ it('completes happy path registration onboarding flow', function () {
$user = User::query()->where('email', 'flow-user@example.com')->firstOrFail();
expect($user->onboarding_step)->toBe('email');
$token = (string) DB::table('user_verification_tokens')
->where('user_id', $user->id)
->value('token');
$token = null;
Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$token) {
$token = $job->token;
return true;
});
$this->get('/verify/' . $token)->assertRedirect('/setup/password');
@@ -58,9 +62,10 @@ it('rejects expired verification token', function () {
'is_active' => false,
]);
$column = \Illuminate\Support\Facades\Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([
'user_id' => $user->id,
'token' => 'expired-checklist-token',
$column => hash('sha256', 'expired-checklist-token'),
'expires_at' => now()->subHour(),
'created_at' => now(),
'updated_at' => now(),
@@ -74,16 +79,22 @@ it('rejects expired verification token', function () {
});
it('rejects duplicate email at registration', function () {
Queue::fake();
User::factory()->create([
'email' => 'duplicate-check@example.com',
'email_verified_at' => now(),
'onboarding_step' => 'complete',
'is_active' => true,
]);
$response = $this->from('/register')->post('/register', [
$response = $this->post('/register', [
'email' => 'duplicate-check@example.com',
]);
$response->assertRedirect('/register');
$response->assertSessionHasErrors('email');
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertNothingPushed();
});
it('rejects username conflict during username setup', function () {

30
tests/Feature/Auth/RegistrationNoticeResendTest.php
View File

@@ -1,15 +1,14 @@
<?php
use App\Mail\RegistrationVerificationMail;
use App\Jobs\SendVerificationEmailJob;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Queue;
uses(RefreshDatabase::class);
it('shows registration notice with email after first step', function () {
Mail::fake();
Queue::fake();
$this->post('/register', [
'email' => 'notice@example.com',
@@ -28,33 +27,40 @@ it('prefills register form email from query string', function () {
});
it('blocks resend while cooldown is active', function () {
Mail::fake();
Queue::fake();
$this->post('/register', [
'email' => 'cooldown@example.com',
])->assertRedirect('/register/notice');
$this->from('/register/notice')->post('/register/resend-verification', [
$response = $this->from('/register/notice')->post('/register/resend-verification', [
'email' => 'cooldown@example.com',
])->assertRedirect('/register/notice')
->assertSessionHasErrors('email');
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHasNoErrors();
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertPushed(SendVerificationEmailJob::class, 1);
});
it('resends verification after cooldown expires', function () {
Mail::fake();
Queue::fake();
$this->post('/register', [
'email' => 'resend@example.com',
])->assertRedirect('/register/notice');
$key = 'register:resend:cooldown:' . sha1('resend@example.com');
Cache::forget($key);
$user = User::query()->where('email', 'resend@example.com')->firstOrFail();
$user->forceFill([
'last_verification_sent_at' => now()->subMinutes(31),
])->save();
$this->post('/register/resend-verification', [
'email' => 'resend@example.com',
])->assertRedirect('/register/notice');
Mail::assertQueued(RegistrationVerificationMail::class, 2);
Queue::assertPushed(SendVerificationEmailJob::class, 2);
expect(User::query()->where('email', 'resend@example.com')->exists())->toBeTrue();
});

67
tests/Feature/Auth/RegistrationQuotaCircuitBreakerTest.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
use App\Jobs\SendVerificationEmailJob;
use App\Services\Auth\RegistrationEmailQuotaService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Facades\DB;
uses(RefreshDatabase::class);
it('returns generic success even when quota is exceeded', function () {
Queue::fake();
DB::table('system_email_quota')->insert([
'period' => now()->format('Y-m'),
'sent_count' => 10,
'limit_count' => 10,
'updated_at' => now(),
]);
$response = $this->post('/register', [
'email' => 'quota-hit@example.com',
]);
$response->assertRedirect('/register/notice');
$response->assertSessionHas('status', 'If that email is valid, we sent a verification link.');
Queue::assertPushed(SendVerificationEmailJob::class);
});
it('blocks actual send in job when monthly quota is exceeded', function () {
Mail::fake();
DB::table('system_email_quota')->insert([
'period' => now()->format('Y-m'),
'sent_count' => 10,
'limit_count' => 10,
'updated_at' => now(),
]);
$eventId = DB::table('email_send_events')->insertGetId([
'type' => 'verify_email',
'email' => 'quota-block@example.com',
'ip' => '127.0.0.1',
'user_id' => null,
'status' => 'queued',
'reason' => null,
'created_at' => now(),
]);
$job = new SendVerificationEmailJob(
emailEventId: (int) $eventId,
email: 'quota-block@example.com',
token: 'raw-token',
userId: null,
ip: '127.0.0.1'
);
$job->handle(app(RegistrationEmailQuotaService::class));
Mail::assertNothingSent();
$this->assertDatabaseHas('email_send_events', [
'id' => $eventId,
'status' => 'blocked',
'reason' => 'quota',
]);
});

8
tests/Feature/Auth/RegistrationTest.php
View File

@@ -1,7 +1,7 @@
<?php
use App\Mail\RegistrationVerificationMail;
use Illuminate\Support\Facades\Mail;
use App\Jobs\SendVerificationEmailJob;
use Illuminate\Support\Facades\Queue;
test('registration screen can be rendered', function () {
$response = $this->get('/register');
@@ -14,7 +14,7 @@ test('registration screen can be rendered', function () {
});
test('new users can register', function () {
Mail::fake();
Queue::fake();
$response = $this->post('/register', [
'email' => 'test@example.com',
@@ -33,5 +33,5 @@ test('new users can register', function () {
'user_id' => (int) \App\Models\User::query()->where('email', 'test@example.com')->value('id'),
]);
Mail::assertQueued(RegistrationVerificationMail::class);
Queue::assertPushed(SendVerificationEmailJob::class);
});

61
tests/Feature/Auth/RegistrationTokenVerificationTest.php
View File

@@ -1,11 +1,39 @@
<?php
use App\Jobs\SendVerificationEmailJob;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\Facades\Queue;
uses(RefreshDatabase::class);
it('stores verification tokens hashed instead of raw token', function () {
Queue::fake();
$this->post('/register', [
'email' => 'token-hash@example.com',
])->assertRedirect('/register/notice');
$rawToken = null;
Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$rawToken) {
$rawToken = $job->token;
return true;
});
$userId = (int) User::query()->where('email', 'token-hash@example.com')->value('id');
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
$storedToken = (string) DB::table('user_verification_tokens')
->where('user_id', $userId)
->value($column);
expect($rawToken)->not->toBeNull();
expect($storedToken)->toBe(hash('sha256', (string) $rawToken));
expect($storedToken)->not->toBe((string) $rawToken);
});
it('verifies token and redirects to password setup', function () {
$user = User::factory()->create([
'email_verified_at' => null,
@@ -13,9 +41,10 @@ it('verifies token and redirects to password setup', function () {
'is_active' => false,
]);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([
'user_id' => $user->id,
'token' => 'verify-token-1',
$column => hash('sha256', 'verify-token-1'),
'expires_at' => now()->addHour(),
'created_at' => now(),
'updated_at' => now(),
@@ -33,7 +62,8 @@ it('verifies token and redirects to password setup', function () {
]);
expect($user->fresh()->email_verified_at)->not->toBeNull();
$this->assertDatabaseMissing('user_verification_tokens', ['token' => 'verify-token-1']);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
$this->assertDatabaseMissing('user_verification_tokens', [$column => hash('sha256', 'verify-token-1')]);
});
it('rejects expired token', function () {
@@ -43,9 +73,10 @@ it('rejects expired token', function () {
'is_active' => false,
]);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([
'user_id' => $user->id,
'token' => 'expired-token-1',
$column => hash('sha256', 'expired-token-1'),
'expires_at' => now()->subMinute(),
'created_at' => now(),
'updated_at' => now(),
@@ -72,3 +103,27 @@ it('rejects unknown token', function () {
$response->assertSessionHasErrors('email');
$this->assertGuest();
});
it('rejects token reuse after successful verification', function () {
$user = User::factory()->create([
'email_verified_at' => null,
'onboarding_step' => 'email',
'is_active' => false,
]);
$column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
DB::table('user_verification_tokens')->insert([
'user_id' => $user->id,
$column => hash('sha256', 'one-time-token'),
'expires_at' => now()->addHour(),
'created_at' => now(),
'updated_at' => now(),
]);
$this->get('/verify/one-time-token')->assertRedirect('/setup/password');
auth()->logout();
$secondTry = $this->from('/login')->get('/verify/one-time-token');
$secondTry->assertRedirect('/login');
$secondTry->assertSessionHasErrors('email');
});

8
tests/Feature/Auth/RegistrationVerificationMailTest.php
View File

@@ -1,8 +1,10 @@
<?php
use App\Jobs\SendVerificationEmailJob;
use App\Mail\RegistrationVerificationMail;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
uses(RefreshDatabase::class);
@@ -28,14 +30,14 @@ it('registration email contains verification link expiry and support url', funct
expect($html)->toContain('https://skinbase.example/support');
});
it('registration endpoint still queues verification mail', function () {
\Illuminate\Support\Facades\Mail::fake();
it('registration endpoint queues verification email job', function () {
Queue::fake();
$this->post('/register', [
'email' => 'mail-test@example.com',
])->assertRedirect('/register/notice');
\Illuminate\Support\Facades\Mail::assertQueued(RegistrationVerificationMail::class);
Queue::assertPushed(SendVerificationEmailJob::class);
$this->assertDatabaseHas('users', [
'email' => 'mail-test@example.com',
'onboarding_step' => 'email',