feat(auth): complete registration anti-spam and quota hardening

tests/Feature/Auth/RegistrationTokenVerificationTest.php

@@ -1,11 +1,39 @@
 <?php
 
+use App\Jobs\SendVerificationEmailJob;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Support\Facades\Queue;
 
 uses(RefreshDatabase::class);
 
+it('stores verification tokens hashed instead of raw token', function () {
+    Queue::fake();
+
+    $this->post('/register', [
+        'email' => 'token-hash@example.com',
+    ])->assertRedirect('/register/notice');
+
+    $rawToken = null;
+    Queue::assertPushed(SendVerificationEmailJob::class, function (SendVerificationEmailJob $job) use (&$rawToken) {
+        $rawToken = $job->token;
+
+        return true;
+    });
+
+    $userId = (int) User::query()->where('email', 'token-hash@example.com')->value('id');
+    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
+    $storedToken = (string) DB::table('user_verification_tokens')
+        ->where('user_id', $userId)
+        ->value($column);
+
+    expect($rawToken)->not->toBeNull();
+    expect($storedToken)->toBe(hash('sha256', (string) $rawToken));
+    expect($storedToken)->not->toBe((string) $rawToken);
+});
+
 it('verifies token and redirects to password setup', function () {
     $user = User::factory()->create([
         'email_verified_at' => null,
@@ -13,9 +41,10 @@ it('verifies token and redirects to password setup', function () {
         'is_active' => false,
     ]);
 
+    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
     DB::table('user_verification_tokens')->insert([
         'user_id' => $user->id,
-        'token' => 'verify-token-1',
+        $column => hash('sha256', 'verify-token-1'),
         'expires_at' => now()->addHour(),
         'created_at' => now(),
         'updated_at' => now(),
@@ -33,7 +62,8 @@ it('verifies token and redirects to password setup', function () {
     ]);
 
     expect($user->fresh()->email_verified_at)->not->toBeNull();
-    $this->assertDatabaseMissing('user_verification_tokens', ['token' => 'verify-token-1']);
+    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
+    $this->assertDatabaseMissing('user_verification_tokens', [$column => hash('sha256', 'verify-token-1')]);
 });
 
 it('rejects expired token', function () {
@@ -43,9 +73,10 @@ it('rejects expired token', function () {
         'is_active' => false,
     ]);
 
+    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
     DB::table('user_verification_tokens')->insert([
         'user_id' => $user->id,
-        'token' => 'expired-token-1',
+        $column => hash('sha256', 'expired-token-1'),
         'expires_at' => now()->subMinute(),
         'created_at' => now(),
         'updated_at' => now(),
@@ -72,3 +103,27 @@ it('rejects unknown token', function () {
     $response->assertSessionHasErrors('email');
     $this->assertGuest();
 });
+
+it('rejects token reuse after successful verification', function () {
+    $user = User::factory()->create([
+        'email_verified_at' => null,
+        'onboarding_step' => 'email',
+        'is_active' => false,
+    ]);
+
+    $column = Schema::hasColumn('user_verification_tokens', 'token_hash') ? 'token_hash' : 'token';
+    DB::table('user_verification_tokens')->insert([
+        'user_id' => $user->id,
+        $column => hash('sha256', 'one-time-token'),
+        'expires_at' => now()->addHour(),
+        'created_at' => now(),
+        'updated_at' => now(),
+    ]);
+
+    $this->get('/verify/one-time-token')->assertRedirect('/setup/password');
+    auth()->logout();
+
+    $secondTry = $this->from('/login')->get('/verify/one-time-token');
+    $secondTry->assertRedirect('/login');
+    $secondTry->assertSessionHasErrors('email');
+});