withoutMiddleware([DecideWhatToDoWithUser::class, CheckForcePasswordReset::class]); Once::flush(); if (! InstanceSettings::find(0)) { $settings = new InstanceSettings; $settings->id = 0; $settings->saveQuietly(); } }); describe('email verification hash', function () { test('sha256 hash is accepted and marks the user verified', function () { $user = User::factory()->create([ 'email' => 'verify-me@example.com', 'email_verified_at' => null, ]); $url = URL::temporarySignedRoute('verify.verify', now()->addHour(), [ 'id' => $user->getKey(), 'hash' => hash('sha256', $user->getEmailForVerification()), ]); $this->actingAs($user)->get($url)->assertRedirect(); $user->refresh(); expect($user->email_verified_at)->not->toBeNull(); }); test('legacy sha1 hash is rejected', function () { $user = User::factory()->create([ 'email' => 'legacy-sha1@example.com', 'email_verified_at' => null, ]); $url = URL::temporarySignedRoute('verify.verify', now()->addHour(), [ 'id' => $user->getKey(), 'hash' => sha1($user->getEmailForVerification()), ]); $this->actingAs($user)->get($url)->assertStatus(403); $user->refresh(); expect($user->email_verified_at)->toBeNull(); }); test('tampered signature is rejected', function () { $user = User::factory()->create([ 'email' => 'tampered@example.com', 'email_verified_at' => null, ]); $url = URL::temporarySignedRoute('verify.verify', now()->addHour(), [ 'id' => $user->getKey(), 'hash' => hash('sha256', $user->getEmailForVerification()), ]); $tampered = $url.'x'; $this->actingAs($user)->get($tampered)->assertStatus(403); }); });