[3.x] Add email verification route (#247)

Author: joelbutcher

src/Http/Controllers/Auth/VerifyEmailController.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Cachet\Http\Controllers\Auth;
+
+use Illuminate\Foundation\Auth\EmailVerificationRequest;
+use Illuminate\Http\RedirectResponse;
+
+final class VerifyEmailController
+{
+    /**
+     * Mark the authenticated user's email address as verified.
+     */
+    public function __invoke(EmailVerificationRequest $request): RedirectResponse
+    {
+        $request->fulfill();
+
+        return redirect()->intended(route('cachet.status-page', absolute: false).'?verified=1');
+    }
+}

src/Models/User.php

@@ -4,6 +4,7 @@
 
 use Cachet\Concerns\CachetUser;
 use Cachet\Database\Factories\UserFactory;
+use Illuminate\Auth\MustVerifyEmail as MustVerifyEmailTrait;
 use Illuminate\Contracts\Auth\MustVerifyEmail;
 use Illuminate\Contracts\Translation\HasLocalePreference;
 use Illuminate\Database\Eloquent\Factories\Factory;
@@ -23,7 +24,7 @@
 class User extends Authenticatable implements CachetUser, HasLocalePreference, MustVerifyEmail
 {
     /** @use HasFactory<\Cachet\Database\Factories\UserFactory> */
-    use HasApiTokens, HasFactory, Notifiable;
+    use HasApiTokens, HasFactory, Notifiable, MustVerifyEmailTrait;
 
     /**
      * The attributes that are mass assignable.

src/PendingRouteRegistration.php

@@ -2,6 +2,8 @@
 
 namespace Cachet;
 
+use Cachet\Http\Controllers\Auth\EmailVerificationPromptController;
+use Cachet\Http\Controllers\Auth\VerifyEmailController;
 use Cachet\Http\Controllers\HealthController;
 use Cachet\Http\Controllers\RssController;
 use Cachet\Http\Controllers\Setup\SetupController;
@@ -40,9 +42,22 @@ public function register(): void
                 $router->get('/health', HealthController::class)->name('health');
 
                 $router->get('/rss', RssController::class)->name('rss');
+
             });
+
+        $this->registerEmailVerificationRoutes();
+    }
+
+    private function registerEmailVerificationRoutes(): void
+    {
+        Route::middleware('auth')->group(function () {
+            Route::get('verify-email/{id}/{hash}', VerifyEmailController::class)
+                ->middleware(['signed', 'throttle:6,1'])
+                ->name('verification.verify');
+        });
     }
 
+
     /**
      * Handle the object's destruction.
      *

tests/Feature/Http/Controllers/Auth/EmailVerificationTest.php

@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Cachet\Tests\Feature\Auth;
+
+use Illuminate\Auth\Events\Verified;
+use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\URL;
+use Workbench\App\User;
+
+use function Pest\Laravel\actingAs;
+use function PHPUnit\Framework\assertFalse;
+use function PHPUnit\Framework\assertTrue;
+
+test('email can be verified', function () {
+    $user = User::factory()->unverified()->create();
+
+    Event::fake();
+
+    $verificationUrl = URL::temporarySignedRoute(
+        'verification.verify',
+        now()->addMinutes(60),
+        ['id' => $user->id, 'hash' => sha1($user->email)]
+    );
+
+    $response = actingAs($user)->get($verificationUrl);
+
+    Event::assertDispatched(Verified::class);
+    assertTrue($user->fresh()->hasVerifiedEmail());
+    $response->assertRedirect(route('cachet.status-page', absolute: false).'?verified=1');
+});
+
+test('email is not verified with invalid hash', function () {
+    $user = User::factory()->unverified()->create();
+
+    $verificationUrl = URL::temporarySignedRoute(
+        'verification.verify',
+        now()->addMinutes(60),
+        ['id' => $user->id, 'hash' => sha1('wrong-email')]
+    );
+
+    actingAs($user)->get($verificationUrl);
+    assertFalse($user->fresh()->hasVerifiedEmail());
+});

workbench/database/factories/UserFactory.php

@@ -44,4 +44,14 @@ public function active()
             ];
         });
     }
+
+    /**
+     * Indicate that the model's email address should be unverified.
+     */
+    public function unverified(): static
+    {
+        return $this->state(fn (array $attributes) => [
+            'email_verified_at' => null,
+        ]);
+    }
 }