feat: Add email verification for new users

Implement Laravel's MustVerifyEmail, verification routes, and protected middleware to ensure users verify their email before accessing protected routes. Improves security and prevents fake sign-ups.
Implement email.verified middleware (EnsureEmailIsVerified Middleware)
Updated the test to factor in email verification

Author: remioluwatomi

app/Http/Controllers/Api/V1/Auth/AuthController.php

@@ -6,6 +6,7 @@
 use App\Models\User;
 use App\Models\Organisation;
 use App\Services\OrganisationService;
+use Illuminate\Auth\Events\Registered;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Hash;
@@ -67,7 +68,7 @@ public function store(Request $request)
             $token = JWTAuth::fromUser($user);
 
             $is_superadmin = in_array($user->role, ['admin']);
-
+            
             DB::commit();
 
             $email_template_id = null;
@@ -77,6 +78,8 @@ public function store(Request $request)
                 $email_template_id = $emailTemplate->id;
             }
 
+            event(new Registered($user));
+
             return response()->json([
                 'status_code' => 201,
                 'message' => 'User Created Successfully',

app/Http/Controllers/Api/V1/Auth/VerificationController.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Auth;
+
+use App\Http\Controllers\Controller;
+use Illuminate\Foundation\Auth\EmailVerificationRequest;
+use Illuminate\Http\Request;
+
+class VerificationController extends Controller
+{
+    //
+
+
+    public function emailNotice($request)
+    {
+
+        return response()->json([
+            'status_code' => 403,
+            'message' => 'Email not verified. Please verify your email to continue.',
+            'status' => 'error',
+            'data' => []
+        ], 403);
+    }
+
+    public function verifyEmail(EmailVerificationRequest $request)
+    {
+        $request->fulfill();
+
+        return response()->json([
+            'status_code' => 200,
+            'message' => 'Email verified successfully',
+            'status' => 'success',
+            'data' => []
+        ], 200);
+    }
+
+    public function resendEmail(Request $request) 
+    {
+        $user = $request->user();
+
+    if ($user->hasVerifiedEmail()) {
+        return response()->json([
+            'status_code' => 400,
+            'message' => 'Email already verified.',
+            'status' => 'error',
+            'data' => []
+        ], 400);
+    }
+
+    $user->sendEmailVerificationNotification();
+
+    return response()->json([
+        'status_code' => 200,
+        'message' => 'Verification email resent successfully.',
+        'status' => 'success',
+        'data' => []
+    ], 200);
+    }
+}

app/Http/Kernel.php

@@ -70,5 +70,6 @@ class Kernel extends HttpKernel
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         'admin' => \App\Http\Middleware\AdminMiddleware::class,
         'superadmin' => \App\Http\Middleware\SuperAdminMiddleware::class,
+        'email.verified' => \App\Http\Middleware\EnsureEmailIsVerified::class,
     ];
 }

app/Http/Middleware/EnsureEmailIsVerified.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureEmailIsVerified
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        // Ensure user is authenticated
+        dump($request->user);
+        if (! $request->user() || ! $request->user()->hasVerifiedEmail()) {
+            return response()->json([
+                'status_code' => 403,
+                'message' => 'Email not verified. Please verify your email to continue.',
+                'status' => 'error',
+                'data' => []
+            ], 403);
+        }
+
+        return $next($request);
+    }
+}

app/Models/User.php

@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use Illuminate\Contracts\Auth\MustVerifyEmail;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Foundation\Auth\User as Authenticatable;
@@ -15,7 +16,7 @@
 use Illuminate\Auth\Passwords\CanResetPassword;
 use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
 
-class User extends Authenticatable  implements JWTSubject, CanResetPasswordContract
+class User extends Authenticatable  implements JWTSubject, CanResetPasswordContract, MustVerifyEmail
 {
     use HasApiTokens, HasFactory, Notifiable, HasUuids, CanResetPassword, SoftDeletes;
 
@@ -41,6 +42,7 @@ class User extends Authenticatable  implements JWTSubject, CanResetPasswordContr
         'email',
         'password',
         'role',
+        'email_verified_at'
     ];
 
     /* protected $fillable = [

routes/api.php

@@ -1,5 +1,6 @@
 <?php
 
+use App\Http\Controllers\Api\V1\Auth\VerificationController;
 use Illuminate\Support\Facades\Route;
 use App\Http\Controllers\QuestController;
 use App\Http\Controllers\Api\V1\JobController;
@@ -77,6 +78,13 @@
     Route::post('/api-status', [ApiStatusCheckerController::class, 'store']);
 
     Route::post('/auth/register', [AuthController::class, 'store']);
+
+
+    Route::get('/auth/email/verify', [VerificationController::class, 'emailNotice'])->middleware('auth')->name('verification.notice');
+    Route::get('/auth/email/verify/{id}/{hash}', [VerificationController::class,'verifyEmail'])->middleware(['auth', 'signed'])->name('verification.verify');
+    Route::post('/auth/email/verification-notification', [VerificationController::class, 'resendEmail'])->middleware(['auth', 'throttle:6,1'])->name('verification.send');
+
+
     Route::post('/auth/login', [LoginController::class, 'login']);
     Route::post('/auth/logout', [LoginController::class, 'logout'])->middleware('auth:api');
     Route::post('/auth/password-reset-email', ForgetPasswordRequestController::class)->name('password.reset');
@@ -96,7 +104,7 @@
     Route::get('/auth/facebook/callback', [SocialAuthController::class, 'callbackFromFacebook']);
     Route::post('/auth/facebook/callback', [SocialAuthController::class, 'saveFacebookRequest']);
 
-    Route::middleware('auth:api')->group(function () {
+    Route::middleware(['auth:api', 'email.verified'])->group(function () {
 
         Route::get('/users/stats', [UserController::class, 'stats']);
         Route::apiResource('/users', UserController::class);
@@ -123,7 +131,7 @@
 
     Route::middleware('throttle:10,1')->get('/topics/search', [ArticleController::class, 'search']);
 
-    Route::middleware('auth:api')->group(function () {
+    Route::middleware(['auth:api', 'email.verified'])->group(function () {
 
         Route::get('/organisations/{orgId}/products/search', [ProductController::class, 'search']);
 
@@ -141,7 +149,7 @@
 
 
     //comment
-    Route::middleware('auth:api')->group(function () {
+    Route::middleware(['auth:api', 'email.verified'])->group(function () {
         Route::post('/blogs/{blogId}/comments', [CommentController::class, 'createComment']);
         Route::post('/comments/{commentId}/reply', [CommentController::class, 'replyComment']);
         Route::post('/comments/{commentId}/like', [CommentController::class, 'likeComment']);
@@ -179,14 +187,14 @@
     Route::get('/squeeze-pages-users', [SqueezePageUserController::class, 'index']);
 
 
-    Route::middleware(['auth:api', 'admin'])->group(function () {
+    Route::middleware(['auth:api', 'admin', 'email.verified'])->group(function () {
         Route::get('/email-templates', [EmailTemplateController::class, 'index']);
         Route::post('/email-templates', [EmailTemplateController::class, 'store']);
         Route::patch('/email-templates/{id}', [EmailTemplateController::class, 'update']);
         Route::delete('/email-templates/{id}', [EmailTemplateController::class, 'destroy']);
     });
 
-    Route::middleware(['auth:api', 'admin'])->group(function () {
+    Route::middleware(['auth:api', 'admin', 'email.verified'])->group(function () {
         // Dashboard
         Route::get('/users-list', [AdminDashboardController::class, 'getUsers']);
     });
@@ -199,7 +207,7 @@
     Route::post('/invite', [InvitationAcceptanceController::class, 'acceptInvitationPost']);
 
 
-    Route::middleware('auth:api')->group(function () {
+    Route::middleware(['auth:api', 'email.verified'])->group(function () {
 
         // Subscriptions, Plans and Features
         Route::apiResource('/features', FeatureController::class);
@@ -275,10 +283,10 @@
     });
     Route::get('/notification-settings', [NotificationSettingController::class, 'show']);
 
-    Route::middleware(['auth:api', 'admin'])->get('/customers', [CustomerController::class, 'index']);
+    Route::middleware(['auth:api', 'admin', 'email.verified'])->get('/customers', [CustomerController::class, 'index']);
 
     //Blogs
-    Route::group(['middleware' => ['auth.jwt', 'admin']], function () {
+    Route::group(['middleware' => ['auth.jwt', 'email.verified' ,'admin']], function () {
         Route::post('/blogs', [BlogController::class, 'store']);
         Route::patch('/blogs/edit/{id}', [BlogController::class, 'update'])->name('admin.blogs.update');
         Route::delete('/blogs/{id}', [BlogController::class, 'destroy']);
@@ -304,7 +312,7 @@
     Route::get('/blogs/{id}', [BlogController::class, 'show']);
     Route::get('/blogs', [BlogController::class, 'index']);
 
-    Route::group(['middleware' => ['auth:api']], function () {
+    Route::group(['middleware' => ['auth:api', 'email.verified']], function () {
         Route::post('/user/preferences', [PreferenceController::class, 'store']);
         Route::put('/user/preferences/{id}', [PreferenceController::class, 'update']);
         Route::get('/user/preferences', [PreferenceController::class, 'index']);
@@ -315,15 +323,15 @@
     });
 
     //region get and update
-    Route::group(['middleware' => ['auth:api']], function () {
+    Route::group(['middleware' => ['auth:api', 'email.verified']], function () {
         Route::put('/regions/{user_id}', [PreferenceController::class, 'updateRegion']);
         Route::get('/regions/{user_id}', [PreferenceController::class, 'showRegion']);
     });
     // Notification settings
     Route::patch('/notification-settings/{user_id}', [NotificationPreferenceController::class, 'update']);
 
 
-    Route::middleware(['auth:api', 'admin'])->group(function () {
+    Route::middleware(['auth:api', 'email.verified', 'admin'])->group(function () {
         //Email Template
         Route::apiResource('email-templates', EmailTemplateController::class);
     });
@@ -339,8 +347,8 @@
     // User Notification
     Route::patch('/notifications/{notification}', [UserNotificationController::class, 'update']);
     Route::delete('/notifications', [UserNotificationController::class, 'destroy']);
-    Route::post('/notifications', [UserNotificationController::class, 'create'])->middleware('auth.jwt');
-    Route::get('/notifications', [UserNotificationController::class, 'getByUser'])->middleware('auth.jwt');
+    Route::post('/notifications', [UserNotificationController::class, 'create'])->middleware(['auth.jwt', 'email.verified']);
+    Route::get('/notifications', [UserNotificationController::class, 'getByUser'])->middleware(['auth.jwt', 'email.verified']);
     //Timezone
     Route::get('/timezones', [TimezoneController::class, 'index']);
 

tests/Feature/InvitationTest.php

@@ -29,6 +29,11 @@ public function setUp(): void
             'last_name' => 'User',
         ]);
 
+        //pseudo email verification
+        $user = User::where('email', 'test@example.com')->first();
+        $user->email_verified_at = now();
+        $user->save();
+
         // Login the user
         $loginResponse = $this->postJson('/api/v1/auth/login', [
             'email' => 'test@example.com',

tests/Feature/UserDeletionTest.php

@@ -25,6 +25,7 @@ public function test_user_not_found_during_deletion()
             'password' => bcrypt('@Bulldozer01'), // Admin password
             'role' => 'admin',
             'is_verified' => 1,
+            'email_verified_at' => now()
         ]);
 
         // Attempt to delete a non-existent user
@@ -51,6 +52,7 @@ public function test_unauthorized_user_deleting_another_user()
             'password' => bcrypt('password'),
             'role' => 'user',
             'is_verified' => 1,
+            'email_verified_at' => now()
         ]);
 
         $anotherUser = User::create([
@@ -86,6 +88,7 @@ public function test_admin_deleting_user()
             'password' => bcrypt('@Bulldozer01'), // Admin password
             'role' => 'admin',
             'is_verified' => 1,
+            'email_verified_at' => now()
         ]);
 
         $user = User::create([
@@ -122,6 +125,7 @@ public function test_super_admin_deleting_user()
             'password' => bcrypt('@Bulldozer01'),
             'role' => 'superAdmin',
             'is_verified' => 1,
+            'email_verified_at' => now()
         ]);
 
         $anotherUser = User::create([
@@ -158,6 +162,7 @@ public function test_deleting_self_as_super_admin()
             'password' => bcrypt('@Bulldozer01'),
             'role' => 'superAdmin',
             'is_verified' => 1,
+            'email_verified_at' => now()
         ]);
 
         // Delete self as a super admin