feat(api): password reset endpoints with portal URL

Add forgot-password and reset-password API routes with rate limiting. Customize reset URL to point to portal frontend via AppServiceProvider. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 07:39:11 +02:00
parent 7228ad9f5a
commit 02c4b4fd5f
4 changed files with 212 additions and 1 deletions
--- a/api/tests/Feature/Api/V1/PasswordResetTest.php
+++ b/api/tests/Feature/Api/V1/PasswordResetTest.php
@@ -0,0 +1,154 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1;
+
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Notification;
+use Illuminate\Support\Facades\Password;
+use Tests\TestCase;
+
+class PasswordResetTest extends TestCase
+{
+    use RefreshDatabase;
+
+    // ─── Forgot Password ────────────────────────────────────────────────
+
+    public function test_forgot_password_returns_success_for_existing_email(): void
+    {
+        Notification::fake();
+
+        User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+
+        $response = $this->postJson('/api/v1/auth/forgot-password', [
+            'email' => 'jan@voorbeeld.nl',
+        ]);
+
+        $response->assertOk();
+        $response->assertJsonPath('message', 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.');
+    }
+
+    public function test_forgot_password_returns_same_success_for_nonexisting_email(): void
+    {
+        $response = $this->postJson('/api/v1/auth/forgot-password', [
+            'email' => 'onbekend@voorbeeld.nl',
+        ]);
+
+        $response->assertOk();
+        $response->assertJsonPath('message', 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.');
+    }
+
+    public function test_forgot_password_validates_email_required(): void
+    {
+        $response = $this->postJson('/api/v1/auth/forgot-password', []);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors('email');
+    }
+
+    public function test_forgot_password_validates_email_format(): void
+    {
+        $response = $this->postJson('/api/v1/auth/forgot-password', [
+            'email' => 'not-an-email',
+        ]);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors('email');
+    }
+
+    public function test_forgot_password_is_rate_limited(): void
+    {
+        for ($i = 0; $i < 5; $i++) {
+            $this->postJson('/api/v1/auth/forgot-password', [
+                'email' => 'test@voorbeeld.nl',
+            ]);
+        }
+
+        $response = $this->postJson('/api/v1/auth/forgot-password', [
+            'email' => 'test@voorbeeld.nl',
+        ]);
+
+        $response->assertStatus(429);
+    }
+
+    // ─── Reset Password ─────────────────────────────────────────────────
+
+    public function test_reset_password_with_valid_token(): void
+    {
+        $user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+
+        $token = Password::createToken($user);
+
+        $response = $this->postJson('/api/v1/auth/reset-password', [
+            'token' => $token,
+            'email' => 'jan@voorbeeld.nl',
+            'password' => 'nieuwwachtwoord123',
+            'password_confirmation' => 'nieuwwachtwoord123',
+        ]);
+
+        $response->assertOk();
+        $response->assertJsonPath('message', 'Wachtwoord succesvol gewijzigd.');
+
+        // Verify password was actually changed
+        $user->refresh();
+        $this->assertTrue(Hash::check('nieuwwachtwoord123', $user->password));
+    }
+
+    public function test_reset_password_with_invalid_token_returns_422(): void
+    {
+        User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+
+        $response = $this->postJson('/api/v1/auth/reset-password', [
+            'token' => 'invalid-token-here',
+            'email' => 'jan@voorbeeld.nl',
+            'password' => 'nieuwwachtwoord123',
+            'password_confirmation' => 'nieuwwachtwoord123',
+        ]);
+
+        $response->assertStatus(422);
+    }
+
+    public function test_reset_password_requires_confirmation(): void
+    {
+        $user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+
+        $token = Password::createToken($user);
+
+        $response = $this->postJson('/api/v1/auth/reset-password', [
+            'token' => $token,
+            'email' => 'jan@voorbeeld.nl',
+            'password' => 'nieuwwachtwoord123',
+        ]);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors('password');
+    }
+
+    public function test_reset_password_requires_minimum_length(): void
+    {
+        $user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+
+        $token = Password::createToken($user);
+
+        $response = $this->postJson('/api/v1/auth/reset-password', [
+            'token' => $token,
+            'email' => 'jan@voorbeeld.nl',
+            'password' => 'short',
+            'password_confirmation' => 'short',
+        ]);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors('password');
+    }
+
+    public function test_reset_password_validates_required_fields(): void
+    {
+        $response = $this->postJson('/api/v1/auth/reset-password', []);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors(['token', 'email', 'password']);
+    }
+}