bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: password reset, email change with verification, and password change

Browse Source 
Password reset: multi-app support with custom notification linking to correct
frontend (app/portal/admin). Email change: self-service with password
confirmation and admin-initiated, both sending verification to new address
with 24h expiry. Confirmation sent to old email on completion. Password
change: authenticated endpoint revoking other sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 15:38:54 +02:00
parent 53100d4f6d
commit 836cffa232
42 changed files with 2643 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
api/app/Http/Controllers/Api/V1/AccountController.php Normal file
View File

@@ -0,0 +1,55 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;
use Illuminate\Validation\ValidationException;
final class AccountController extends Controller
{
/**
* POST /api/v1/me/change-password
* Authenticated user changes their own password.
*/
public function changePassword(Request $request): JsonResponse
{
$validated = $request->validate([
'current_password' => ['required'],
'password' => ['required', 'confirmed', Password::min(8)->mixedCase()->numbers()],
]);
$user = $request->user();
if (! Hash::check($validated['current_password'], $user->password)) {
throw ValidationException::withMessages([
'current_password' => ['Het huidige wachtwoord is onjuist.'],
]);
}
$user->update([
'password' => Hash::make($validated['password']),
]);
// Revoke all OTHER tokens (keep current session)
$currentToken = $user->currentAccessToken();
if ($currentToken instanceof \Laravel\Sanctum\PersonalAccessToken) {
$user->tokens()->where('id', '!=', $currentToken->id)->delete();
} else {
// TransientToken (test) or no token — revoke all
$user->tokens()->delete();
}
activity()
->causedBy($user)
->performedOn($user)
->log('user.password_changed');
return $this->success(message: 'Je wachtwoord is succesvol gewijzigd.');
}
}

71
api/app/Http/Controllers/Api/V1/EmailChangeController.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Services\EmailChangeService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;
final class EmailChangeController extends Controller
{
public function __construct(private readonly EmailChangeService $service) {}
/**
* POST /api/v1/me/change-email
* User requests to change their own email.
*/
public function request(Request $request): JsonResponse
{
$validated = $request->validate([
'new_email' => ['required', 'email', 'max:255'],
'password' => ['required'],
'app' => ['required', 'in:app,portal,admin'],
]);
// Verify current password
if (! Hash::check($validated['password'], $request->user()->password)) {
throw ValidationException::withMessages([
'password' => ['Het huidige wachtwoord is onjuist.'],
]);
}
$frontendUrls = [
'admin' => config('app.frontend_admin_url'),
'app' => config('app.frontend_app_url'),
'portal' => config('app.frontend_portal_url'),
];
$this->service->requestChange(
$request->user(),
$validated['new_email'],
$request->user(),
$frontendUrls[$validated['app']],
);
return $this->success(
message: 'Er is een verificatiemail verstuurd naar ' . $validated['new_email'] . '.',
);
}
/**
* POST /api/v1/verify-email-change
* Public endpoint verifies the token from the email link.
*/
public function verify(Request $request): JsonResponse
{
$validated = $request->validate([
'token' => ['required', 'string'],
]);
$this->service->verifyChange($validated['token']);
return $this->success(
message: 'Je e-mailadres is succesvol gewijzigd.',
);
}
}

28
api/app/Http/Controllers/Api/V1/MemberController.php
View File

@@ -10,7 +10,9 @@ use App\Http\Resources\Api\V1\MemberCollection;
use App\Http\Resources\Api\V1\MemberResource;
use App\Models\Organisation;
use App\Models\User;
use App\Services\EmailChangeService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
final class MemberController extends Controller
@@ -81,4 +83,30 @@ final class MemberController extends Controller
return response()->json(null, 204);
}
/**
* POST /api/v1/organisations/{organisation}/members/{user}/change-email
* Admin changes a member's email (sends verification to new address).
*/
public function changeEmail(Request $request, Organisation $organisation, User $user): JsonResponse
{
Gate::authorize('invite', $organisation);
$validated = $request->validate([
'new_email' => ['required', 'email', 'max:255'],
]);
$frontendUrl = config('app.frontend_app_url');
app(EmailChangeService::class)->requestChange(
$user,
$validated['new_email'],
$request->user(),
$frontendUrl,
);
return $this->success(
message: 'Er is een verificatiemail verstuurd naar ' . $validated['new_email'] . '.',
);
}
}

39
api/app/Http/Controllers/Api/V1/PasswordResetController.php
View File

@@ -5,6 +5,8 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Models\User;
use App\Notifications\ResetPasswordNotification;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
@@ -15,34 +17,57 @@ final class PasswordResetController extends Controller
{
public function sendResetLink(Request $request): JsonResponse
{
$request->validate(['email' => 'required|email']);
$request->validate([
'email' => ['required', 'email'],
'app' => ['required', 'in:app,portal,admin'],
]);
Password::sendResetLink(['email' => strtolower($request->email)]);
$frontendUrls = [
'admin' => config('app.frontend_admin_url'),
'app' => config('app.frontend_app_url'),
'portal' => config('app.frontend_portal_url'),
];
$frontendUrl = $frontendUrls[$request->input('app')];
Password::sendResetLink(
['email' => strtolower($request->email)],
function (User $user, string $token) use ($frontendUrl) {
$user->notify(new ResetPasswordNotification($token, $frontendUrl));
}
);
// Always return success (don't leak whether email exists)
return $this->success(
message: 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.'
message: 'Als dit e-mailadres bij ons bekend is, ontvang je een link om je wachtwoord te herstellen.'
);
}
public function resetPassword(Request $request): JsonResponse
{
$request->validate([
'token' => 'required',
'email' => 'required|email',
'token' => ['required'],
'email' => ['required', 'email'],
'password' => ['required', 'confirmed', PasswordRule::min(8)->mixedCase()->numbers()],
]);
$status = Password::reset(
$request->only('email', 'password', 'password_confirmation', 'token'),
function ($user, $password) {
function (User $user, string $password) {
$user->forceFill(['password' => Hash::make($password)])->save();
// Revoke all existing tokens (force re-login everywhere)
$user->tokens()->delete();
activity()
->causedBy($user)
->performedOn($user)
->log('user.password_reset');
}
);
if ($status === Password::PASSWORD_RESET) {
return $this->success(message: 'Wachtwoord succesvol gewijzigd.');
return $this->success(message: 'Je wachtwoord is succesvol gewijzigd. Je kunt nu inloggen.');
}
return $this->error(__($status), 422);