feat: password reset, email change with verification, and password change
Password reset: multi-app support with custom notification linking to correct frontend (app/portal/admin). Email change: self-service with password confirmation and admin-initiated, both sending verification to new address with 24h expiry. Confirmation sent to old email on completion. Password change: authenticated endpoint revoking other sessions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,8 @@ declare(strict_types=1);
|
||||
namespace App\Http\Controllers\Api\V1;
|
||||
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Models\User;
|
||||
use App\Notifications\ResetPasswordNotification;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
@@ -15,34 +17,57 @@ final class PasswordResetController extends Controller
|
||||
{
|
||||
public function sendResetLink(Request $request): JsonResponse
|
||||
{
|
||||
$request->validate(['email' => 'required|email']);
|
||||
$request->validate([
|
||||
'email' => ['required', 'email'],
|
||||
'app' => ['required', 'in:app,portal,admin'],
|
||||
]);
|
||||
|
||||
Password::sendResetLink(['email' => strtolower($request->email)]);
|
||||
$frontendUrls = [
|
||||
'admin' => config('app.frontend_admin_url'),
|
||||
'app' => config('app.frontend_app_url'),
|
||||
'portal' => config('app.frontend_portal_url'),
|
||||
];
|
||||
|
||||
$frontendUrl = $frontendUrls[$request->input('app')];
|
||||
|
||||
Password::sendResetLink(
|
||||
['email' => strtolower($request->email)],
|
||||
function (User $user, string $token) use ($frontendUrl) {
|
||||
$user->notify(new ResetPasswordNotification($token, $frontendUrl));
|
||||
}
|
||||
);
|
||||
|
||||
// Always return success (don't leak whether email exists)
|
||||
return $this->success(
|
||||
message: 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.'
|
||||
message: 'Als dit e-mailadres bij ons bekend is, ontvang je een link om je wachtwoord te herstellen.'
|
||||
);
|
||||
}
|
||||
|
||||
public function resetPassword(Request $request): JsonResponse
|
||||
{
|
||||
$request->validate([
|
||||
'token' => 'required',
|
||||
'email' => 'required|email',
|
||||
'token' => ['required'],
|
||||
'email' => ['required', 'email'],
|
||||
'password' => ['required', 'confirmed', PasswordRule::min(8)->mixedCase()->numbers()],
|
||||
]);
|
||||
|
||||
$status = Password::reset(
|
||||
$request->only('email', 'password', 'password_confirmation', 'token'),
|
||||
function ($user, $password) {
|
||||
function (User $user, string $password) {
|
||||
$user->forceFill(['password' => Hash::make($password)])->save();
|
||||
|
||||
// Revoke all existing tokens (force re-login everywhere)
|
||||
$user->tokens()->delete();
|
||||
|
||||
activity()
|
||||
->causedBy($user)
|
||||
->performedOn($user)
|
||||
->log('user.password_reset');
|
||||
}
|
||||
);
|
||||
|
||||
if ($status === Password::PASSWORD_RESET) {
|
||||
return $this->success(message: 'Wachtwoord succesvol gewijzigd.');
|
||||
return $this->success(message: 'Je wachtwoord is succesvol gewijzigd. Je kunt nu inloggen.');
|
||||
}
|
||||
|
||||
return $this->error(__($status), 422);
|
||||
|
||||
Reference in New Issue
Block a user