feat: password reset, email change with verification, and password change

Password reset: multi-app support with custom notification linking to correct frontend (app/portal/admin). Email change: self-service with password confirmation and admin-initiated, both sending verification to new address with 24h expiry. Confirmation sent to old email on completion. Password change: authenticated endpoint revoking other sessions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 15:38:54 +02:00
parent 53100d4f6d
commit 836cffa232
42 changed files with 2643 additions and 67 deletions
--- a/api/app/Services/EmailChangeService.php
+++ b/api/app/Services/EmailChangeService.php
@@ -0,0 +1,157 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services;
+
+use App\Enums\EmailChangeStatus;
+use App\Mail\EmailChangedConfirmationMail;
+use App\Mail\VerifyEmailChangeMail;
+use App\Models\EmailChangeRequest;
+use App\Models\Person;
+use App\Models\User;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Str;
+use Illuminate\Validation\ValidationException;
+
+final class EmailChangeService
+{
+    /**
+     * Request an email change. Sends verification to the NEW email.
+     */
+    public function requestChange(
+        User $user,
+        string $newEmail,
+        User $requestedBy,
+        string $frontendUrl,
+    ): EmailChangeRequest {
+        // Validate new email is not already in use
+        if (User::where('email', $newEmail)->where('id', '!=', $user->id)->exists()) {
+            throw ValidationException::withMessages([
+                'new_email' => ['Dit e-mailadres is al in gebruik door een ander account.'],
+            ]);
+        }
+
+        // Cancel any existing pending requests for this user
+        EmailChangeRequest::where('user_id', $user->id)
+            ->where('status', EmailChangeStatus::PENDING)
+            ->update(['status' => EmailChangeStatus::CANCELLED->value]);
+
+        // Generate secure token
+        $plainToken = Str::random(64);
+
+        $request = EmailChangeRequest::create([
+            'user_id' => $user->id,
+            'current_email' => $user->email,
+            'new_email' => $newEmail,
+            'token' => hash('sha256', $plainToken),
+            'requested_by_user_id' => $requestedBy->id,
+            'status' => EmailChangeStatus::PENDING,
+            'expires_at' => now()->addHours(24),
+        ]);
+
+        // Send verification email to the NEW address
+        Mail::to($newEmail)->send(new VerifyEmailChangeMail(
+            user: $user,
+            newEmail: $newEmail,
+            token: $plainToken,
+            frontendUrl: $frontendUrl,
+            requestedBy: $requestedBy,
+        ));
+
+        activity()
+            ->causedBy($requestedBy)
+            ->performedOn($user)
+            ->withProperties([
+                'current_email' => $user->email,
+                'new_email' => $newEmail,
+                'is_self_change' => $user->id === $requestedBy->id,
+            ])
+            ->log('user.email_change_requested');
+
+        return $request;
+    }
+
+    /**
+     * Verify and execute the email change.
+     */
+    public function verifyChange(string $plainToken): EmailChangeRequest
+    {
+        $hashedToken = hash('sha256', $plainToken);
+
+        $request = EmailChangeRequest::where('token', $hashedToken)
+            ->where('status', EmailChangeStatus::PENDING)
+            ->first();
+
+        if (! $request) {
+            throw ValidationException::withMessages([
+                'token' => ['Ongeldige of verlopen verificatielink.'],
+            ]);
+        }
+
+        if ($request->isExpired()) {
+            $request->update(['status' => EmailChangeStatus::EXPIRED]);
+            throw ValidationException::withMessages([
+                'token' => ['Deze verificatielink is verlopen. Vraag opnieuw een e-mailwijziging aan.'],
+            ]);
+        }
+
+        // Final check: new email still not in use
+        if (User::where('email', $request->new_email)
+            ->where('id', '!=', $request->user_id)->exists()) {
+            $request->update(['status' => EmailChangeStatus::CANCELLED]);
+            throw ValidationException::withMessages([
+                'new_email' => ['Dit e-mailadres is inmiddels in gebruik door een ander account.'],
+            ]);
+        }
+
+        $user = $request->user;
+        $oldEmail = $user->email;
+
+        DB::transaction(function () use ($request, $user) {
+            // Update user email
+            $user->update(['email' => $request->new_email]);
+
+            // Mark request as verified
+            $request->update([
+                'status' => EmailChangeStatus::VERIFIED,
+                'verified_at' => now(),
+            ]);
+        });
+
+        // Send confirmation to the OLD email address
+        Mail::to($oldEmail)->send(new EmailChangedConfirmationMail(
+            user: $user,
+            oldEmail: $oldEmail,
+            newEmail: $request->new_email,
+        ));
+
+        // Revoke all tokens (force re-login with new email)
+        $user->tokens()->delete();
+
+        // Log linked person email context
+        $persons = Person::where('user_id', $user->id)->get();
+        foreach ($persons as $person) {
+            activity()
+                ->causedBy($user)
+                ->performedOn($person)
+                ->withProperties([
+                    'old_user_email' => $oldEmail,
+                    'new_user_email' => $request->new_email,
+                    'person_email_unchanged' => $person->email,
+                ])
+                ->log('person.linked_user_email_changed');
+        }
+
+        activity()
+            ->performedOn($user)
+            ->withProperties([
+                'old_email' => $oldEmail,
+                'new_email' => $request->new_email,
+            ])
+            ->log('user.email_changed');
+
+        return $request;
+    }
+}