bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: password reset, email change with verification, and password change

Browse Source 
Password reset: multi-app support with custom notification linking to correct
frontend (app/portal/admin). Email change: self-service with password
confirmation and admin-initiated, both sending verification to new address
with 24h expiry. Confirmation sent to old email on completion. Password
change: authenticated endpoint revoking other sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 15:38:54 +02:00
parent 53100d4f6d
commit 836cffa232
42 changed files with 2643 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

303
api/tests/Feature/Api/V1/EmailChangeTest.php Normal file
View File

@@ -0,0 +1,303 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Api\V1;
use App\Enums\EmailChangeStatus;
use App\Mail\EmailChangedConfirmationMail;
use App\Mail\VerifyEmailChangeMail;
use App\Models\EmailChangeRequest;
use App\Models\Organisation;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Mail;
use Tests\TestCase;
class EmailChangeTest extends TestCase
{
use RefreshDatabase;
// ─── Self-Service Email Change ──────────────────────────────────────
public function test_user_can_request_email_change(): void
{
Mail::fake();
$user = User::factory()->create([
'email' => 'oud@voorbeeld.nl',
'password' => bcrypt('wachtwoord123'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-email', [
'new_email' => 'nieuw@voorbeeld.nl',
'password' => 'wachtwoord123',
'app' => 'app',
]);
$response->assertOk();
$this->assertDatabaseHas('email_change_requests', [
'user_id' => $user->id,
'current_email' => 'oud@voorbeeld.nl',
'new_email' => 'nieuw@voorbeeld.nl',
'status' => 'pending',
]);
Mail::assertQueued(VerifyEmailChangeMail::class, function ($mail) {
return $mail->hasTo('nieuw@voorbeeld.nl');
});
}
public function test_email_change_requires_correct_password(): void
{
$user = User::factory()->create([
'password' => bcrypt('wachtwoord123'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-email', [
'new_email' => 'nieuw@voorbeeld.nl',
'password' => 'foutwachtwoord',
'app' => 'app',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('password');
}
public function test_email_change_rejects_already_used_email(): void
{
User::factory()->create(['email' => 'bezet@voorbeeld.nl']);
$user = User::factory()->create([
'password' => bcrypt('wachtwoord123'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-email', [
'new_email' => 'bezet@voorbeeld.nl',
'password' => 'wachtwoord123',
'app' => 'app',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('new_email');
}
public function test_email_change_requires_authentication(): void
{
$response = $this->postJson('/api/v1/me/change-email', [
'new_email' => 'nieuw@voorbeeld.nl',
'password' => 'wachtwoord123',
'app' => 'app',
]);
$response->assertStatus(401);
}
public function test_duplicate_pending_request_cancels_old_one(): void
{
Mail::fake();
$user = User::factory()->create([
'email' => 'oud@voorbeeld.nl',
'password' => bcrypt('wachtwoord123'),
]);
// First request
$this->actingAs($user)->postJson('/api/v1/me/change-email', [
'new_email' => 'eerste@voorbeeld.nl',
'password' => 'wachtwoord123',
'app' => 'app',
]);
$firstRequest = EmailChangeRequest::where('new_email', 'eerste@voorbeeld.nl')->first();
$this->assertEquals('pending', $firstRequest->status->value);
// Second request
$this->actingAs($user)->postJson('/api/v1/me/change-email', [
'new_email' => 'tweede@voorbeeld.nl',
'password' => 'wachtwoord123',
'app' => 'app',
]);
$firstRequest->refresh();
$this->assertEquals('cancelled', $firstRequest->status->value);
$secondRequest = EmailChangeRequest::where('new_email', 'tweede@voorbeeld.nl')->first();
$this->assertEquals('pending', $secondRequest->status->value);
}
// ─── Email Change Verification ──────────────────────────────────────
public function test_verify_email_change_with_valid_token(): void
{
Mail::fake();
$user = User::factory()->create(['email' => 'oud@voorbeeld.nl']);
$plainToken = 'test-token-12345678901234567890123456789012345678901234567890123456';
EmailChangeRequest::create([
'user_id' => $user->id,
'current_email' => 'oud@voorbeeld.nl',
'new_email' => 'nieuw@voorbeeld.nl',
'token' => hash('sha256', $plainToken),
'requested_by_user_id' => $user->id,
'status' => EmailChangeStatus::PENDING,
'expires_at' => now()->addHours(24),
]);
$response = $this->postJson('/api/v1/verify-email-change', [
'token' => $plainToken,
]);
$response->assertOk();
$user->refresh();
$this->assertEquals('nieuw@voorbeeld.nl', $user->email);
Mail::assertQueued(EmailChangedConfirmationMail::class, function ($mail) {
return $mail->hasTo('oud@voorbeeld.nl');
});
}
public function test_verify_email_change_revokes_all_tokens(): void
{
Mail::fake();
$user = User::factory()->create(['email' => 'oud@voorbeeld.nl']);
$user->createToken('test-token');
$plainToken = 'test-token-12345678901234567890123456789012345678901234567890123456';
EmailChangeRequest::create([
'user_id' => $user->id,
'current_email' => 'oud@voorbeeld.nl',
'new_email' => 'nieuw@voorbeeld.nl',
'token' => hash('sha256', $plainToken),
'requested_by_user_id' => $user->id,
'status' => EmailChangeStatus::PENDING,
'expires_at' => now()->addHours(24),
]);
$this->postJson('/api/v1/verify-email-change', [
'token' => $plainToken,
]);
$this->assertCount(0, $user->tokens()->get());
}
public function test_verify_email_change_with_expired_token(): void
{
$user = User::factory()->create(['email' => 'oud@voorbeeld.nl']);
$plainToken = 'test-token-12345678901234567890123456789012345678901234567890123456';
EmailChangeRequest::create([
'user_id' => $user->id,
'current_email' => 'oud@voorbeeld.nl',
'new_email' => 'nieuw@voorbeeld.nl',
'token' => hash('sha256', $plainToken),
'requested_by_user_id' => $user->id,
'status' => EmailChangeStatus::PENDING,
'expires_at' => now()->subHour(),
]);
$response = $this->postJson('/api/v1/verify-email-change', [
'token' => $plainToken,
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('token');
}
public function test_verify_email_change_with_invalid_token(): void
{
$response = $this->postJson('/api/v1/verify-email-change', [
'token' => 'completely-invalid-token',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('token');
}
public function test_verify_email_change_fails_if_email_taken_between_request_and_verify(): void
{
$user = User::factory()->create(['email' => 'oud@voorbeeld.nl']);
$plainToken = 'test-token-12345678901234567890123456789012345678901234567890123456';
EmailChangeRequest::create([
'user_id' => $user->id,
'current_email' => 'oud@voorbeeld.nl',
'new_email' => 'nieuw@voorbeeld.nl',
'token' => hash('sha256', $plainToken),
'requested_by_user_id' => $user->id,
'status' => EmailChangeStatus::PENDING,
'expires_at' => now()->addHours(24),
]);
// Another user takes the email
User::factory()->create(['email' => 'nieuw@voorbeeld.nl']);
$response = $this->postJson('/api/v1/verify-email-change', [
'token' => $plainToken,
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('new_email');
}
// ─── Admin Email Change ─────────────────────────────────────────────
public function test_admin_can_change_member_email(): void
{
Mail::fake();
$organisation = Organisation::factory()->create();
$admin = User::factory()->create();
$organisation->users()->attach($admin, ['role' => 'org_admin']);
$member = User::factory()->create(['email' => 'lid@voorbeeld.nl']);
$organisation->users()->attach($member, ['role' => 'org_member']);
$response = $this->actingAs($admin)->postJson(
"/api/v1/organisations/{$organisation->id}/members/{$member->id}/change-email",
['new_email' => 'nieuw-lid@voorbeeld.nl'],
);
$response->assertOk();
Mail::assertQueued(VerifyEmailChangeMail::class, function ($mail) {
return $mail->hasTo('nieuw-lid@voorbeeld.nl');
});
}
public function test_non_admin_cannot_change_member_email(): void
{
$organisation = Organisation::factory()->create();
$member = User::factory()->create();
$organisation->users()->attach($member, ['role' => 'org_member']);
$otherMember = User::factory()->create(['email' => 'ander@voorbeeld.nl']);
$organisation->users()->attach($otherMember, ['role' => 'org_member']);
$response = $this->actingAs($member)->postJson(
"/api/v1/organisations/{$organisation->id}/members/{$otherMember->id}/change-email",
['new_email' => 'nieuw@voorbeeld.nl'],
);
$response->assertStatus(403);
}
public function test_unauthenticated_cannot_change_member_email(): void
{
$organisation = Organisation::factory()->create();
$member = User::factory()->create();
$organisation->users()->attach($member, ['role' => 'org_member']);
$response = $this->postJson(
"/api/v1/organisations/{$organisation->id}/members/{$member->id}/change-email",
['new_email' => 'nieuw@voorbeeld.nl'],
);
$response->assertStatus(401);
}
}

118
api/tests/Feature/Api/V1/PasswordChangeTest.php Normal file
View File

@@ -0,0 +1,118 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Api\V1;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;
class PasswordChangeTest extends TestCase
{
use RefreshDatabase;
public function test_user_can_change_password(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertOk();
$user->refresh();
$this->assertTrue(Hash::check('NieuwWachtwoord1', $user->password));
}
public function test_password_change_requires_correct_current_password(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'FoutWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('current_password');
}
public function test_password_change_revokes_other_tokens(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
// Create two tokens
$currentToken = $user->createToken('current-session');
$otherToken = $user->createToken('other-session');
$this->assertCount(2, $user->tokens()->get());
// Act as user with the current token
$response = $this->withHeaders([
'Authorization' => 'Bearer ' . $currentToken->plainTextToken,
])->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertOk();
// Only the current session token should remain
$this->assertCount(1, $user->tokens()->get());
}
public function test_password_change_requires_confirmation(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('password');
}
public function test_password_change_requires_authentication(): void
{
$response = $this->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertStatus(401);
}
public function test_password_change_enforces_password_rules(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'short',
'password_confirmation' => 'short',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('password');
}
}

80
api/tests/Feature/Api/V1/PasswordResetTest.php
View File

@@ -5,6 +5,7 @@ declare(strict_types=1);
namespace Tests\Feature\Api\V1;
use App\Models\User;
use App\Notifications\ResetPasswordNotification;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Notification;
@@ -21,38 +22,53 @@ class PasswordResetTest extends TestCase
{
Notification::fake();
User::factory()->create(['email' => 'jan@voorbeeld.nl']);
$user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'jan@voorbeeld.nl',
'app' => 'app',
]);
$response->assertOk();
$response->assertJsonPath('message', 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.');
Notification::assertSentTo($user, ResetPasswordNotification::class);
}
public function test_forgot_password_returns_same_success_for_nonexisting_email(): void
{
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'onbekend@voorbeeld.nl',
'app' => 'app',
]);
$response->assertOk();
$response->assertJsonPath('message', 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.');
}
public function test_forgot_password_requires_app_parameter(): void
{
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'jan@voorbeeld.nl',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('app');
}
public function test_forgot_password_validates_app_values(): void
{
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'jan@voorbeeld.nl',
'app' => 'invalid',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('app');
}
public function test_forgot_password_validates_email_required(): void
{
$response = $this->postJson('/api/v1/auth/forgot-password', []);
$response->assertStatus(422);
$response->assertJsonValidationErrors('email');
}
public function test_forgot_password_validates_email_format(): void
{
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'not-an-email',
'app' => 'app',
]);
$response->assertStatus(422);
@@ -64,11 +80,13 @@ class PasswordResetTest extends TestCase
for ($i = 0; $i < 5; $i++) {
$this->postJson('/api/v1/auth/forgot-password', [
'email' => 'test@voorbeeld.nl',
'app' => 'portal',
]);
}
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'test@voorbeeld.nl',
'app' => 'portal',
]);
$response->assertStatus(429);
@@ -90,13 +108,30 @@ class PasswordResetTest extends TestCase
]);
$response->assertOk();
$response->assertJsonPath('message', 'Wachtwoord succesvol gewijzigd.');
// Verify password was actually changed
$user->refresh();
$this->assertTrue(Hash::check('NieuwWachtwoord1', $user->password));
}
public function test_reset_password_revokes_all_tokens(): void
{
$user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
$user->createToken('test-token');
$this->assertCount(1, $user->tokens);
$token = Password::createToken($user);
$this->postJson('/api/v1/auth/reset-password', [
'token' => $token,
'email' => 'jan@voorbeeld.nl',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$this->assertCount(0, $user->tokens()->get());
}
public function test_reset_password_with_invalid_token_returns_422(): void
{
User::factory()->create(['email' => 'jan@voorbeeld.nl']);
@@ -127,23 +162,6 @@ class PasswordResetTest extends TestCase
$response->assertJsonValidationErrors('password');
}
public function test_reset_password_requires_minimum_length(): void
{
$user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
$token = Password::createToken($user);
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => $token,
'email' => 'jan@voorbeeld.nl',
'password' => 'short',
'password_confirmation' => 'short',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('password');
}
public function test_reset_password_validates_required_fields(): void
{
$response = $this->postJson('/api/v1/auth/reset-password', []);

2
api/tests/Feature/Security/AuthenticationSecurityTest.php
View File

@@ -100,6 +100,7 @@ final class AuthenticationSecurityTest extends TestCase
{
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'nonexistent@example.com',
'app' => 'app',
]);
// Must return 200 regardless — don't leak whether email exists
@@ -112,6 +113,7 @@ final class AuthenticationSecurityTest extends TestCase
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => $user->email,
'app' => 'app',
]);
$response->assertOk();