bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: password reset, email change with verification, and password change

Browse Source 
Password reset: multi-app support with custom notification linking to correct
frontend (app/portal/admin). Email change: self-service with password
confirmation and admin-initiated, both sending verification to new address
with 24h expiry. Confirmation sent to old email on completion. Password
change: authenticated endpoint revoking other sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 15:38:54 +02:00
parent 53100d4f6d
commit 836cffa232
42 changed files with 2643 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
api/tests/Feature/Api/V1/PasswordChangeTest.php Normal file
View File

@@ -0,0 +1,118 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\Api\V1;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;
class PasswordChangeTest extends TestCase
{
use RefreshDatabase;
public function test_user_can_change_password(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertOk();
$user->refresh();
$this->assertTrue(Hash::check('NieuwWachtwoord1', $user->password));
}
public function test_password_change_requires_correct_current_password(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'FoutWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('current_password');
}
public function test_password_change_revokes_other_tokens(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
// Create two tokens
$currentToken = $user->createToken('current-session');
$otherToken = $user->createToken('other-session');
$this->assertCount(2, $user->tokens()->get());
// Act as user with the current token
$response = $this->withHeaders([
'Authorization' => 'Bearer ' . $currentToken->plainTextToken,
])->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertOk();
// Only the current session token should remain
$this->assertCount(1, $user->tokens()->get());
}
public function test_password_change_requires_confirmation(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('password');
}
public function test_password_change_requires_authentication(): void
{
$response = $this->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertStatus(401);
}
public function test_password_change_enforces_password_rules(): void
{
$user = User::factory()->create([
'password' => bcrypt('OudWachtwoord1'),
]);
$response = $this->actingAs($user)->postJson('/api/v1/me/change-password', [
'current_password' => 'OudWachtwoord1',
'password' => 'short',
'password_confirmation' => 'short',
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors('password');
}
}