feat: password reset, email change with verification, and password change

Password reset: multi-app support with custom notification linking to correct frontend (app/portal/admin). Email change: self-service with password confirmation and admin-initiated, both sending verification to new address with 24h expiry. Confirmation sent to old email on completion. Password change: authenticated endpoint revoking other sessions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 15:38:54 +02:00
parent 53100d4f6d
commit 836cffa232
42 changed files with 2643 additions and 67 deletions
--- a/api/tests/Feature/Api/V1/PasswordResetTest.php
+++ b/api/tests/Feature/Api/V1/PasswordResetTest.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace Tests\Feature\Api\V1;

 use App\Models\User;
+use App\Notifications\ResetPasswordNotification;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Notification;
@@ -21,38 +22,53 @@ class PasswordResetTest extends TestCase
    {
        Notification::fake();

-        User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+        $user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);

        $response = $this->postJson('/api/v1/auth/forgot-password', [
            'email' => 'jan@voorbeeld.nl',
+            'app' => 'app',
        ]);

        $response->assertOk();
-        $response->assertJsonPath('message', 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.');
+
+        Notification::assertSentTo($user, ResetPasswordNotification::class);
    }

    public function test_forgot_password_returns_same_success_for_nonexisting_email(): void
    {
        $response = $this->postJson('/api/v1/auth/forgot-password', [
            'email' => 'onbekend@voorbeeld.nl',
+            'app' => 'app',
        ]);

        $response->assertOk();
-        $response->assertJsonPath('message', 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.');
+    }
+
+    public function test_forgot_password_requires_app_parameter(): void
+    {
+        $response = $this->postJson('/api/v1/auth/forgot-password', [
+            'email' => 'jan@voorbeeld.nl',
+        ]);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors('app');
+    }
+
+    public function test_forgot_password_validates_app_values(): void
+    {
+        $response = $this->postJson('/api/v1/auth/forgot-password', [
+            'email' => 'jan@voorbeeld.nl',
+            'app' => 'invalid',
+        ]);
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors('app');
    }

    public function test_forgot_password_validates_email_required(): void
-    {
-        $response = $this->postJson('/api/v1/auth/forgot-password', []);
-
-        $response->assertStatus(422);
-        $response->assertJsonValidationErrors('email');
-    }
-
-    public function test_forgot_password_validates_email_format(): void
    {
        $response = $this->postJson('/api/v1/auth/forgot-password', [
-            'email' => 'not-an-email',
+            'app' => 'app',
        ]);

        $response->assertStatus(422);
@@ -64,11 +80,13 @@ class PasswordResetTest extends TestCase
        for ($i = 0; $i < 5; $i++) {
            $this->postJson('/api/v1/auth/forgot-password', [
                'email' => 'test@voorbeeld.nl',
+                'app' => 'portal',
            ]);
        }

        $response = $this->postJson('/api/v1/auth/forgot-password', [
            'email' => 'test@voorbeeld.nl',
+            'app' => 'portal',
        ]);

        $response->assertStatus(429);
@@ -90,13 +108,30 @@ class PasswordResetTest extends TestCase
        ]);

        $response->assertOk();
-        $response->assertJsonPath('message', 'Wachtwoord succesvol gewijzigd.');

-        // Verify password was actually changed
        $user->refresh();
        $this->assertTrue(Hash::check('NieuwWachtwoord1', $user->password));
    }

+    public function test_reset_password_revokes_all_tokens(): void
+    {
+        $user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
+        $user->createToken('test-token');
+
+        $this->assertCount(1, $user->tokens);
+
+        $token = Password::createToken($user);
+
+        $this->postJson('/api/v1/auth/reset-password', [
+            'token' => $token,
+            'email' => 'jan@voorbeeld.nl',
+            'password' => 'NieuwWachtwoord1',
+            'password_confirmation' => 'NieuwWachtwoord1',
+        ]);
+
+        $this->assertCount(0, $user->tokens()->get());
+    }
+
    public function test_reset_password_with_invalid_token_returns_422(): void
    {
        User::factory()->create(['email' => 'jan@voorbeeld.nl']);
@@ -127,23 +162,6 @@ class PasswordResetTest extends TestCase
        $response->assertJsonValidationErrors('password');
    }

-    public function test_reset_password_requires_minimum_length(): void
-    {
-        $user = User::factory()->create(['email' => 'jan@voorbeeld.nl']);
-
-        $token = Password::createToken($user);
-
-        $response = $this->postJson('/api/v1/auth/reset-password', [
-            'token' => $token,
-            'email' => 'jan@voorbeeld.nl',
-            'password' => 'short',
-            'password_confirmation' => 'short',
-        ]);
-
-        $response->assertStatus(422);
-        $response->assertJsonValidationErrors('password');
-    }
-
    public function test_reset_password_validates_required_fields(): void
    {
        $response = $this->postJson('/api/v1/auth/reset-password', []);