feat(api): registration auth, account creation, check-email & email notifications

- Add POST /public/check-email endpoint with rate limiting (10/min) - Create user accounts during volunteer registration (new or returning) - Returning volunteers authenticate with existing password - Add password validation to VolunteerRegistrationRequest - Normalize emails to lowercase throughout registration flow - Handle race condition on duplicate accounts gracefully - Create RegistrationConfirmationMail, RegistrationApprovedMail, RegistrationRejectedMail - Wire approval/rejection emails into PersonController - Add POST persons/{person}/reject endpoint - Trigger TagSyncService on registration and approval - Add CheckEmailTest, PersonApprovalEmailTest, extend VolunteerRegistrationTest Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 00:37:04 +02:00
parent 4df82d8358
commit 8435e74fd3
17 changed files with 802 additions and 38 deletions
--- a/api/tests/Feature/Api/V1/PersonApprovalEmailTest.php
+++ b/api/tests/Feature/Api/V1/PersonApprovalEmailTest.php
@@ -0,0 +1,153 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1;
+
+use App\Mail\RegistrationApprovedMail;
+use App\Mail\RegistrationRejectedMail;
+use App\Models\CrowdType;
+use App\Models\Event;
+use App\Models\Organisation;
+use App\Models\Person;
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Mail;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class PersonApprovalEmailTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $orgAdmin;
+    private Organisation $organisation;
+    private Event $event;
+    private CrowdType $crowdType;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->organisation = Organisation::factory()->create();
+        $this->orgAdmin = User::factory()->create();
+        $this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
+
+        $this->event = Event::factory()->create([
+            'organisation_id' => $this->organisation->id,
+        ]);
+
+        $this->crowdType = CrowdType::factory()->systemType('VOLUNTEER')->create([
+            'organisation_id' => $this->organisation->id,
+        ]);
+    }
+
+    public function test_approving_person_sends_approved_email(): void
+    {
+        Mail::fake();
+
+        $person = Person::factory()->create([
+            'event_id' => $this->event->id,
+            'crowd_type_id' => $this->crowdType->id,
+            'status' => 'pending',
+            'email' => 'volunteer@test.nl',
+        ]);
+
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons/{$person->id}/approve");
+
+        $response->assertOk();
+
+        Mail::assertQueued(RegistrationApprovedMail::class, function ($mail) {
+            return $mail->hasTo('volunteer@test.nl');
+        });
+    }
+
+    public function test_rejecting_person_sends_rejected_email_with_reason(): void
+    {
+        Mail::fake();
+
+        $person = Person::factory()->create([
+            'event_id' => $this->event->id,
+            'crowd_type_id' => $this->crowdType->id,
+            'status' => 'pending',
+            'email' => 'volunteer@test.nl',
+        ]);
+
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons/{$person->id}/reject", [
+            'reason' => 'Geen beschikbaarheid op de juiste momenten.',
+        ]);
+
+        $response->assertOk();
+
+        $this->assertDatabaseHas('persons', [
+            'id' => $person->id,
+            'status' => 'rejected',
+        ]);
+
+        Mail::assertQueued(RegistrationRejectedMail::class, function ($mail) {
+            return $mail->hasTo('volunteer@test.nl')
+                && $mail->reason === 'Geen beschikbaarheid op de juiste momenten.';
+        });
+    }
+
+    public function test_rejecting_person_sends_rejected_email_without_reason(): void
+    {
+        Mail::fake();
+
+        $person = Person::factory()->create([
+            'event_id' => $this->event->id,
+            'crowd_type_id' => $this->crowdType->id,
+            'status' => 'pending',
+            'email' => 'volunteer@test.nl',
+        ]);
+
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons/{$person->id}/reject");
+
+        $response->assertOk();
+
+        Mail::assertQueued(RegistrationRejectedMail::class, function ($mail) {
+            return $mail->hasTo('volunteer@test.nl')
+                && $mail->reason === null;
+        });
+    }
+
+    public function test_unauthenticated_cannot_approve(): void
+    {
+        $person = Person::factory()->create([
+            'event_id' => $this->event->id,
+            'crowd_type_id' => $this->crowdType->id,
+            'status' => 'pending',
+        ]);
+
+        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons/{$person->id}/approve");
+
+        $response->assertStatus(401);
+    }
+
+    public function test_outsider_cannot_approve(): void
+    {
+        $outsider = User::factory()->create();
+        $otherOrg = Organisation::factory()->create();
+        $otherOrg->users()->attach($outsider, ['role' => 'org_admin']);
+
+        $person = Person::factory()->create([
+            'event_id' => $this->event->id,
+            'crowd_type_id' => $this->crowdType->id,
+            'status' => 'pending',
+        ]);
+
+        Sanctum::actingAs($outsider);
+
+        $response = $this->postJson("/api/v1/events/{$this->event->id}/persons/{$person->id}/approve");
+
+        $response->assertStatus(403);
+    }
+}