feat: passwordless registration — defer account creation to approval

Removes password from the volunteer registration form. Account creation is now deferred to the approval step: Backend: - Registration creates Person without User (user_id=null) - On approval, system finds or creates User by person.email - New accounts get a "set password" email with activation link - Existing accounts get a portal link email - Added registration_source column to persons (self/organizer) - Fuzzy name matching skipped for self-registered persons - person.email is always source of truth for account linking Frontend: - Registration form no longer collects password - Email check shows info alert with login suggestion - New wachtwoord-instellen.vue page for account activation - PasswordRequirements.vue component (reused on reset page) - Success page updated with activation messaging Tests: 837 passed (all updated for new flow) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 03:27:47 +02:00
parent 0221e7f6d3
commit c4a23b6763
22 changed files with 539 additions and 493 deletions
--- a/api/app/Http/Controllers/Api/V1/PersonController.php
+++ b/api/app/Http/Controllers/Api/V1/PersonController.php
@@ -23,6 +23,9 @@ use App\Services\TagSyncService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Gate;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
+use Illuminate\Support\Str;
 use Illuminate\Validation\ValidationException;

 final class PersonController extends Controller
@@ -166,9 +169,40 @@ final class PersonController extends Controller

        $person->update(['status' => 'approved']);

+        // Link person to user account (create if needed) using person.email as source of truth
+        $userCreated = false;
+        if ($person->email && ! $person->user_id) {
+            $user = User::where('email', strtolower($person->email))->first();
+
+            if (! $user) {
+                $user = User::create([
+                    'first_name' => $person->first_name,
+                    'last_name' => $person->last_name,
+                    'email' => strtolower($person->email),
+                    'password' => Hash::make(Str::random(40)),
+                ]);
+                $userCreated = true;
+            }
+
+            $person->user_id = $user->id;
+            $person->save();
+        }
+
        $this->tagSyncService->syncFromRegistration($person);

        if ($person->email) {
+            $portalUrl = config('app.frontend_portal_url');
+
+            if ($userCreated) {
+                // New account — send "set password" email with token
+                $user = User::find($person->user_id);
+                $token = Password::broker()->createToken($user);
+                $actionUrl = $portalUrl . '/wachtwoord-instellen?token=' . $token . '&email=' . urlencode($user->email);
+            } else {
+                // Existing account — send portal link
+                $actionUrl = $portalUrl . '/evenementen';
+            }
+
            $this->emailService->send(
                type: EmailTemplateType::REGISTRATION_APPROVED,
                recipientEmail: $person->email,
@@ -177,7 +211,7 @@ final class PersonController extends Controller
                    'event_name' => $event->name,
                    'organisation_name' => $organisation->name,
                ],
-                actionUrl: config('app.frontend_portal_url'),
+                actionUrl: $actionUrl,
                organisation: $organisation,
                eventId: $event->id,
                personId: $person->id,
@@ -185,6 +219,15 @@ final class PersonController extends Controller
            );
        }

+        activity('registration')
+            ->causedBy(auth()->user())
+            ->performedOn($person)
+            ->withProperties([
+                'user_created' => $userCreated,
+                'user_email' => $person->email,
+            ])
+            ->log('person.approved');
+
        return $this->success(new PersonResource($person->fresh()->load('crowdType')));
    }

--- a/api/app/Http/Controllers/Api/V1/VolunteerRegistrationController.php
+++ b/api/app/Http/Controllers/Api/V1/VolunteerRegistrationController.php
@@ -4,12 +4,10 @@ declare(strict_types=1);

 namespace App\Http\Controllers\Api\V1;

-use App\Enums\IdentityMatchStatus;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Api\V1\VolunteerRegistrationRequest;
 use App\Http\Resources\Api\V1\PersonResource;
 use App\Models\Event;
-use App\Models\PersonIdentityMatch;
 use App\Services\VolunteerRegistrationService;
 use Illuminate\Http\JsonResponse;

@@ -31,13 +29,8 @@ final class VolunteerRegistrationController extends Controller

        $person->load('crowdType');

-        $hasExistingAccount = PersonIdentityMatch::where('person_id', $person->id)
-            ->where('status', IdentityMatchStatus::PENDING)
-            ->exists();
-
        $responseData = [
            'person' => new PersonResource($person),
-            'has_existing_account' => $hasExistingAccount,
        ];

        if ($person->wasRecentlyCreated) {