feat: platform admin backend — controllers, services, routes, tests

Add cross-organisation admin API endpoints behind role:super_admin middleware: - AdminOrganisationController: CRUD with search, filter, billing_status management - AdminUserController: user management with role assignment across orgs - AdminStatsController: platform-wide aggregate statistics - AdminActivityLogController: filterable activity log viewer - AdminImpersonationController + ImpersonationService: user impersonation with token-based session management and activity logging - BillingStatus enum, form requests, API resources, 23 feature tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 23:33:16 +02:00
parent ec31646a93
commit ddf26dad33
18 changed files with 1299 additions and 0 deletions
--- a/api/tests/Feature/Api/V1/Admin/AdminImpersonationTest.php
+++ b/api/tests/Feature/Api/V1/Admin/AdminImpersonationTest.php
@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Api\V1\Admin;
+
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Spatie\Activitylog\Models\Activity;
+use Tests\TestCase;
+
+class AdminImpersonationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $superAdmin;
+    private User $targetUser;
+    private User $otherSuperAdmin;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->superAdmin = User::factory()->create();
+        $this->superAdmin->assignRole('super_admin');
+
+        $this->targetUser = User::factory()->create();
+
+        $this->otherSuperAdmin = User::factory()->create();
+        $this->otherSuperAdmin->assignRole('super_admin');
+    }
+
+    // ─── Start ───────────────────────────────────────────────
+
+    public function test_start_creates_token_for_target_user(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+
+        $response->assertOk();
+        $response->assertJsonStructure([
+            'data' => ['token', 'user' => ['id', 'email'], 'admin_id'],
+        ]);
+        $response->assertJsonPath('data.user.id', $this->targetUser->id);
+        $response->assertJsonPath('data.admin_id', $this->superAdmin->id);
+
+        $this->assertDatabaseHas('personal_access_tokens', [
+            'tokenable_id' => $this->targetUser->id,
+            'name' => 'impersonation-by-' . $this->superAdmin->id,
+        ]);
+    }
+
+    public function test_start_denied_for_non_super_admin(): void
+    {
+        Sanctum::actingAs($this->targetUser);
+
+        $response = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+
+        $response->assertForbidden();
+    }
+
+    public function test_start_denied_when_target_is_super_admin(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+
+        $response = $this->postJson("/api/v1/admin/impersonate/{$this->otherSuperAdmin->id}");
+
+        $response->assertForbidden();
+    }
+
+    // ─── Stop ────────────────────────────────────────────────
+
+    public function test_stop_deletes_impersonation_token(): void
+    {
+        // Start impersonation
+        Sanctum::actingAs($this->superAdmin);
+        $startResponse = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+        $token = $startResponse->json('data.token');
+
+        // Reset auth state so the Bearer token takes effect
+        $this->app['auth']->forgetGuards();
+
+        $response = $this->withHeader('Authorization', "Bearer {$token}")
+            ->postJson('/api/v1/admin/stop-impersonation');
+
+        $response->assertOk();
+        $response->assertJsonPath('data.user.id', $this->superAdmin->id);
+
+        $this->assertDatabaseMissing('personal_access_tokens', [
+            'tokenable_id' => $this->targetUser->id,
+            'name' => 'impersonation-by-' . $this->superAdmin->id,
+        ]);
+    }
+
+    // ─── Activity Log ────────────────────────────────────────
+
+    public function test_activity_log_records_start_and_stop(): void
+    {
+        Sanctum::actingAs($this->superAdmin);
+        $startResponse = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
+        $token = $startResponse->json('data.token');
+
+        $this->assertDatabaseHas('activity_log', [
+            'event' => 'admin.impersonation.started',
+            'causer_id' => $this->superAdmin->id,
+            'subject_id' => $this->targetUser->id,
+        ]);
+
+        // Reset auth state so the Bearer token takes effect
+        $this->app['auth']->forgetGuards();
+
+        $this->withHeader('Authorization', "Bearer {$token}")
+            ->postJson('/api/v1/admin/stop-impersonation');
+
+        $this->assertDatabaseHas('activity_log', [
+            'event' => 'admin.impersonation.stopped',
+            'subject_id' => $this->targetUser->id,
+        ]);
+    }
+}