bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
adab3be78170d00a9b80e328342779de9e79b778
crewli/api/tests/Feature/Auth/MfaSetupControllerTest.php
bert.hausmans c62f377668 fix: MFA setup completion not updating UI state 
Root cause: the MFA status endpoint returned `mfa_enabled` as the JSON
key but the TypeScript MfaStatus interface expected `enabled`. At
runtime, `mfaStatus.value?.enabled` was always `undefined`, so
`isEnabled` was always false — the banner never hid and the method
cards never showed "Geconfigureerd".

Additionally, the auth store had no way to re-fetch /auth/me after
initialization, so `mfaSetupRequired` was never properly refreshed
from the backend after MFA setup.

Fixes:
- Rename `mfa_enabled` → `enabled` in the MFA status endpoint response
  to match the TypeScript type (and the /auth/me MeResource which
  already used `enabled`)
- Add `refreshUser()` to the auth store for post-initialization
  re-fetching of /auth/me
- Call `refreshUser()` in onSetupCompleted so the store reflects the
  backend state without a full page reload
- Update backend tests to match the renamed response key

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 22:30:58 +02:00

193 lines
5.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\Auth;
use App\Enums\MfaMethod;
use App\Models\MfaBackupCode;
use App\Models\User;
use App\Services\MfaService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
class MfaSetupControllerTest extends TestCase
{
use RefreshDatabase;
private Google2FA $google2fa;
protected function setUp(): void
{
parent::setUp();
$this->google2fa = new Google2FA();
}
public function test_setup_totp_returns_qr_code(): void
{
$user = User::factory()->create();
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp');
$response->assertOk()
->assertJsonStructure([
'data' => ['secret', 'qr_code_url', 'provisioning_uri'],
]);
}
public function test_confirm_totp_returns_backup_codes(): void
{
$user = User::factory()->create();
// Start setup
$setupResponse = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp');
$secret = $setupResponse->json('data.secret');
$validCode = $this->google2fa->getCurrentOtp($secret);
// Confirm
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp/confirm', [
'code' => $validCode,
]);
$response->assertOk()
->assertJson([
'data' => [
'mfa_enabled' => true,
'method' => 'totp',
],
])
->assertJsonStructure([
'data' => ['backup_codes'],
]);
$this->assertCount(10, $response->json('data.backup_codes'));
}
public function test_confirm_totp_with_invalid_code_fails(): void
{
$user = User::factory()->create();
$this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp');
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/setup/totp/confirm', [
'code' => '000000',
]);
$response->assertStatus(422)
->assertJson(['message' => 'Ongeldige verificatiecode.']);
}
public function test_disable_requires_valid_code(): void
{
$user = $this->createUserWithTotp();
$secret = decrypt($user->mfa_secret);
$validCode = $this->google2fa->getCurrentOtp($secret);
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/disable', [
'code' => $validCode,
'method' => 'totp',
]);
$response->assertOk();
$user->refresh();
$this->assertFalse($user->mfa_enabled);
}
public function test_disable_with_invalid_code_fails(): void
{
$user = $this->createUserWithTotp();
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/disable', [
'code' => '000000',
'method' => 'totp',
]);
$response->assertStatus(422)
->assertJson(['message' => 'Ongeldige verificatiecode.']);
$user->refresh();
$this->assertTrue($user->mfa_enabled);
}
public function test_regenerate_backup_codes_requires_mfa_enabled(): void
{
$user = User::factory()->create();
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/backup-codes', [
'code' => '123456',
]);
$response->assertStatus(422)
->assertJson(['message' => 'MFA is niet ingeschakeld.']);
}
public function test_regenerate_backup_codes_with_valid_totp(): void
{
$user = $this->createUserWithTotp();
$secret = decrypt($user->mfa_secret);
$validCode = $this->google2fa->getCurrentOtp($secret);
$response = $this->actingAs($user)->postJson('/api/v1/auth/mfa/backup-codes', [
'code' => $validCode,
]);
$response->assertOk()
->assertJsonStructure(['data' => ['backup_codes']]);
$this->assertCount(10, $response->json('data.backup_codes'));
}
public function test_status_returns_correct_state(): void
{
$user = User::factory()->create();
$response = $this->actingAs($user)->getJson('/api/v1/auth/mfa/status');
$response->assertOk()
->assertJson([
'data' => [
'enabled' => false,
'method' => null,
'confirmed_at' => null,
'backup_codes_remaining' => 0,
],
]);
}
public function test_status_returns_enabled_state(): void
{
$user = $this->createUserWithTotp();
$response = $this->actingAs($user)->getJson('/api/v1/auth/mfa/status');
$response->assertOk()
->assertJson([
'data' => [
'enabled' => true,
'method' => 'totp',
'backup_codes_remaining' => 10,
],
]);
}
public function test_unauthenticated_cannot_access_setup(): void
{
$this->postJson('/api/v1/auth/mfa/setup/totp')
->assertUnauthorized();
}
private function createUserWithTotp(): User
{
$user = User::factory()->create();
$mfaService = app(MfaService::class);
$setupResult = $mfaService->setupTotp($user);
$secret = $setupResult['secret'];
$validCode = $this->google2fa->getCurrentOtp($secret);
$mfaService->confirmTotp($user, $validCode);
return $user->refresh();
}
}
Reference in New Issue View Git Blame Copy Permalink