WS-2: Magic-Link für Firmen & Pressekontakte vereinheitlicht + Schreibzugriff

Magic-Link und Pressekontakt-Zugang zu einer Seite (/anmeldelink) zusammengeführt;
altes Login-Modal entfernt, /pressekontakt-zugang leitet weiter.

- ContactAccessService deckt jetzt Firmen-E-Mail UND Pressekontakt-E-Mail ab,
  portalübergreifend (ohne PortalScope). Eine E-Mail mehrfach hinterlegt → genau
  ein Account, dem alle Firmen + Kontakte zugeordnet werden.
- Zugeordnete Firmen erhalten Pivot-Rolle 'responsible' (Schreibzugriff auf
  Stammdaten, Kontakte, Pressemitteilungen) statt nur 'member'; bestehende
  Lese-Pivots werden hochgestuft, Owner bleiben unangetastet.
- Neuer Login-Listener (SyncCompanyMembershipsOnLogin) frischt die Zuordnungen
  bei JEDEM Login (Magic-Link, Passwort, Google) auf – auch nachträglich (API)
  hinzugekommene Firmen/Kontakte mit gleicher E-Mail greifen.
- Auth-Bereich erzwingt Hellmodus: aus dem Portal übernommene .dark-Klasse wird
  am <html> entfernt (Login war im Dark Mode hängengeblieben).
- Tests: Firmen-E-Mail-Login, Multi-Firmen-Aggregation, Schreibzugriff/Upgrade,
  Per-Login-Re-Sync, Auth-Hellmodus. Sicherheits-Doku aktualisiert.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/Feature/Auth/AuthenticationTest.php

@@ -13,6 +13,19 @@ test('login screen can be rendered', function () {
     $response->assertStatus(200);
 });
 
+test('the auth area forces light mode and never inherits the portal dark class', function () {
+    /** @var TestCase $this */
+    $portalUrl = rtrim((string) config('domains.domain_portal_url', 'http://pressekonto.test'), '/');
+
+    // Auch mit gesetztem Dark-Cookie aus dem Portal bleibt der Login hell:
+    // das <html>-Tag trägt keine .dark-Klasse und das Strip-Skript ist präsent.
+    $response = $this->withCookie('flux_appearance', 'dark')->get($portalUrl.'/login');
+
+    $response->assertStatus(200);
+    $response->assertSee("classList.remove('dark')", false);
+    expect($response->getContent())->not->toContain('<html lang="en" class="dark"');
+});
+
 test('users can authenticate using the login screen', function () {
     /** @var TestCase $this */
     // Super-Admin damit canAccessAdmin() === true → Login-Redirect auf /dashboard.

tests/Feature/Auth/ContactAccessTest.php

@@ -75,7 +75,7 @@ test('requesting access reuses an existing user without creating a duplicate', f
     Mail::assertSent(MagicLoginLink::class);
 });
 
-test('the contact access form responds neutrally and triggers the service', function () {
+test('the magic link form responds neutrally and triggers the service for a contact', function () {
     /** @var TestCase $this */
     Mail::fake();
 
@@ -85,9 +85,9 @@ test('the contact access form responds neutrally and triggers the service', func
         'portal' => $company->portal->value,
     ]);
 
-    Volt::test('auth.contact-access')
+    Volt::test('auth.magic-link')
         ->set('email', 'form@example.test')
-        ->call('requestAccess')
+        ->call('requestLink')
         ->assertHasNoErrors()
         ->assertSet('email', '');
 
@@ -95,6 +95,160 @@ test('the contact access form responds neutrally and triggers the service', func
     expect(User::query()->where('email', 'form@example.test')->exists())->toBeTrue();
 });
 
+test('the magic link form sends a link to an existing active user without a contact', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $user = User::factory()->create(['email' => 'plain@example.test', 'is_active' => true]);
+    $user->assignRole('customer');
+
+    Volt::test('auth.magic-link')
+        ->set('email', 'plain@example.test')
+        ->call('requestLink')
+        ->assertHasNoErrors()
+        ->assertSet('email', '');
+
+    Mail::assertSent(MagicLoginLink::class, fn (MagicLoginLink $mail) => $mail->user->is($user));
+});
+
+test('requestMagicAccess does nothing for an unknown email', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $sent = app(ContactAccessService::class)->requestMagicAccess('nobody@example.test');
+
+    expect($sent)->toBeFalse();
+    expect(User::query()->where('email', 'nobody@example.test')->exists())->toBeFalse();
+    Mail::assertNothingSent();
+});
+
+test('requestMagicAccess does not send to an inactive existing user', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    User::factory()->create(['email' => 'off@example.test', 'is_active' => false]);
+
+    $sent = app(ContactAccessService::class)->requestMagicAccess('off@example.test');
+
+    expect($sent)->toBeFalse();
+    Mail::assertNothingSent();
+});
+
+test('a later-added company with the same email is linked on the next password login', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->create(['email' => 'sync@example.test', 'is_active' => true]);
+    $user->assignRole('customer');
+
+    // Firma kommt NACH dem Account dazu (z. B. per API) und trägt dieselbe E-Mail.
+    $company = Company::factory()->presseecho()->create(['email' => 'sync@example.test']);
+
+    expect($user->accessibleCompanyIds())->not->toContain($company->id);
+
+    Volt::test('auth.login')
+        ->set('email', 'sync@example.test')
+        ->set('password', 'password')
+        ->call('login')
+        ->assertHasNoErrors();
+
+    // Der Login-Hook (SyncCompanyMembershipsOnLogin) hat die Firma verknüpft.
+    expect($user->fresh()->accessibleCompanyIds())->toContain($company->id);
+});
+
+test('a magic-link account can manage (edit) the company it was linked to', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create(['email' => 'verantwortlich@example.test']);
+
+    app(ContactAccessService::class)->requestMagicAccess('verantwortlich@example.test');
+
+    $user = User::query()->where('email', 'verantwortlich@example.test')->firstOrFail();
+
+    // Schreibzugriff (CompanyPolicy::update) – nicht nur Lesezugriff.
+    expect($user->can('update', $company))->toBeTrue();
+    expect($user->can('view', $company))->toBeTrue();
+});
+
+test('an existing read-only member is upgraded to responsible on magic access', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create(['email' => 'upgrade@example.test']);
+
+    $user = User::factory()->create(['email' => 'upgrade@example.test', 'is_active' => true]);
+    $user->assignRole('customer');
+    // Vorher nur Lesezugriff.
+    $user->companies()->attach($company->id, ['role' => 'member']);
+
+    expect($user->can('update', $company))->toBeFalse();
+
+    app(ContactAccessService::class)->requestMagicAccess('upgrade@example.test');
+
+    expect($user->fresh()->can('update', $company))->toBeTrue();
+    // Genau ein Pivot-Eintrag, jetzt 'responsible'.
+    expect($user->companies()->withoutGlobalScopes()->whereKey($company->id)->count())->toBe(1);
+});
+
+test('a company email lazily creates an account scoped to that company', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create([
+        'email' => 'firma@example.test',
+        'name' => 'Firma AG',
+    ]);
+
+    // Gross-/Kleinschreibung egal.
+    $sent = app(ContactAccessService::class)->requestMagicAccess('Firma@Example.test');
+
+    expect($sent)->toBeTrue();
+
+    $user = User::query()->where('email', 'firma@example.test')->firstOrFail();
+
+    expect($user->is_active)->toBeTrue();
+    expect($user->hasVerifiedEmail())->toBeTrue();
+    expect($user->hasRole('customer'))->toBeTrue();
+    // Kein Kontaktname hinterlegt → Firmenname als Account-Name.
+    expect($user->name)->toBe('Firma AG');
+    expect($user->accessibleCompanyIds())->toContain($company->id);
+
+    Mail::assertSent(MagicLoginLink::class, fn (MagicLoginLink $mail) => $mail->user->is($user));
+});
+
+test('one account is created for an email stored across multiple companies and contacts', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    // Dieselbe E-Mail an zwei Firmen (verschiedene Portale) direkt hinterlegt …
+    $companyA = Company::factory()->presseecho()->create(['email' => 'multi@example.test']);
+    $companyB = Company::factory()->businessportal24()->create(['email' => 'multi@example.test']);
+
+    // … und zusätzlich als Pressekontakt einer dritten Firma.
+    $companyC = Company::factory()->presseecho()->create(['email' => 'andere@example.test']);
+    Contact::factory()->for($companyC)->create([
+        'email' => 'multi@example.test',
+        'portal' => $companyC->portal->value,
+    ]);
+
+    $sent = app(ContactAccessService::class)->requestMagicAccess('multi@example.test');
+
+    expect($sent)->toBeTrue();
+
+    // Genau EIN Account für die E-Mail.
+    expect(User::query()->where('email', 'multi@example.test')->count())->toBe(1);
+
+    $user = User::query()->where('email', 'multi@example.test')->firstOrFail();
+    $ids = $user->accessibleCompanyIds();
+
+    // ALLE drei Firmen zugeordnet (zwei per Firmen-E-Mail, eine per Kontakt),
+    // portalübergreifend.
+    expect($ids)->toContain($companyA->id);
+    expect($ids)->toContain($companyB->id);
+    expect($ids)->toContain($companyC->id);
+
+    Mail::assertSent(MagicLoginLink::class, 1);
+});
+
 test('requesting access does not mutate an existing inactive account', function () {
     /** @var TestCase $this */
     Mail::fake();
@@ -126,10 +280,10 @@ test('the honeypot blocks bots without creating an account', function () {
         'portal' => $company->portal->value,
     ]);
 
-    Volt::test('auth.contact-access')
+    Volt::test('auth.magic-link')
         ->set('email', 'bot-target@example.test')
         ->set('website', 'http://spam.example')
-        ->call('requestAccess')
+        ->call('requestLink')
         ->assertHasNoErrors();
 
     Mail::assertNothingSent();

tests/Feature/Auth/MagicLinkLoginTest.php

@@ -8,13 +8,13 @@ use Illuminate\Support\Facades\Mail;
 use Livewire\Volt\Volt as LivewireVolt;
 use Tests\TestCase;
 
-test('user can request a magic login link from login page', function () {
+test('user can request a magic login link from the magic-link page', function () {
     Mail::fake();
     $user = User::factory()->create(['is_active' => true]);
 
-    LivewireVolt::test('auth.login')
-        ->set('magicEmail', $user->email)
-        ->call('sendMagicLink')
+    LivewireVolt::test('auth.magic-link')
+        ->set('email', $user->email)
+        ->call('requestLink')
         ->assertHasNoErrors();
 
     Mail::assertSent(MagicLoginLink::class, function (MagicLoginLink $mail) use ($user) {
@@ -27,25 +27,24 @@ test('user can request a magic login link from login page', function () {
     expect($magicLink->token_hash)->toHaveLength(64);
 });
 
-test('the magic link modal validates its own email field and closes on success', function () {
+test('the magic link form validates its email field and clears on success', function () {
     Mail::fake();
     $user = User::factory()->create(['is_active' => true]);
 
     // Leere Eingabe → Validierungsfehler, keine Mail.
-    LivewireVolt::test('auth.login')
-        ->set('magicEmail', '')
-        ->call('sendMagicLink')
-        ->assertHasErrors(['magicEmail']);
+    LivewireVolt::test('auth.magic-link')
+        ->set('email', '')
+        ->call('requestLink')
+        ->assertHasErrors(['email']);
 
     Mail::assertNothingSent();
 
-    // Gültige Eingabe → Feld wird geleert, Schließen-Event wird ausgelöst.
-    LivewireVolt::test('auth.login')
-        ->set('magicEmail', $user->email)
-        ->call('sendMagicLink')
+    // Gültige Eingabe → Feld wird geleert.
+    LivewireVolt::test('auth.magic-link')
+        ->set('email', $user->email)
+        ->call('requestLink')
         ->assertHasNoErrors()
-        ->assertSet('magicEmail', '')
-        ->assertDispatched('magic-link-sent');
+        ->assertSet('email', '');
 });
 
 test('magic link requests are rate limited per email', function () {
@@ -54,16 +53,16 @@ test('magic link requests are rate limited per email', function () {
     $user = User::factory()->create(['is_active' => true]);
 
     foreach (range(1, 3) as $ignored) {
-        LivewireVolt::test('auth.login')
-            ->set('magicEmail', $user->email)
-            ->call('sendMagicLink')
+        LivewireVolt::test('auth.magic-link')
+            ->set('email', $user->email)
+            ->call('requestLink')
             ->assertHasNoErrors();
     }
 
-    LivewireVolt::test('auth.login')
-        ->set('magicEmail', $user->email)
-        ->call('sendMagicLink')
-        ->assertHasErrors(['magicEmail']);
+    LivewireVolt::test('auth.magic-link')
+        ->set('email', $user->email)
+        ->call('requestLink')
+        ->assertHasErrors(['email']);
 
     Mail::assertSent(MagicLoginLink::class, 3);
 });
@@ -75,9 +74,9 @@ test('admin can login with a valid magic link and lands on admin dashboard', fun
     $user = User::factory()->create(['is_active' => true]);
     $user->assignRole('admin');
 
-    LivewireVolt::test('auth.login')
-        ->set('magicEmail', $user->email)
-        ->call('sendMagicLink');
+    LivewireVolt::test('auth.magic-link')
+        ->set('email', $user->email)
+        ->call('requestLink');
 
     $sentMail = null;
 
@@ -107,9 +106,9 @@ test('customer is redirected to me dashboard after magic link login', function (
     $customer = User::factory()->create(['is_active' => true]);
     $customer->assignRole('customer');
 
-    LivewireVolt::test('auth.login')
-        ->set('magicEmail', $customer->email)
-        ->call('sendMagicLink');
+    LivewireVolt::test('auth.magic-link')
+        ->set('email', $customer->email)
+        ->call('requestLink');
 
     $sentMail = null;
     Mail::assertSent(MagicLoginLink::class, function (MagicLoginLink $mail) use (&$sentMail) {