WS-6: E-Mail-Verifizierung, Auth-Flow-Fixes & Legacy-Rollen-Sicherheitsfix

E-Mail-Verifizierung (Entscheidung 15.06.):
- User implementiert MustVerifyEmail; Registrierung legt inaktives, rollenloses
  Konto an und leitet auf die Danke-/Notice-Seite; Registered-Event versendet die
  Verifizierungsmail. Bestätigter Link aktiviert das Konto + vergibt customer-Rolle
  (ActivateUserAfterVerification). Backfill-Migration setzt email_verified_at für
  alle Bestands-User (sonst würde die verified-Middleware ~59k aktive Legacy-User
  aussperren). Seeder-User verifiziert.

Auth-Flow-Korrekturen:
- Magic-Link-Consume: rollensicherer Redirect ohne intended() (Customer landete
  sonst per stale intended=/dashboard im 403-Admin-Bereich).
- Guest-Redirect (bootstrap/app.php) rollen-/verifizierungsbewusst statt fix
  /dashboard – schließt die 403-Sackgasse auf /login und /register.
- Logout auf der Notice-Seite via echtes POST-Formular statt Livewire-Action
  (behebt 419 beim Session-Invalidate).
- Magic-Link-Anforderung über eigenes Modal mit separater E-Mail-Eingabe.
- Unverifizierte Login-Versuche landen auf der Notice-Seite.

Sicherheitsfix Legacy-Rollen:
- UserImporter mappte Alt-Gruppe 2 (Self-Publisher) auf editor (= Admin-Zugriff).
  Mapping auf customer korrigiert; Daten-Migration stuft die 65.950 fälschlichen
  Legacy-Editoren auf customer herab. Echte admin/api-only bleiben unberührt.

Tests: Registration, EmailVerification, Authentication (Guest-Redirect),
MagicLinkLogin (Modal/Redirect/Regression), Legacy-Import (Gruppen-Mapping).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

tests/Feature/Auth/AuthenticationTest.php

@@ -1,6 +1,7 @@
 <?php
 
 use App\Models\User;
+use Database\Seeders\RolesAndPermissionsSeeder;
 use Livewire\Volt\Volt as LivewireVolt;
 use Tests\TestCase;
 
@@ -34,6 +35,20 @@ test('users can authenticate using the login screen', function () {
     expect($user->last_login_ip)->toBe('127.0.0.1');
 });
 
+test('unverified users are redirected to the verification notice on login', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->unverified()->create(['is_active' => false]);
+
+    LivewireVolt::test('auth.login')
+        ->set('email', $user->email)
+        ->set('password', 'password')
+        ->call('login')
+        ->assertHasNoErrors()
+        ->assertRedirect(route('verification.notice', absolute: false));
+
+    $this->assertAuthenticated();
+});
+
 test('users can not authenticate with invalid password', function () {
     /** @var TestCase $this */
     $user = User::factory()->create();
@@ -48,6 +63,30 @@ test('users can not authenticate with invalid password', function () {
     $this->assertGuest();
 });
 
+test('an authenticated customer visiting guest routes is not trapped on the admin dashboard', function () {
+    /** @var TestCase $this */
+    $this->seed(RolesAndPermissionsSeeder::class);
+    $customer = User::factory()->create(['is_active' => true]);
+    $customer->assignRole('customer');
+
+    $this->actingAs($customer)->get('/login')->assertRedirect(route('me.dashboard'));
+    $this->actingAs($customer)->get('/register')->assertRedirect(route('me.dashboard'));
+});
+
+test('an authenticated admin visiting guest routes lands on the admin dashboard', function () {
+    /** @var TestCase $this */
+    $admin = User::factory()->superAdmin()->create();
+
+    $this->actingAs($admin)->get('/login')->assertRedirect(route('dashboard'));
+});
+
+test('an unverified authenticated user visiting guest routes lands on the notice', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->unverified()->create(['is_active' => false]);
+
+    $this->actingAs($user)->get('/login')->assertRedirect(route('verification.notice'));
+});
+
 test('users can logout', function () {
     /** @var TestCase $this */
     $user = User::factory()->create();

tests/Feature/Auth/EmailVerificationTest.php

@@ -1,35 +1,39 @@
 <?php
 
 use App\Models\User;
+use Database\Seeders\RolesAndPermissionsSeeder;
 use Illuminate\Auth\Events\Verified;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\URL;
-use Laravel\Fortify\Features;
+use Tests\TestCase;
 
-/**
- * Fortify's emailVerification feature is intentionally disabled in
- * config/fortify.php (Volt handles the verification notice instead).
- * The tests below cover the Fortify-issued signed URL flow and become
- * relevant again once the feature is re-enabled.
- */
-beforeEach(function () {
-    if (! Features::enabled(Features::emailVerification())) {
-        $this->markTestSkipped('Fortify emailVerification feature is disabled.');
-    }
+test('the verification notice can be rendered for an unverified user', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->unverified()->create(['is_active' => false]);
+
+    $this->actingAs($user)
+        ->get('/verify-email')
+        ->assertStatus(200)
+        // Abmelden läuft über ein echtes POST-Formular auf die Logout-Route,
+        // nicht über eine Livewire-Action (verhindert den 419 beim Session-Invalidate).
+        ->assertSee('action="'.route('logout').'"', false)
+        ->assertSee('method="POST"', false);
 });
 
-test('email verification screen can be rendered', function () {
-    $user = User::factory()->unverified()->create();
+test('an unverified user is redirected away from the panel to the notice', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->unverified()->create(['is_active' => false]);
 
-    $response = $this->actingAs($user)->get('/verify-email');
-
-    $response->assertStatus(200);
+    $this->actingAs($user)
+        ->get(route('me.dashboard'))
+        ->assertRedirect(route('verification.notice'));
 });
 
-test('email can be verified', function () {
-    $user = User::factory()->unverified()->create();
+test('confirming the signed link verifies, activates and grants the customer role', function () {
+    /** @var TestCase $this */
+    $this->seed(RolesAndPermissionsSeeder::class);
 
-    Event::fake();
+    $user = User::factory()->unverified()->create(['is_active' => false]);
 
     $verificationUrl = URL::temporarySignedRoute(
         'verification.verify',
@@ -37,16 +41,37 @@ test('email can be verified', function () {
         ['id' => $user->id, 'hash' => sha1($user->email)]
     );
 
-    $response = $this->actingAs($user)->get($verificationUrl);
+    $this->actingAs($user)
+        ->get($verificationUrl)
+        ->assertRedirect(route('me.dashboard', absolute: false).'?verified=1');
 
-    Event::assertDispatched(Verified::class);
+    $user->refresh();
 
-    expect($user->fresh()->hasVerifiedEmail())->toBeTrue();
-    $response->assertRedirect(route('dashboard', absolute: false).'?verified=1');
+    expect($user->hasVerifiedEmail())->toBeTrue();
+    expect($user->is_active)->toBeTrue();
+    expect($user->hasRole('customer'))->toBeTrue();
 });
 
-test('email is not verified with invalid hash', function () {
-    $user = User::factory()->unverified()->create();
+test('verification dispatches the Verified event', function () {
+    /** @var TestCase $this */
+    Event::fake();
+
+    $user = User::factory()->unverified()->create(['is_active' => false]);
+
+    $verificationUrl = URL::temporarySignedRoute(
+        'verification.verify',
+        now()->addMinutes(60),
+        ['id' => $user->id, 'hash' => sha1($user->email)]
+    );
+
+    $this->actingAs($user)->get($verificationUrl);
+
+    Event::assertDispatched(Verified::class);
+});
+
+test('the email is not verified with an invalid hash', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->unverified()->create(['is_active' => false]);
 
     $verificationUrl = URL::temporarySignedRoute(
         'verification.verify',
@@ -54,7 +79,7 @@ test('email is not verified with invalid hash', function () {
         ['id' => $user->id, 'hash' => sha1('wrong-email')]
     );
 
-    $this->actingAs($user)->get($verificationUrl);
+    $this->actingAs($user)->get($verificationUrl)->assertForbidden();
 
     expect($user->fresh()->hasVerifiedEmail())->toBeFalse();
 });

tests/Feature/Auth/MagicLinkLoginTest.php

@@ -13,7 +13,7 @@ test('user can request a magic login link from login page', function () {
     $user = User::factory()->create(['is_active' => true]);
 
     LivewireVolt::test('auth.login')
-        ->set('email', $user->email)
+        ->set('magicEmail', $user->email)
         ->call('sendMagicLink')
         ->assertHasNoErrors();
 
@@ -27,6 +27,27 @@ test('user can request a magic login link from login page', function () {
     expect($magicLink->token_hash)->toHaveLength(64);
 });
 
+test('the magic link modal validates its own email field and closes on success', function () {
+    Mail::fake();
+    $user = User::factory()->create(['is_active' => true]);
+
+    // Leere Eingabe → Validierungsfehler, keine Mail.
+    LivewireVolt::test('auth.login')
+        ->set('magicEmail', '')
+        ->call('sendMagicLink')
+        ->assertHasErrors(['magicEmail']);
+
+    Mail::assertNothingSent();
+
+    // Gültige Eingabe → Feld wird geleert, Schließen-Event wird ausgelöst.
+    LivewireVolt::test('auth.login')
+        ->set('magicEmail', $user->email)
+        ->call('sendMagicLink')
+        ->assertHasNoErrors()
+        ->assertSet('magicEmail', '')
+        ->assertDispatched('magic-link-sent');
+});
+
 test('admin can login with a valid magic link and lands on admin dashboard', function () {
     /** @var TestCase $this */
     $this->seed(RolesAndPermissionsSeeder::class);
@@ -35,7 +56,7 @@ test('admin can login with a valid magic link and lands on admin dashboard', fun
     $user->assignRole('admin');
 
     LivewireVolt::test('auth.login')
-        ->set('email', $user->email)
+        ->set('magicEmail', $user->email)
         ->call('sendMagicLink');
 
     $sentMail = null;
@@ -67,7 +88,7 @@ test('customer is redirected to me dashboard after magic link login', function (
     $customer->assignRole('customer');
 
     LivewireVolt::test('auth.login')
-        ->set('email', $customer->email)
+        ->set('magicEmail', $customer->email)
         ->call('sendMagicLink');
 
     $sentMail = null;
@@ -84,6 +105,29 @@ test('customer is redirected to me dashboard after magic link login', function (
     $this->assertAuthenticatedAs($customer);
 });
 
+test('a stale intended admin url does not send a customer into the 403 admin area', function () {
+    /** @var TestCase $this */
+    $this->seed(RolesAndPermissionsSeeder::class);
+    $customer = User::factory()->create(['is_active' => true]);
+    $customer->assignRole('customer');
+
+    $plainToken = 'intended-token';
+    MagicLink::query()->create([
+        'user_id' => $customer->id,
+        'token_hash' => hash('sha256', $plainToken),
+        'purpose' => 'login',
+        'expires_at' => now()->addMinutes(5),
+    ]);
+
+    // Als Gast zuvor /dashboard besucht → intended-URL liegt in der Session.
+    $this->withSession(['url.intended' => route('dashboard')]);
+
+    $this->get(route('magic-links.consume', ['token' => $plainToken]))
+        ->assertRedirect(route('me.dashboard', absolute: false));
+
+    $this->assertAuthenticatedAs($customer);
+});
+
 test('expired magic link can not be used', function () {
     /** @var TestCase $this */
     $user = User::factory()->create(['is_active' => true]);

tests/Feature/Auth/RegistrationTest.php

@@ -1,28 +1,54 @@
 <?php
 
+use App\Models\User;
+use Illuminate\Auth\Notifications\VerifyEmail;
+use Illuminate\Support\Facades\Notification;
 use Livewire\Volt\Volt;
+use Tests\TestCase;
 
 test('registration screen can be rendered', function () {
+    /** @var TestCase $this */
     $response = $this->get('/register');
 
     $response->assertStatus(200);
 });
 
-test('new users can register', function () {
-    // terms_accepted ist seit dem Hub-Auth-Refresh Pflicht (AGB-Checkbox).
-    // Frisch registrierte User haben keine Rolle → Login-Code fällt auf '/'
-    // zurück (siehe Phase 1 rollen-basierter Redirect in login/register).
-    $response = Volt::test('auth.register')
+test('new users register inactive and are sent to the verification notice', function () {
+    /** @var TestCase $this */
+    Notification::fake();
+
+    Volt::test('auth.register')
         ->set('name', 'Test User')
         ->set('email', 'test@example.com')
         ->set('password', 'password')
         ->set('password_confirmation', 'password')
         ->set('terms_accepted', true)
-        ->call('register');
-
-    $response
+        ->call('register')
         ->assertHasNoErrors()
-        ->assertRedirect('/');
+        ->assertRedirect(route('verification.notice', absolute: false));
 
     $this->assertAuthenticated();
+
+    $user = User::where('email', 'test@example.com')->firstOrFail();
+
+    // Konto bleibt bis zur Verifizierung inaktiv, rollenlos und unverifiziert.
+    expect($user->is_active)->toBeFalse();
+    expect($user->hasVerifiedEmail())->toBeFalse();
+    expect($user->roles()->count())->toBe(0);
+
+    Notification::assertSentTo($user, VerifyEmail::class);
+});
+
+test('registration requires accepting the terms', function () {
+    /** @var TestCase $this */
+    Volt::test('auth.register')
+        ->set('name', 'Test User')
+        ->set('email', 'terms@example.com')
+        ->set('password', 'password')
+        ->set('password_confirmation', 'password')
+        ->set('terms_accepted', false)
+        ->call('register')
+        ->assertHasErrors(['terms_accepted']);
+
+    expect(User::where('email', 'terms@example.com')->exists())->toBeFalse();
 });