Kevin Adametz
d98d297524
- Magic-Link-Versand im Login rate-limited (E-Mail+IP 3/h und IP-only 15/h); verhindert Mail-Fluten und das Entwerten aktiver Links. - Inaktive (aber verifizierte) User werden beim Passwort-Login zentral blockiert (Auth::logout + Fehler) – sichert nur-auth/verified-Routen ab. - Rollensicherer Login-Redirect: gemerkte intended-Admin-URLs schicken einen Customer nicht mehr in den 403, sondern auf das rollengerechte Ziel. - ContactAccess prüft is_active vor jeder Mutation: deaktivierte Bestands- Accounts werden durch eine Anfrage weder verändert noch angemailt. - Magic-Link-Verbrauch atomar (UPDATE … whereNull(consumed_at)) – Single-Use auch bei parallelen Requests. - Sicherheits-Doku um diese Härtungen + Captcha-Empfehlung ergänzt. Tests: Rate-Limit, intended-Admin-URL für Customer, inaktiver Login, ContactAccess ohne Mutation inaktiver Accounts. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
131 lines
4.3 KiB
PHP
131 lines
4.3 KiB
PHP
<?php
|
|
|
|
use App\Models\User;
|
|
use Database\Seeders\RolesAndPermissionsSeeder;
|
|
use Livewire\Volt\Volt as LivewireVolt;
|
|
use Tests\TestCase;
|
|
|
|
test('login screen can be rendered', function () {
|
|
/** @var TestCase $this */
|
|
$portalUrl = rtrim((string) config('domains.domain_portal_url', 'http://pressekonto.test'), '/');
|
|
$response = $this->get($portalUrl.'/login');
|
|
|
|
$response->assertStatus(200);
|
|
});
|
|
|
|
test('users can authenticate using the login screen', function () {
|
|
/** @var TestCase $this */
|
|
// Super-Admin damit canAccessAdmin() === true → Login-Redirect auf /dashboard.
|
|
// Seit der rollen-basierten Redirect-Logik (Phase 1) landen rollenlose
|
|
// User auf '/', nicht mehr auf /dashboard.
|
|
$user = User::factory()->superAdmin()->create();
|
|
|
|
$response = LivewireVolt::test('auth.login')
|
|
->set('email', $user->email)
|
|
->set('password', 'password')
|
|
->call('login');
|
|
|
|
$response
|
|
->assertHasNoErrors()
|
|
->assertRedirect(route('dashboard', absolute: false));
|
|
|
|
$this->assertAuthenticated();
|
|
$user->refresh();
|
|
expect($user->last_login_at)->not->toBeNull();
|
|
expect($user->last_login_ip)->toBe('127.0.0.1');
|
|
});
|
|
|
|
test('unverified users are redirected to the verification notice on login', function () {
|
|
/** @var TestCase $this */
|
|
$user = User::factory()->unverified()->create(['is_active' => false]);
|
|
|
|
LivewireVolt::test('auth.login')
|
|
->set('email', $user->email)
|
|
->set('password', 'password')
|
|
->call('login')
|
|
->assertHasNoErrors()
|
|
->assertRedirect(route('verification.notice', absolute: false));
|
|
|
|
$this->assertAuthenticated();
|
|
});
|
|
|
|
test('users can not authenticate with invalid password', function () {
|
|
/** @var TestCase $this */
|
|
$user = User::factory()->create();
|
|
|
|
$response = LivewireVolt::test('auth.login')
|
|
->set('email', $user->email)
|
|
->set('password', 'wrong-password')
|
|
->call('login');
|
|
|
|
$response->assertHasErrors('email');
|
|
|
|
$this->assertGuest();
|
|
});
|
|
|
|
test('an authenticated customer visiting guest routes is not trapped on the admin dashboard', function () {
|
|
/** @var TestCase $this */
|
|
$this->seed(RolesAndPermissionsSeeder::class);
|
|
$customer = User::factory()->create(['is_active' => true]);
|
|
$customer->assignRole('customer');
|
|
|
|
$this->actingAs($customer)->get('/login')->assertRedirect(route('me.dashboard'));
|
|
$this->actingAs($customer)->get('/register')->assertRedirect(route('me.dashboard'));
|
|
});
|
|
|
|
test('an authenticated admin visiting guest routes lands on the admin dashboard', function () {
|
|
/** @var TestCase $this */
|
|
$admin = User::factory()->superAdmin()->create();
|
|
|
|
$this->actingAs($admin)->get('/login')->assertRedirect(route('dashboard'));
|
|
});
|
|
|
|
test('an unverified authenticated user visiting guest routes lands on the notice', function () {
|
|
/** @var TestCase $this */
|
|
$user = User::factory()->unverified()->create(['is_active' => false]);
|
|
|
|
$this->actingAs($user)->get('/login')->assertRedirect(route('verification.notice'));
|
|
});
|
|
|
|
test('a customer login with a stale intended admin url is redirected to the customer area', function () {
|
|
/** @var TestCase $this */
|
|
$this->seed(RolesAndPermissionsSeeder::class);
|
|
$customer = User::factory()->create(['is_active' => true]);
|
|
$customer->assignRole('customer');
|
|
|
|
session()->put('url.intended', url('/admin/users'));
|
|
|
|
LivewireVolt::test('auth.login')
|
|
->set('email', $customer->email)
|
|
->set('password', 'password')
|
|
->call('login')
|
|
->assertHasNoErrors()
|
|
->assertRedirect(route('me.dashboard', absolute: false));
|
|
|
|
$this->assertAuthenticatedAs($customer);
|
|
});
|
|
|
|
test('an inactive but verified user cannot log in with a password', function () {
|
|
/** @var TestCase $this */
|
|
// Factory ist standardmäßig verifiziert; nur deaktiviert.
|
|
$user = User::factory()->create(['is_active' => false]);
|
|
|
|
LivewireVolt::test('auth.login')
|
|
->set('email', $user->email)
|
|
->set('password', 'password')
|
|
->call('login')
|
|
->assertHasErrors(['email']);
|
|
|
|
$this->assertGuest();
|
|
});
|
|
|
|
test('users can logout', function () {
|
|
/** @var TestCase $this */
|
|
$user = User::factory()->create();
|
|
|
|
$response = $this->actingAs($user)->post('/logout');
|
|
|
|
$response->assertRedirect('/');
|
|
|
|
$this->assertGuest();
|
|
});
|