gitmedia/presseportale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
presseportale/tests/Feature/Auth/EmailVerificationTest.php
Kevin Adametz 94cb209a9f WS-6: E-Mail-Verifizierung, Auth-Flow-Fixes & Legacy-Rollen-Sicherheitsfix 
E-Mail-Verifizierung (Entscheidung 15.06.):
- User implementiert MustVerifyEmail; Registrierung legt inaktives, rollenloses
  Konto an und leitet auf die Danke-/Notice-Seite; Registered-Event versendet die
  Verifizierungsmail. Bestätigter Link aktiviert das Konto + vergibt customer-Rolle
  (ActivateUserAfterVerification). Backfill-Migration setzt email_verified_at für
  alle Bestands-User (sonst würde die verified-Middleware ~59k aktive Legacy-User
  aussperren). Seeder-User verifiziert.

Auth-Flow-Korrekturen:
- Magic-Link-Consume: rollensicherer Redirect ohne intended() (Customer landete
  sonst per stale intended=/dashboard im 403-Admin-Bereich).
- Guest-Redirect (bootstrap/app.php) rollen-/verifizierungsbewusst statt fix
  /dashboard – schließt die 403-Sackgasse auf /login und /register.
- Logout auf der Notice-Seite via echtes POST-Formular statt Livewire-Action
  (behebt 419 beim Session-Invalidate).
- Magic-Link-Anforderung über eigenes Modal mit separater E-Mail-Eingabe.
- Unverifizierte Login-Versuche landen auf der Notice-Seite.

Sicherheitsfix Legacy-Rollen:
- UserImporter mappte Alt-Gruppe 2 (Self-Publisher) auf editor (= Admin-Zugriff).
  Mapping auf customer korrigiert; Daten-Migration stuft die 65.950 fälschlichen
  Legacy-Editoren auf customer herab. Echte admin/api-only bleiben unberührt.

Tests: Registration, EmailVerification, Authentication (Guest-Redirect),
MagicLinkLogin (Modal/Redirect/Regression), Legacy-Import (Gruppen-Mapping).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-16 08:16:41 +00:00

85 lines
2.7 KiB
PHP
Raw Blame History

<?php
use App\Models\User;
use Database\Seeders\RolesAndPermissionsSeeder;
use Illuminate\Auth\Events\Verified;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\URL;
use Tests\TestCase;
test('the verification notice can be rendered for an unverified user', function () {
/** @var TestCase $this */
$user = User::factory()->unverified()->create(['is_active' => false]);
$this->actingAs($user)
->get('/verify-email')
->assertStatus(200)
// Abmelden läuft über ein echtes POST-Formular auf die Logout-Route,
// nicht über eine Livewire-Action (verhindert den 419 beim Session-Invalidate).
->assertSee('action="'.route('logout').'"', false)
->assertSee('method="POST"', false);
});
test('an unverified user is redirected away from the panel to the notice', function () {
/** @var TestCase $this */
$user = User::factory()->unverified()->create(['is_active' => false]);
$this->actingAs($user)
->get(route('me.dashboard'))
->assertRedirect(route('verification.notice'));
});
test('confirming the signed link verifies, activates and grants the customer role', function () {
/** @var TestCase $this */
$this->seed(RolesAndPermissionsSeeder::class);
$user = User::factory()->unverified()->create(['is_active' => false]);
$verificationUrl = URL::temporarySignedRoute(
'verification.verify',
now()->addMinutes(60),
['id' => $user->id, 'hash' => sha1($user->email)]
);
$this->actingAs($user)
->get($verificationUrl)
->assertRedirect(route('me.dashboard', absolute: false).'?verified=1');
$user->refresh();
expect($user->hasVerifiedEmail())->toBeTrue();
expect($user->is_active)->toBeTrue();
expect($user->hasRole('customer'))->toBeTrue();
});
test('verification dispatches the Verified event', function () {
/** @var TestCase $this */
Event::fake();
$user = User::factory()->unverified()->create(['is_active' => false]);
$verificationUrl = URL::temporarySignedRoute(
'verification.verify',
now()->addMinutes(60),
['id' => $user->id, 'hash' => sha1($user->email)]
);
$this->actingAs($user)->get($verificationUrl);
Event::assertDispatched(Verified::class);
});
test('the email is not verified with an invalid hash', function () {
/** @var TestCase $this */
$user = User::factory()->unverified()->create(['is_active' => false]);
$verificationUrl = URL::temporarySignedRoute(
'verification.verify',
now()->addMinutes(60),
['id' => $user->id, 'hash' => sha1('wrong-email')]
);
$this->actingAs($user)->get($verificationUrl)->assertForbidden();
expect($user->fresh()->hasVerifiedEmail())->toBeFalse();
});
Reference in a new issue View git blame Copy permalink