Add extensive controller and model tests

tests/Feature/AuthControllerTest.php

@@ -0,0 +1,180 @@
+<?php
+
+use App\Models\User;
+use Illuminate\Auth\Notifications\VerifyEmail;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Notification;
+use Illuminate\Support\Facades\Password;
+use Illuminate\Support\Facades\URL;
+use Laravel\Sanctum\Sanctum;
+
+it('registers a user with username and plainPassword', function (): void {
+    Notification::fake();
+
+    $response = $this->postJson('/api/register', [
+        'username' => 'NewUser',
+        'email' => 'newuser@example.com',
+        'plainPassword' => 'Password123!',
+    ]);
+
+    $response->assertOk();
+    $response->assertJsonStructure(['user_id', 'email', 'message']);
+
+    $this->assertDatabaseHas('users', [
+        'email' => 'newuser@example.com',
+        'name' => 'NewUser',
+        'name_canonical' => 'newuser',
+    ]);
+
+    $user = User::where('email', 'newuser@example.com')->firstOrFail();
+    Notification::assertSentTo($user, VerifyEmail::class);
+});
+
+it('rejects invalid login credentials', function (): void {
+    $user = User::factory()->create([
+        'password' => Hash::make('Password123!'),
+    ]);
+
+    $response = $this->postJson('/api/login', [
+        'login' => $user->email,
+        'password' => 'wrong-password',
+    ]);
+
+    $response->assertStatus(422);
+    $response->assertJsonValidationErrors(['login']);
+});
+
+it('blocks login for unverified email', function (): void {
+    $user = User::factory()->unverified()->create([
+        'password' => Hash::make('Password123!'),
+    ]);
+
+    $response = $this->postJson('/api/login', [
+        'login' => $user->email,
+        'password' => 'Password123!',
+    ]);
+
+    $response->assertStatus(403);
+    $response->assertJsonFragment(['message' => 'Email not verified.']);
+});
+
+it('logs in with username', function (): void {
+    $user = User::factory()->create([
+        'name' => 'TestUser',
+        'name_canonical' => 'testuser',
+        'password' => Hash::make('Password123!'),
+    ]);
+
+    $response = $this->postJson('/api/login', [
+        'login' => 'TestUser',
+        'password' => 'Password123!',
+    ]);
+
+    $response->assertOk();
+    $response->assertJsonStructure(['token', 'user_id', 'email', 'roles']);
+});
+
+it('validates forgot password requests', function (): void {
+    $response = $this->postJson('/api/forgot-password', []);
+
+    $response->assertStatus(422);
+    $response->assertJsonValidationErrors(['email']);
+});
+
+it('sends a reset link for valid email', function (): void {
+    $user = User::factory()->create([
+        'email' => 'reset@example.com',
+    ]);
+
+    $response = $this->postJson('/api/forgot-password', [
+        'email' => $user->email,
+    ]);
+
+    $response->assertOk();
+    $response->assertJsonStructure(['message']);
+});
+
+it('resets a password with a valid token', function (): void {
+    $user = User::factory()->create([
+        'email' => 'reset2@example.com',
+        'password' => Hash::make('OldPassword123!'),
+    ]);
+
+    $token = Password::createToken($user);
+
+    $response = $this->postJson('/api/reset-password', [
+        'email' => $user->email,
+        'password' => 'NewPassword123!',
+        'password_confirmation' => 'NewPassword123!',
+        'token' => $token,
+    ]);
+
+    $response->assertOk();
+    $response->assertJsonStructure(['message']);
+
+    $user->refresh();
+    expect(Hash::check('NewPassword123!', $user->password))->toBeTrue();
+});
+
+it('verifies email and redirects to login', function (): void {
+    $user = User::factory()->unverified()->create();
+
+    $hash = sha1($user->getEmailForVerification());
+
+    $url = URL::signedRoute('verification.verify', [
+        'id' => $user->id,
+        'hash' => $hash,
+    ]);
+
+    $response = $this->get($url);
+
+    $response->assertRedirect('/login');
+    $user->refresh();
+    expect($user->hasVerifiedEmail())->toBeTrue();
+});
+
+it('updates password for authenticated users', function (): void {
+    $user = User::factory()->create([
+        'password' => Hash::make('OldPass123!'),
+    ]);
+
+    Sanctum::actingAs($user);
+
+    $response = $this->postJson('/api/user/password', [
+        'current_password' => 'OldPass123!',
+        'password' => 'NewPass123!',
+        'password_confirmation' => 'NewPass123!',
+    ]);
+
+    $response->assertOk();
+    $response->assertJsonFragment(['message' => 'Password updated.']);
+
+    $user->refresh();
+    expect(Hash::check('NewPass123!', $user->password))->toBeTrue();
+});
+
+it('rejects password update with wrong current password', function (): void {
+    $user = User::factory()->create([
+        'password' => Hash::make('OldPass123!'),
+    ]);
+
+    Sanctum::actingAs($user);
+
+    $response = $this->postJson('/api/user/password', [
+        'current_password' => 'WrongPass123!',
+        'password' => 'NewPass123!',
+        'password_confirmation' => 'NewPass123!',
+    ]);
+
+    $response->assertStatus(422);
+    $response->assertJsonValidationErrors(['current_password']);
+});
+
+it('logs out authenticated users', function (): void {
+    $user = User::factory()->create();
+    Sanctum::actingAs($user);
+
+    $response = $this->postJson('/api/logout');
+
+    $response->assertStatus(204);
+});