postJson('/api/register', [ 'username' => 'NewUser', 'email' => 'newuser@example.com', 'plainPassword' => 'Password123!', ]); $response->assertOk(); $response->assertJsonStructure(['user_id', 'email', 'message']); $this->assertDatabaseHas('users', [ 'email' => 'newuser@example.com', 'name' => 'NewUser', 'name_canonical' => 'newuser', ]); $user = User::where('email', 'newuser@example.com')->firstOrFail(); Notification::assertSentTo($user, VerifyEmail::class); }); it('rejects invalid login credentials', function (): void { $user = User::factory()->create([ 'password' => Hash::make('Password123!'), ]); $response = $this->postJson('/api/login', [ 'login' => $user->email, 'password' => 'wrong-password', ]); $response->assertStatus(422); $response->assertJsonValidationErrors(['login']); }); it('blocks login for unverified email', function (): void { $user = User::factory()->unverified()->create([ 'password' => Hash::make('Password123!'), ]); $response = $this->postJson('/api/login', [ 'login' => $user->email, 'password' => 'Password123!', ]); $response->assertStatus(403); $response->assertJsonFragment(['message' => 'Email not verified.']); }); it('logs in with username', function (): void { $user = User::factory()->create([ 'name' => 'TestUser', 'name_canonical' => 'testuser', 'password' => Hash::make('Password123!'), ]); $response = $this->postJson('/api/login', [ 'login' => 'TestUser', 'password' => 'Password123!', ]); $response->assertOk(); $response->assertJsonStructure(['token', 'user_id', 'email', 'roles']); }); it('validates forgot password requests', function (): void { $response = $this->postJson('/api/forgot-password', []); $response->assertStatus(422); $response->assertJsonValidationErrors(['email']); }); it('sends a reset link for valid email', function (): void { $user = User::factory()->create([ 'email' => 'reset@example.com', ]); $response = $this->postJson('/api/forgot-password', [ 'email' => $user->email, ]); $response->assertOk(); $response->assertJsonStructure(['message']); }); it('returns validation error when reset link cannot be sent', function (): void { Password::shouldReceive('sendResetLink') ->once() ->andReturn(Password::INVALID_USER); $response = $this->postJson('/api/forgot-password', [ 'email' => 'missing@example.com', ]); $response->assertStatus(422); $response->assertJsonValidationErrors(['email']); }); it('resets a password with a valid token', function (): void { $user = User::factory()->create([ 'email' => 'reset2@example.com', 'password' => Hash::make('OldPassword123!'), ]); $token = Password::createToken($user); $response = $this->postJson('/api/reset-password', [ 'email' => $user->email, 'password' => 'NewPassword123!', 'password_confirmation' => 'NewPassword123!', 'token' => $token, ]); $response->assertOk(); $response->assertJsonStructure(['message']); $user->refresh(); expect(Hash::check('NewPassword123!', $user->password))->toBeTrue(); }); it('returns validation error when reset fails', function (): void { Password::shouldReceive('reset') ->once() ->andReturn(Password::INVALID_TOKEN); $response = $this->postJson('/api/reset-password', [ 'email' => 'resetfail@example.com', 'password' => 'NewPassword123!', 'password_confirmation' => 'NewPassword123!', 'token' => 'bad-token', ]); $response->assertStatus(422); $response->assertJsonValidationErrors(['email']); }); it('verifies email and redirects to login', function (): void { $user = User::factory()->unverified()->create(); $hash = sha1($user->getEmailForVerification()); $url = URL::signedRoute('verification.verify', [ 'id' => $user->id, 'hash' => $hash, ]); $response = $this->get($url); $response->assertRedirect('/login'); $user->refresh(); expect($user->hasVerifiedEmail())->toBeTrue(); }); it('rejects invalid email verification hash', function (): void { $user = User::factory()->unverified()->create(); $url = URL::signedRoute('verification.verify', [ 'id' => $user->id, 'hash' => sha1('wrong'), ]); $response = $this->get($url); $response->assertStatus(403); }); it('updates password for authenticated users', function (): void { $user = User::factory()->create([ 'password' => Hash::make('OldPass123!'), ]); Sanctum::actingAs($user); $response = $this->postJson('/api/user/password', [ 'current_password' => 'OldPass123!', 'password' => 'NewPass123!', 'password_confirmation' => 'NewPass123!', ]); $response->assertOk(); $response->assertJsonFragment(['message' => 'Password updated.']); $user->refresh(); expect(Hash::check('NewPass123!', $user->password))->toBeTrue(); }); it('rejects password update with wrong current password', function (): void { $user = User::factory()->create([ 'password' => Hash::make('OldPass123!'), ]); Sanctum::actingAs($user); $response = $this->postJson('/api/user/password', [ 'current_password' => 'WrongPass123!', 'password' => 'NewPass123!', 'password_confirmation' => 'NewPass123!', ]); $response->assertStatus(422); $response->assertJsonValidationErrors(['current_password']); }); it('logs out authenticated users', function (): void { $user = User::factory()->create(); Sanctum::actingAs($user); $response = $this->postJson('/api/logout'); $response->assertStatus(204); });