speedBB/tests/Feature/AuthControllerTest.php

<?php

use App\Models\User;
use Illuminate\Auth\Notifications\VerifyEmail;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\URL;
use Laravel\Sanctum\Sanctum;

it('registers a user with username and plainPassword', function (): void {
    Notification::fake();

    $response = $this->postJson('/api/register', [
        'username' => 'NewUser',
        'email' => 'newuser@example.com',
        'plainPassword' => 'Password123!',
    ]);

    $response->assertOk();
    $response->assertJsonStructure(['user_id', 'email', 'message']);

    $this->assertDatabaseHas('users', [
        'email' => 'newuser@example.com',
        'name' => 'NewUser',
        'name_canonical' => 'newuser',
    ]);

    $user = User::where('email', 'newuser@example.com')->firstOrFail();
    Notification::assertSentTo($user, VerifyEmail::class);
});

it('rejects invalid login credentials', function (): void {
    $user = User::factory()->create([
        'password' => Hash::make('Password123!'),
    ]);

    $response = $this->postJson('/api/login', [
        'login' => $user->email,
        'password' => 'wrong-password',
    ]);

    $response->assertStatus(422);
    $response->assertJsonValidationErrors(['login']);
});

it('blocks login for unverified email', function (): void {
    $user = User::factory()->unverified()->create([
        'password' => Hash::make('Password123!'),
    ]);

    $response = $this->postJson('/api/login', [
        'login' => $user->email,
        'password' => 'Password123!',
    ]);

    $response->assertStatus(403);
    $response->assertJsonFragment(['message' => 'Email not verified.']);
});

it('logs in with username', function (): void {
    $user = User::factory()->create([
        'name' => 'TestUser',
        'name_canonical' => 'testuser',
        'password' => Hash::make('Password123!'),
    ]);

    $response = $this->postJson('/api/login', [
        'login' => 'TestUser',
        'password' => 'Password123!',
    ]);

    $response->assertOk();
    $response->assertJsonStructure(['token', 'user_id', 'email', 'roles']);
});

it('validates forgot password requests', function (): void {
    $response = $this->postJson('/api/forgot-password', []);

    $response->assertStatus(422);
    $response->assertJsonValidationErrors(['email']);
});

it('sends a reset link for valid email', function (): void {
    $user = User::factory()->create([
        'email' => 'reset@example.com',
    ]);

    $response = $this->postJson('/api/forgot-password', [
        'email' => $user->email,
    ]);

    $response->assertOk();
    $response->assertJsonStructure(['message']);
});

it('resets a password with a valid token', function (): void {
    $user = User::factory()->create([
        'email' => 'reset2@example.com',
        'password' => Hash::make('OldPassword123!'),
    ]);

    $token = Password::createToken($user);

    $response = $this->postJson('/api/reset-password', [
        'email' => $user->email,
        'password' => 'NewPassword123!',
        'password_confirmation' => 'NewPassword123!',
        'token' => $token,
    ]);

    $response->assertOk();
    $response->assertJsonStructure(['message']);

    $user->refresh();
    expect(Hash::check('NewPassword123!', $user->password))->toBeTrue();
});

it('verifies email and redirects to login', function (): void {
    $user = User::factory()->unverified()->create();

    $hash = sha1($user->getEmailForVerification());

    $url = URL::signedRoute('verification.verify', [
        'id' => $user->id,
        'hash' => $hash,
    ]);

    $response = $this->get($url);

    $response->assertRedirect('/login');
    $user->refresh();
    expect($user->hasVerifiedEmail())->toBeTrue();
});

it('updates password for authenticated users', function (): void {
    $user = User::factory()->create([
        'password' => Hash::make('OldPass123!'),
    ]);

    Sanctum::actingAs($user);

    $response = $this->postJson('/api/user/password', [
        'current_password' => 'OldPass123!',
        'password' => 'NewPass123!',
        'password_confirmation' => 'NewPass123!',
    ]);

    $response->assertOk();
    $response->assertJsonFragment(['message' => 'Password updated.']);

    $user->refresh();
    expect(Hash::check('NewPass123!', $user->password))->toBeTrue();
});

it('rejects password update with wrong current password', function (): void {
    $user = User::factory()->create([
        'password' => Hash::make('OldPass123!'),
    ]);

    Sanctum::actingAs($user);

    $response = $this->postJson('/api/user/password', [
        'current_password' => 'WrongPass123!',
        'password' => 'NewPass123!',
        'password_confirmation' => 'NewPass123!',
    ]);

    $response->assertStatus(422);
    $response->assertJsonValidationErrors(['current_password']);
});

it('logs out authenticated users', function (): void {
    $user = User::factory()->create();
    Sanctum::actingAs($user);

    $response = $this->postJson('/api/logout');

    $response->assertStatus(204);
});