api/tests/Feature/EmailVerificationTest.php

144 lines
4.3 KiB
PHP

<?php
use App\Mail\VerifyAccount;
use App\Models\User;
use Illuminate\Auth\Notifications\VerifyEmail;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\URL;
use Laravel\Sanctum\Sanctum;
uses(RefreshDatabase::class);
it('sends a verification email when a user registers', function () {
Notification::fake();
$this->postJson('/api/auth/register', [
'name' => 'Léon',
'email' => 'leon@example.com',
'password' => 'password',
])
->assertCreated()
->assertJsonPath('user.email', 'leon@example.com')
->assertJsonPath('user.emailVerified', false);
$user = User::where('email', 'leon@example.com')->firstOrFail();
expect($user->hasVerifiedEmail())->toBeFalse();
Notification::assertSentTo($user, VerifyEmail::class);
});
it('uses the custom account verification mailable', function () {
$user = User::factory()->unverified()->create();
$mailable = (new VerifyEmail)->toMail($user);
expect($mailable)->toBeInstanceOf(VerifyAccount::class);
$mailable
->assertSeeInHtml('Vérifier mon compte')
->assertSeeInHtml($user->name);
});
it('verifies a user from a signed email link', function () {
$user = User::factory()->unverified()->create();
$url = URL::temporarySignedRoute('verification.verify', now()->addMinutes(60), [
'id' => $user->getKey(),
'hash' => sha1($user->email),
]);
$this->getJson($url)
->assertOk()
->assertJsonPath('message', __('api.auth.verified'))
->assertJsonPath('user.emailVerified', true);
expect($user->fresh()->hasVerifiedEmail())->toBeTrue();
});
it('rejects signed verification links with an invalid hash', function () {
$user = User::factory()->unverified()->create();
$url = URL::temporarySignedRoute('verification.verify', now()->addMinutes(60), [
'id' => $user->getKey(),
'hash' => sha1('wrong-address@example.com'),
]);
$this->getJson($url)->assertForbidden();
expect($user->fresh()->hasVerifiedEmail())->toBeFalse();
});
it('blocks login for unverified users', function () {
$user = User::factory()->unverified()->create([
'password' => 'password',
]);
$this->postJson('/api/auth/login', [
'email' => $user->email,
'password' => 'password',
])
->assertForbidden()
->assertJsonPath('message', __('api.auth.email_not_verified'))
->assertCookieMissing('token');
$this->assertDatabaseMissing('personal_access_tokens', [
'tokenable_id' => $user->getKey(),
]);
});
it('allows login for verified users', function () {
$user = User::factory()->create([
'password' => 'password',
]);
$this->postJson('/api/auth/login', [
'email' => $user->email,
'password' => 'password',
])
->assertOk()
->assertJsonPath('user.email', $user->email)
->assertJsonPath('user.emailVerified', true)
->assertCookie('token');
});
it('resends a verification email for an unverified user without authentication', function () {
Notification::fake();
$user = User::factory()->unverified()->create();
$this->postJson('/api/auth/email/verification-notification', [
'email' => $user->email,
])
->assertOk()
->assertJsonPath('message', __('api.auth.verification_sent_if_unverified'));
Notification::assertSentTo($user, VerifyEmail::class);
});
it('does not reveal whether an email can receive a verification email', function () {
Notification::fake();
$verifiedUser = User::factory()->create();
$this->postJson('/api/auth/email/verification-notification', [
'email' => $verifiedUser->email,
])
->assertOk()
->assertJsonPath('message', __('api.auth.verification_sent_if_unverified'));
$this->postJson('/api/auth/email/verification-notification', [
'email' => 'missing@example.com',
])
->assertOk()
->assertJsonPath('message', __('api.auth.verification_sent_if_unverified'));
Notification::assertNothingSent();
});
it('blocks verified routes for unverified users', function () {
$user = User::factory()->unverified()->create();
Sanctum::actingAs($user);
$this->getJson('/api/meal-posts')->assertForbidden();
});