stage 1 of oauth removal, switch to sanctum pat tokens

2025-11-06 20:35:58 +01:00
parent c9783bd57b
commit 776da57ca9
47 changed files with 1571 additions and 2555 deletions
--- a/tests/Feature/Auth/AuthenticationTest.php
+++ b/tests/Feature/Auth/AuthenticationTest.php
@@ -5,7 +5,6 @@ namespace Tests\Feature\Auth;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Tests\TestCase;
-use Illuminate\Foundation\Testing\WithFaker;

 class AuthenticationTest extends TestCase
 {
@@ -28,7 +27,7 @@ class AuthenticationTest extends TestCase
        ]);

        $this->assertAuthenticated();
-        $response->assertRedirect(route('dashboard', absolute: false));
+        $response->assertRedirect('/packages');
    }

    public function test_users_can_authenticate_with_username()
@@ -41,7 +40,7 @@ class AuthenticationTest extends TestCase
        ]);

        $this->assertAuthenticated();
-        $response->assertRedirect(route('dashboard', absolute: false));
+        $response->assertRedirect('/packages');
    }

    public function test_users_can_not_authenticate_with_invalid_password()
--- a/tests/Feature/Auth/LoginTest.php
+++ b/tests/Feature/Auth/LoginTest.php
@@ -25,8 +25,8 @@ class LoginTest extends TestCase
        ]);

        $this->assertAuthenticated();
-        $expectedDefault = rtrim(route('tenant.admin.app', absolute: false), '/').'/events';
-        $response->assertRedirect($expectedDefault);
+        // User without specific role (null/default) redirects to packages for package selection
+        $response->assertRedirect('/packages');
        $this->assertEquals('valid@example.com', Auth::user()->email);
    }

@@ -44,8 +44,8 @@ class LoginTest extends TestCase
        ]);

        $this->assertAuthenticated();
-        $expectedDefault = rtrim(route('tenant.admin.app', absolute: false), '/').'/events';
-        $response->assertRedirect($expectedDefault);
+        // User without specific role (null/default) redirects to packages for package selection
+        $response->assertRedirect('/packages');
        $this->assertEquals('validuser', Auth::user()->username);
    }

@@ -72,6 +72,7 @@ class LoginTest extends TestCase
    {
        $user = User::factory()->create([
            'email' => 'success@example.com',
+            'role' => 'user', // Regular user
            'password' => bcrypt('password'),
            'email_verified_at' => now(),
        ]);
@@ -82,8 +83,8 @@ class LoginTest extends TestCase
        ]);

        $this->assertAuthenticated();
-        $expected = rtrim(route('tenant.admin.app', absolute: false), '/').'/events';
-        $response->assertRedirect($expected);
+        // Regular users now redirect to /packages for package selection
+        $response->assertRedirect('/packages');
        $response->assertSessionHas('success', 'Sie sind nun eingeloggt.');
    }

@@ -91,11 +92,13 @@ class LoginTest extends TestCase
    {
        $user = User::factory()->create([
            'email' => 'return@example.com',
+            'role' => 'user', // Regular user
            'password' => bcrypt('password'),
            'email_verified_at' => now(),
        ]);

-        $target = route('tenant.admin.app', absolute: false);
+        // Test that return_to parameter is honored - set it to a specific dashboard path
+        $target = '/marketing/profile';
        $encoded = rtrim(strtr(base64_encode($target), '+/', '-_'), '=');

        $response = $this->post(route('login.store'), [
@@ -108,6 +111,99 @@ class LoginTest extends TestCase
        $response->assertRedirect($target);
    }

+    public function test_login_prefers_intended_url_over_return_to_parameter()
+    {
+        $user = User::factory()->create([
+            'email' => 'tenant@example.com',
+            'role' => 'tenant_admin',
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $intended = 'http://localhost/api/v1/oauth/authorize?client_id=tenant-admin-app&response_type=code';
+        $returnTarget = '/event-admin/dashboard';
+        $encodedReturn = rtrim(strtr(base64_encode($returnTarget), '+/', '-_'), '=');
+
+        $response = $this
+            ->withSession(['url.intended' => $intended])
+            ->post(route('login.store'), [
+                'login' => 'tenant@example.com',
+                'password' => 'password',
+                'return_to' => $encodedReturn,
+            ]);
+
+        $this->assertAuthenticated();
+        $this->assertSame($user->id, Auth::id());
+        $response->assertRedirect($intended);
+    }
+
+    public function test_tenant_admin_login_with_absolute_intended_redirects_to_event_admin_dashboard(): void
+    {
+        $user = User::factory()->create([
+            'email' => 'absolute@example.com',
+            'role' => 'tenant_admin',
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $intended = url('/event-admin/dashboard?from=oauth');
+
+        $response = $this
+            ->withSession(['url.intended' => $intended])
+            ->post(route('login.store'), [
+                'login' => 'absolute@example.com',
+                'password' => 'password',
+            ]);
+
+        $this->assertAuthenticatedAs($user);
+        $response->assertRedirect($intended);
+
+        $dashboardResponse = $this->get('/dashboard');
+        $dashboardResponse->assertRedirect('/event-admin/dashboard?from=oauth');
+    }
+
+    public function test_tenant_admin_login_ignores_non_admin_return_path()
+    {
+        $user = User::factory()->create([
+            'email' => 'admin@example.com',
+            'role' => 'tenant_admin',
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $encodedReturn = rtrim(strtr(base64_encode('/dashboard'), '+/', '-_'), '=');
+
+        $response = $this->post(route('login.store'), [
+            'login' => 'admin@example.com',
+            'password' => 'password',
+            'return_to' => $encodedReturn,
+        ]);
+
+        $this->assertAuthenticatedAs($user);
+        $response->assertRedirect('/event-admin/dashboard');
+    }
+
+    public function test_tenant_admin_can_access_login_with_admin_return_path_when_authenticated()
+    {
+        $user = User::factory()->create([
+            'email' => 'already@logged.in',
+            'role' => 'tenant_admin',
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $this->actingAs($user);
+
+        $adminStart = '/event-admin/start?return_to='.rtrim(strtr(base64_encode('/event-admin/dashboard'), '+/', '-_'), '=');
+        $encoded = rtrim(strtr(base64_encode($adminStart), '+/', '-_'), '=');
+
+        $response = $this->get('/de/login?return_to='.$encoded);
+        $response->assertRedirect('/dashboard');
+
+        $eventAdminResponse = $this->get('/event-admin/dashboard');
+        $eventAdminResponse->assertOk();
+    }
+
    public function test_login_redirects_unverified_user_to_verification_notice()
    {
        $user = User::factory()->create([
--- a/tests/Feature/Auth/RoleBasedLoginTest.php
+++ b/tests/Feature/Auth/RoleBasedLoginTest.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace Tests\Feature\Auth;
+
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Auth;
+use Tests\TestCase;
+
+class RoleBasedLoginTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_tenant_admin_redirects_to_event_admin_dashboard()
+    {
+        $user = User::factory()->create([
+            'email' => 'tenant@example.com',
+            'role' => 'tenant_admin',
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $response = $this->post(route('login.store'), [
+            'login' => 'tenant@example.com',
+            'password' => 'password',
+        ]);
+
+        $this->assertAuthenticated();
+        $response->assertRedirect('/event-admin/dashboard');
+        $this->assertEquals('tenant@example.com', Auth::user()->email);
+    }
+
+    public function test_super_admin_redirects_to_admin_panel()
+    {
+        $user = User::factory()->create([
+            'email' => 'super@example.com',
+            'role' => 'super_admin',
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $response = $this->post(route('login.store'), [
+            'login' => 'super@example.com',
+            'password' => 'password',
+        ]);
+
+        $this->assertAuthenticated();
+        $response->assertRedirect('/admin');
+        $this->assertEquals('super@example.com', Auth::user()->email);
+    }
+
+    public function test_regular_user_redirects_to_packages()
+    {
+        $user = User::factory()->create([
+            'email' => 'regular@example.com',
+            'role' => 'user', // Regular user with 'user' role
+            'password' => bcrypt('password'),
+            'email_verified_at' => now(),
+        ]);
+
+        $response = $this->post(route('login.store'), [
+            'login' => 'regular@example.com',
+            'password' => 'password',
+        ]);
+
+        $this->assertAuthenticated();
+        $response->assertRedirect('/packages');
+        $this->assertEquals('regular@example.com', Auth::user()->email);
+    }
+}
--- a/tests/Feature/Auth/TenantAdminEntryTest.php
+++ b/tests/Feature/Auth/TenantAdminEntryTest.php
@@ -0,0 +1,42 @@
+<?php
+
+namespace Tests\Feature\Auth;
+
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class TenantAdminEntryTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_guest_is_redirected_to_admin_start(): void
+    {
+        $response = $this->get('/event-admin/dashboard');
+
+        $response->assertRedirect('/event-admin/start');
+    }
+
+    public function test_tenant_admin_can_access_admin_shell(): void
+    {
+        $user = User::factory()->create([
+            'role' => 'tenant_admin',
+        ]);
+
+        $response = $this->actingAs($user)->get('/event-admin/dashboard');
+
+        $response->assertOk();
+        $response->assertViewIs('admin');
+    }
+
+    public function test_regular_user_is_redirected_to_packages(): void
+    {
+        $user = User::factory()->create([
+            'role' => 'user',
+        ]);
+
+        $response = $this->actingAs($user)->get('/event-admin/dashboard');
+
+        $response->assertRedirect('/packages');
+    }
+}
--- a/tests/Feature/Auth/UserRoleAccessTest.php
+++ b/tests/Feature/Auth/UserRoleAccessTest.php
@@ -0,0 +1,77 @@
+<?php
+
+namespace Tests\Feature\Auth;
+
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class UserRoleAccessTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_user_role_cannot_access_dashboard(): void
+    {
+        $user = User::factory()->create(['role' => 'user']);
+
+        $response = $this->actingAs($user)->get('/dashboard');
+
+        $response->assertRedirect('/packages');
+    }
+
+    public function test_user_role_cannot_access_event_admin_dashboard(): void
+    {
+        $user = User::factory()->create(['role' => 'user']);
+
+        $response = $this->actingAs($user)->get('/event-admin/dashboard');
+
+        $response->assertRedirect('/packages');
+    }
+
+    public function test_user_role_cannot_access_event_admin_logout(): void
+    {
+        $user = User::factory()->create(['role' => 'user']);
+
+        $response = $this->actingAs($user)->get('/event-admin/logout');
+
+        $response->assertRedirect('/packages');
+    }
+
+    public function test_user_role_login_redirects_to_packages(): void
+    {
+        $user = User::factory()->create(['email' => 'test@example.com', 'role' => 'user']);
+
+        $response = $this->post('/login', [
+            'login' => 'test@example.com',
+            'password' => 'password',
+        ]);
+
+        $response->assertRedirect('/packages');
+    }
+
+    public function test_tenant_admin_can_access_both_dashboards(): void
+    {
+        $user = User::factory()->create(['role' => 'tenant_admin']);
+
+        // Can access regular dashboard
+        $response1 = $this->actingAs($user)->get('/dashboard');
+        $response1->assertStatus(200);
+
+        // Can access event admin dashboard
+        $response2 = $this->actingAs($user)->get('/event-admin/dashboard');
+        $response2->assertStatus(200);
+    }
+
+    public function test_super_admin_can_access_both_dashboards(): void
+    {
+        $user = User::factory()->create(['role' => 'super_admin']);
+
+        // Can access regular dashboard
+        $response1 = $this->actingAs($user)->get('/dashboard');
+        $response1->assertStatus(200);
+
+        // Can access event admin dashboard
+        $response2 = $this->actingAs($user)->get('/event-admin/dashboard');
+        $response2->assertStatus(200);
+    }
+}