feat: implement tenant OAuth flow and guest achievements

tests/Feature/OAuthFlowTest.php

@@ -0,0 +1,143 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\OAuthClient;
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
+use Tests\TestCase;
+
+class OAuthFlowTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private const PUBLIC_KEY = <<<KEY
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlrZWbp/7pXo83BIJX3v/
+9f/51fxYFGZnZz9diqHkiOtDjggNdwze0LXruVeVb8YsaTI68RclgYCcsE4haTCG
+LlTivKFJL2O10IEzswjjD08MsanHer3xZRO6VZ7JLXmBNKp5C71zfFf8AhMnQ+Y6
+uGQ3wMOT6PWAiAmVBVYC8+KQsqyOkDu58bamhGGOrDsdWvrfDgRU1w8dxbgFYALQ
+v1pVVmYT9oBxZcS5FlT8auf8zLcHXEl6S7X61ZPd/GTWT5htdSiJyXfSa/xM7bJP
+CCv+mK6Gd5+1UG3RHGuwoi8Rch2O8PMglZqF6ybv/w836jUQKPl+sndePNN3soKQ
+5wIDAQAB
+-----END PUBLIC KEY-----
+KEY;
+
+    private const PRIVATE_KEY = <<<KEY
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWtlZun/ulejzc
+Eglfe//1//nV/FgUZmdnP12KoeSI60OOCA13DN7Qteu5V5VvxixpMjrxFyWBgJyw
+TiFpMIYuVOK8oUkvY7XQgTOzCOMPTwyxqcd6vfFlE7pVnskteYE0qnkLvXN8V/wC
+EydD5jq4ZDfAw5Po9YCICZUFVgLz4pCyrI6QO7nxtqaEYY6sOx1a+t8OBFTXDx3F
+uAVgAtC/WlVWZhP2gHFlxLkWVPxq5/zMtwdcSXpLtfrVk938ZNZPmG11KInJd9Jr
+/Eztsk8IK/6YroZ3n7VQbdEca7CiLxFyHY7w8yCVmoXrJu//DzfqNRAo+X6yd148
+03eygpDnAgMBAAECggEAFoldk11I/A2zXBU2YZjhRZ/pdB4v7Z0CiWXoTvq2eeL0
+TyDVIqBCEWOixCxcpEI2EeT4+2RCr4LT62lDhb9D0VnQLfTQRM3cOjmXyYXirj9b
+3pVMxwXwOvUgP/1mh+5La9yyDRdfVZCylnzWukiLL1eNHr4gOA2+EpmcNxgNiPp1
+Z8USUp2kmSZMPmQDkGEAJnrqmW7LyBvda3yuW557WtpaQlHTprvNQdBIUoFhLiiS
+HnV9kZfQHM3BdM06zx8c7W6sbVavLQlaD0mhM6Z7o7566pq1JKScjhfoGcZRTmLs
+kshQVSf38ayhAz8CikWiJgqFJigIZI0bR9fROOy+wQKBgQDOWjVRq8Ql+Eu0so/B
+3hS1TGaBOFe5vymeX+hnC87Zu7yVsj96mhmofnlTJdbSZLHfO631XD9O3qCcYzuK
+1PLzOvO38ZVZLq/CkiwkC4qfGVQb3/8v0QyIXCKhMrwkwuL6AYMjQi6vd/+4vp2C
+5EJefbNBfdvsC90t84wxqBpIDQKBgQC6+Rs7cBD9VOAKkNH1O4k9cE1JCDX6aqlg
+RtO/93+kbqxz3llvIebI9z3CPE7Wp0n2GEFjvDCTy5kST7BQvdwm4VlthSpfhx+l
+4ahw1+xbB3KQxemmf3MroTZWHLfTOGvHdei05EIdRZv8Mpi9UcHd7OhVO82SUnLn
+pBqGLZGrwwKBgB2FiltE16sW+r2/ThHOU+gcJg4WoXZRgwLFddpINi+wTCqedbZ0
+lXcloPXkU/eFsGzffOO9btE5yICXMc2K6bcil/uY9GTt6PdNMkN14z8fwIi8YyXU
+Ipbfl5S4TXJ070QVM024CjXQVSV5H8+6GESsdxjHiM8cY2hPj58LDbeBAoGAfd5r
+FcVoupJjzNkXbwboagLrFGpBpFYfth+YN1hPhou27r3V6TmiWtIOsm7VCC5QXSqR
+AqpS7XwXjTs2T/Swe0AjatZF409c39gdA/JoPBO0bX++voZ4Kvv5T1k/6yLFc96N
+jRFI7NnKm6oYJwMeBt+QvKhoyMNWdViFPqT4tu8CgYEAmcInq55jIJOr7GNvf6jV
+wojrBxhEGOF8U8YqX6FgVEmVDkEOer3mFDnkZT/S2IFjH4eruo/ZTFFtyw9K9JGd
+06FINYtK/H91SdcOJHuWdELuTQw0+Jtr47tSUlp1c3L0J7Mt1Sqqzg8lLoLYPcLJ
+d7faJuYR8uKalWG3ZimbGNo=
+-----END PRIVATE KEY-----
+KEY;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        file_put_contents(storage_path('app/public.key'), self::PUBLIC_KEY);
+        file_put_contents(storage_path('app/private.key'), self::PRIVATE_KEY);
+    }
+
+    public function test_authorization_code_flow_and_refresh(): void
+    {
+        $tenant = Tenant::factory()->create([
+            'slug' => 'test-tenant',
+        ]);
+
+        OAuthClient::create([
+            'id' => (string) Str::uuid(),
+            'client_id' => 'tenant-admin-app',
+            'tenant_id' => $tenant->id,
+            'redirect_uris' => ['http://localhost/callback'],
+            'scopes' => ['tenant:read', 'tenant:write'],
+            'is_active' => true,
+        ]);
+
+        $codeVerifier = 'unit-test-code-verifier-1234567890';
+        $codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
+        $state = Str::random(10);
+
+        $response = $this->get('/api/v1/oauth/authorize?' . http_build_query([
+            'client_id' => 'tenant-admin-app',
+            'redirect_uri' => 'http://localhost/callback',
+            'response_type' => 'code',
+            'scope' => 'tenant:read tenant:write',
+            'state' => $state,
+            'code_challenge' => $codeChallenge,
+            'code_challenge_method' => 'S256',
+        ]));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $query = [];
+        parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
+        $authorizationCode = $query['code'] ?? null;
+        $this->assertNotNull($authorizationCode, 'Authorization code should be present');
+        $this->assertEquals($state, $query['state'] ?? null);
+
+        $tokenResponse = $this->post('/api/v1/oauth/token', [
+            'grant_type' => 'authorization_code',
+            'code' => $authorizationCode,
+            'client_id' => 'tenant-admin-app',
+            'redirect_uri' => 'http://localhost/callback',
+            'code_verifier' => $codeVerifier,
+        ]);
+
+        $tokenResponse->assertOk();
+        $tokenData = $tokenResponse->json();
+
+        $this->assertArrayHasKey('access_token', $tokenData);
+        $this->assertArrayHasKey('refresh_token', $tokenData);
+        $this->assertSame('Bearer', $tokenData['token_type']);
+
+        $meResponse = $this->get('/api/v1/tenant/me', [
+            'Authorization' => 'Bearer ' . $tokenData['access_token'],
+        ]);
+
+        $meResponse->assertOk();
+        $meResponse->assertJsonFragment([
+            'tenant_id' => $tenant->id,
+            'name' => $tenant->name,
+        ]);
+
+        $refreshResponse = $this->post('/api/v1/oauth/token', [
+            'grant_type' => 'refresh_token',
+            'refresh_token' => $tokenData['refresh_token'],
+            'client_id' => 'tenant-admin-app',
+        ]);
+
+        $refreshResponse->assertOk();
+        $refreshData = $refreshResponse->json();
+        $this->assertArrayHasKey('access_token', $refreshData);
+        $this->assertArrayHasKey('refresh_token', $refreshData);
+        $this->assertNotEquals($refreshData['access_token'], $tokenData['access_token']);
+    }
+}

tests/Feature/TenantCreditsTest.php

@@ -0,0 +1,174 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\OAuthClient;
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
+use Tests\TestCase;
+
+class TenantCreditsTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private const PUBLIC_KEY = <<<KEY
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlrZWbp/7pXo83BIJX3v/
+9f/51fxYFGZnZz9diqHkiOtDjggNdwze0LXruVeVb8YsaTI68RclgYCcsE4haTCG
+LlTivKFJL2O10IEzswjjD08MsanHer3xZRO6VZ7JLXmBNKp5C71zfFf8AhMnQ+Y6
+uGQ3wMOT6PWAiAmVBVYC8+KQsqyOkDu58bamhGGOrDsdWvrfDgRU1w8dxbgFYALQ
+v1pVVmYT9oBxZcS5FlT8auf8zLcHXEl6S7X61ZPd/GTWT5htdSiJyXfSa/xM7bJP
+CCv+mK6Gd5+1UG3RHGuwoi8Rch2O8PMglZqF6ybv/w836jUQKPl+sndePNN3soKQ
+5wIDAQAB
+-----END PUBLIC KEY-----
+KEY;
+
+    private const PRIVATE_KEY = <<<KEY
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWtlZun/ulejzc
+Eglfe//1//nV/FgUZmdnP12KoeSI60OOCA13DN7Qteu5V5VvxixpMjrxFyWBgJyw
+TiFpMIYuVOK8oUkvY7XQgTOzCOMPTwyxqcd6vfFlE7pVnskteYE0qnkLvXN8V/wC
+EydD5jq4ZDfAw5Po9YCICZUFVgLz4pCyrI6QO7nxtqaEYY6sOx1a+t8OBFTXDx3F
+uAVgAtC/WlVWZhP2gHFlxLkWVPxq5/zMtwdcSXpLtfrVk938ZNZPmG11KInJd9Jr
+/Eztsk8IK/6YroZ3n7VQbdEca7CiLxFyHY7w8yCVmoXrJu//DzfqNRAo+X6yd148
+03eygpDnAgMBAAECggEAFoldk11I/A2zXBU2YZjhRZ/pdB4v7Z0CiWXoTvq2eeL0
+TyDVIqBCEWOixCxcpEI2EeT4+2RCr4LT62lDhb9D0VnQLfTQRM3cOjmXyYXirj9b
+3pVMxwXwOvUgP/1mh+5La9yyDRdfVZCylnzWukiLL1eNHr4gOA2+EpmcNxgNiPp1
+Z8USUp2kmSZMPmQDkGEAJnrqmW7LyBvda3yuW557WtpaQlHTprvNQdBIUoFhLiiS
+HnV9kZfQHM3BdM06zx8c7W6sbVavLQlaD0mhM6Z7o7566pq1JKScjhfoGcZRTmLs
+kshQVSf38ayhAz8CikWiJgqFJigIZI0bR9fROOy+wQKBgQDOWjVRq8Ql+Eu0so/B
+3hS1TGaBOFe5vymeX+hnC87Zu7yVsj96mhmofnlTJdbSZLHfO631XD9O3qCcYzuK
+1PLzOvO38ZVZLq/CkiwkC4qfGVQb3/8v0QyIXCKhMrwkwuL6AYMjQi6vd/+4vp2C
+5EJefbNBfdvsC90t84wxqBpIDQKBgQC6+Rs7cBD9VOAKkNH1O4k9cE1JCDX6aqlg
+RtO/93+kbqxz3llvIebI9z3CPE7Wp0n2GEFjvDCTy5kST7BQvdwm4VlthSpfhx+l
+4ahw1+xbB3KQxemmf3MroTZWHLfTOGvHdei05EIdRZv8Mpi9UcHd7OhVO82SUnLn
+pBqGLZGrwwKBgB2FiltE16sW+r2/ThHOU+gcJg4WoXZRgwLFddpINi+wTCqedbZ0
+lXcloPXkU/eFsGzffOO9btE5yICXMc2K6bcil/uY9GTt6PdNMkN14z8fwIi8YyXU
+Ipbfl5S4TXJ070QVM024CjXQVSV5H8+6GESsdxjHiM8cY2hPj58LDbeBAoGAfd5r
+FcVoupJjzNkXbwboagLrFGpBpFYfth+YN1hPhou27r3V6TmiWtIOsm7VCC5QXSqR
+AqpS7XwXjTs2T/Swe0AjatZF409c39gdA/JoPBO0bX++voZ4Kvv5T1k/6yLFc96N
+jRFI7NnKm6oYJwMeBt+QvKhoyMNWdViFPqT4tu8CgYEAmcInq55jIJOr7GNvf6jV
+wojrBxhEGOF8U8YqX6FgVEmVDkEOer3mFDnkZT/S2IFjH4eruo/ZTFFtyw9K9JGd
+06FINYtK/H91SdcOJHuWdELuTQw0+Jtr47tSUlp1c3L0J7Mt1Sqqzg8lLoLYPcLJ
+d7faJuYR8uKalWG3ZimbGNo=
+-----END PRIVATE KEY-----
+KEY;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        file_put_contents(storage_path('app/public.key'), self::PUBLIC_KEY);
+        file_put_contents(storage_path('app/private.key'), self::PRIVATE_KEY);
+    }
+
+    public function test_tenant_can_retrieve_balance_and_purchase_credits(): void
+    {
+        $tenant = Tenant::factory()->create([
+            'slug' => 'credits-tenant',
+            'event_credits_balance' => 0,
+        ]);
+
+        $client = OAuthClient::create([
+            'id' => (string) Str::uuid(),
+            'client_id' => 'tenant-admin-app',
+            'tenant_id' => $tenant->id,
+            'redirect_uris' => ['http://localhost/callback'],
+            'scopes' => ['tenant:read', 'tenant:write'],
+            'is_active' => true,
+        ]);
+
+        [$accessToken] = $this->obtainTokens($client);
+
+        $headers = [
+            'Authorization' => 'Bearer '.$accessToken,
+        ];
+
+        $balanceResponse = $this->withHeaders($headers)
+            ->getJson('/api/v1/tenant/credits/balance');
+
+        $balanceResponse->assertOk()
+            ->assertJsonStructure(['balance', 'free_event_granted_at']);
+
+        $purchaseResponse = $this->withHeaders($headers)
+            ->postJson('/api/v1/tenant/credits/purchase', [
+                'package_id' => 'event_starter',
+                'credits_added' => 5,
+                'platform' => 'capacitor',
+                'transaction_id' => 'txn_test_123',
+                'subscription_active' => false,
+            ]);
+
+        $purchaseResponse->assertCreated()
+            ->assertJsonStructure(['message', 'balance', 'subscription_active']);
+
+        $tenant->refresh();
+        $this->assertSame(5, $tenant->event_credits_balance);
+
+        $this->assertDatabaseHas('event_purchases', [
+            'tenant_id' => $tenant->id,
+            'events_purchased' => 5,
+            'external_receipt_id' => 'txn_test_123',
+        ]);
+
+        $this->assertDatabaseHas('event_credits_ledger', [
+            'tenant_id' => $tenant->id,
+            'delta' => 5,
+            'reason' => 'purchase',
+        ]);
+
+        $syncResponse = $this->withHeaders($headers)
+            ->postJson('/api/v1/tenant/credits/sync', [
+                'balance' => $tenant->event_credits_balance,
+                'subscription_active' => false,
+                'last_sync' => now()->toIso8601String(),
+            ]);
+
+        $syncResponse->assertOk()
+            ->assertJsonStructure(['balance', 'subscription_active', 'server_time']);
+    }
+
+    private function obtainTokens(OAuthClient $client): array
+    {
+        $codeVerifier = 'tenant-credits-code-verifier-1234567890';
+        $codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
+        $state = Str::random(10);
+
+        $response = $this->get('/api/v1/oauth/authorize?' . http_build_query([
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'response_type' => 'code',
+            'scope' => 'tenant:read tenant:write',
+            'state' => $state,
+            'code_challenge' => $codeChallenge,
+            'code_challenge_method' => 'S256',
+        ]));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $query = [];
+        parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
+        $authorizationCode = $query['code'] ?? null;
+        $this->assertNotNull($authorizationCode, 'Authorization code should be present');
+
+        $tokenResponse = $this->post('/api/v1/oauth/token', [
+            'grant_type' => 'authorization_code',
+            'code' => $authorizationCode,
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'code_verifier' => $codeVerifier,
+        ]);
+
+        $tokenResponse->assertOk();
+
+        return [
+            $tokenResponse->json('access_token'),
+            $tokenResponse->json('refresh_token'),
+        ];
+    }
+
+}

tests/e2e/guest-profile-flow.test.ts

@@ -0,0 +1,52 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('Guest Profile Flow', () => {
+  test('should require name setup on first event join and persist it', async ({ page }) => {
+    // Assume Vite dev server is running on localhost:5173
+    await page.goto('http://localhost:5173/');
+
+    // Enter event slug manually
+    await page.fill('input[placeholder*="Event-Code"]', 'test-event');
+    await page.click('button:has-text("Event beitreten")');
+
+    // Should redirect to setup if no name
+    await expect(page).toHaveURL(/.*\/e\/test-event\/setup/);
+
+    // Fill name and submit
+    await page.fill('input[placeholder*="Dein Name"]', 'Test User');
+    await page.click('button:has-text("LET\'S GO! ✨")');
+
+    // Should navigate to home
+    await expect(page).toHaveURL(/.*\/e\/test-event$/);
+
+    // Check localStorage
+    const storedName = await page.evaluate(() => localStorage.getItem('guestName_test-event'));
+    expect(storedName).toBe('Test User');
+
+    // Reload to test persistence - should stay on home, not redirect to setup
+    await page.reload();
+    await expect(page).toHaveURL(/.*\/e\/test-event$/);
+
+    // Re-nav to landing and join again - should go directly to home
+    await page.goto('http://localhost:5173/');
+    await page.fill('input[placeholder*="Event-Code"]', 'test-event');
+    await page.click('button:has-text("Event beitreten")');
+    await expect(page).toHaveURL(/.*\/e\/test-event$/);
+  });
+
+  test('should go directly to home if name already stored', async ({ page }) => {
+    // Pre-set name in localStorage
+    await page.addInitScript(() => {
+      localStorage.setItem('guestName_test-event', 'Existing User');
+    });
+
+    await page.goto('http://localhost:5173/');
+
+    // Join
+    await page.fill('input[placeholder*="Event-Code"]', 'test-event');
+    await page.click('button:has-text("Event beitreten")');
+
+    // Should go directly to home
+    await expect(page).toHaveURL(/.*\/e\/test-event$/);
+  });
+});

tests/e2e/oauth-flow.test.ts

@@ -0,0 +1,76 @@
+import { test, expect } from '@playwright/test';
+
+test('OAuth Flow for tenant-admin-app', async ({ page }) => {
+  const code_challenge = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
+  const code_verifier = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
+  const redirect_uri = 'http://localhost:8000/auth/callback';
+  const state = 'teststate';
+  const scope = 'tenant:read tenant:write tenant:admin';
+
+  const authorizeUrl = `/api/v1/oauth/authorize?response_type=code&client_id=tenant-admin-app&redirect_uri=${encodeURIComponent(redirect_uri)}&scope=${encodeURIComponent(scope)}&code_challenge=${code_challenge}&code_challenge_method=S256&state=${state}`;
+
+  // Navigate to authorize - should immediately redirect to callback
+  await page.goto(authorizeUrl);
+  await page.waitForLoadState('networkidle');
+
+  // Log response if no redirect
+  const currentUrl = page.url();
+  if (currentUrl.includes('/authorize')) {
+    const response = await page.content();
+    console.log('No redirect, response:', response.substring(0, 500)); // First 500 chars
+  }
+
+  // Wait for redirect to callback and parse params
+  await expect(page).toHaveURL(new RegExp(`${redirect_uri}\\?.*`));
+  const urlObj = new URL(currentUrl);
+  const code = urlObj.searchParams.get('code') || '';
+  const receivedState = urlObj.searchParams.get('state') || '';
+
+  expect(receivedState).toBe(state);
+  expect(code).not.toBeNull();
+
+  console.log('Authorization code:', code);
+
+  // Token exchange via fetch
+  const tokenParams = {
+    code: code!,
+    redirect_uri,
+    code_verifier
+  };
+  const tokenResponse = await page.evaluate(async (params) => {
+    const response = await fetch('/api/v1/oauth/token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: 'tenant-admin-app',
+        code: params.code,
+        redirect_uri: params.redirect_uri,
+        code_verifier: params.code_verifier,
+      }).toString(),
+    });
+    return await response.json();
+  }, tokenParams);
+
+  console.log('Token response:', tokenResponse);
+  expect(tokenResponse.access_token).toBeTruthy();
+
+  const accessToken = tokenResponse.access_token;
+
+  // Call /tenant/me with token
+  const meResponse = await page.evaluate(async (token) => {
+    const response = await fetch('/api/v1/tenant/me', {
+      headers: {
+        'Authorization': `Bearer ${token}`,
+        'Accept': 'application/json',
+      },
+    });
+    return await response.json();
+  }, accessToken);
+
+  console.log('/tenant/me response:', meResponse);
+  expect(meResponse).toHaveProperty('id');
+  expect(meResponse.email).toBe('demo@example.com');
+});