app/tests/Feature/Auth/AuthFlowIntegrationTest.php

<?php

declare(strict_types=1);

use App\Models\Tenant;
use App\Models\User;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\Password;
use PragmaRX\Google2FA\Google2FA;

uses(DatabaseTransactions::class);

/**
 * Reset the Auth manager's default guard and cached guard instances back to
 * the 'web' SessionGuard.
 *
 * Necessary because auth:sanctum middleware calls Auth::shouldUse('sanctum')
 * on every successfully-authenticated request, which permanently changes
 * config('auth.defaults.guard') to 'sanctum' in the shared test application
 * instance. Laravel feature tests reuse the same $this->app between HTTP calls,
 * so this pollution persists across requests. Any subsequent call to
 * Auth::login() (which internally calls Auth::guard()->login()) then resolves
 * to the Sanctum RequestGuard — which has no login() method — and throws a
 * BadMethodCallException.
 *
 * The reset must happen *before* any request whose controller calls Auth::login()
 * without an explicit guard argument (i.e. login and 2fa/verify routes).
 */
function resetAuthToWebGuard(): void
{
    app('auth')->forgetGuards();
    app('auth')->setDefaultDriver('web');
}

it('full auth-flow writes all expected auth_log events', function () {
    Notification::fake();

    $tenant = Tenant::factory()->create();

    // ── Step 1: Register ─────────────────────────────────────────────────────
    $this->postJson('/api/auth/register', [
        'email' => 'flow-test@example.ru',
        'password' => 'secure-pass-1234',
        'accept_offer' => true,
        'accept_pdn' => true,
    ])->assertStatus(201);
    // logs: register_success

    $user = User::where('email', 'flow-test@example.ru')->first();
    expect($user)->not->toBeNull();

    // ── Step 2: Login (no 2FA yet) — establish session auth ──────────────────
    // No prior auth:sanctum request, so no reset needed here.
    $this->postJson('/api/auth/login', [
        'email' => 'flow-test@example.ru',
        'password' => 'secure-pass-1234',
    ])->assertOk();
    // logs: login_success (first direct login, 2FA not yet enabled)

    // ── Step 3: 2FA init (session-authenticated via web guard) ───────────────
    // auth:sanctum middleware → shouldUse('sanctum') → default becomes 'sanctum'
    $this->postJson('/api/2fa/init')->assertOk();
    // logs: 2fa_setup_init
    $secret = session('auth.pending_totp_secret');
    expect($secret)->not->toBeNull();

    // ── Step 4: 2FA confirm ───────────────────────────────────────────────────
    $google2fa = new Google2FA;
    $code = $google2fa->getCurrentOtp($secret);
    // auth:sanctum middleware → shouldUse('sanctum') again
    $this->postJson('/api/2fa/confirm', ['code' => $code])->assertOk();
    // logs: 2fa_setup_confirmed  (totp_enabled now true)

    // ── Step 5: Logout ────────────────────────────────────────────────────────
    // auth:sanctum middleware → shouldUse('sanctum') again
    $this->postJson('/api/auth/logout')->assertOk();
    // logs: logout

    // ── Step 6: Login with 2FA enabled ────────────────────────────────────────
    // auth.defaults.guard is now 'sanctum' from previous auth:sanctum requests.
    // Reset to 'web' so Auth::login() inside AuthController::login() finds the
    // SessionGuard (which implements login()) rather than the RequestGuard.
    resetAuthToWebGuard();

    $this->postJson('/api/auth/login', [
        'email' => 'flow-test@example.ru',
        'password' => 'secure-pass-1234',
    ])->assertOk();
    // requires_2fa=true, pending_user_id stored in session

    // ── Step 7: 2FA verify — completes login ─────────────────────────────────
    // No auth:sanctum request happened since the last reset, so no reset needed.
    $validCode = $google2fa->getCurrentOtp($secret);
    $this->postJson('/api/auth/2fa/verify', ['code' => $validCode])->assertOk();
    // logs: 2fa_verify_success

    // ── Step 8: 2FA disable (session-authenticated from step 7) ──────────────
    // auth:sanctum middleware → shouldUse('sanctum') again
    $this->postJson('/api/2fa/disable', ['password' => 'secure-pass-1234'])->assertOk();
    // logs: 2fa_disabled

    // ── Step 9: Logout ────────────────────────────────────────────────────────
    // auth:sanctum middleware → shouldUse('sanctum') again
    $this->postJson('/api/auth/logout')->assertOk();

    // ── Step 10: Login without 2FA — direct login_success ────────────────────
    // Reset again: auth.defaults.guard is 'sanctum' from Step 8+9 auth:sanctum.
    resetAuthToWebGuard();

    $this->postJson('/api/auth/login', [
        'email' => 'flow-test@example.ru',
        'password' => 'secure-pass-1234',
    ])->assertOk();
    // logs: login_success (direct login, 2FA now disabled)

    // ── Step 11: Forgot password ──────────────────────────────────────────────
    $this->postJson('/api/auth/logout')->assertOk();

    $this->postJson('/api/auth/forgot', [
        'email' => 'flow-test@example.ru',
    ])->assertOk();
    // logs: password_reset_requested

    // ── Step 12: Reset password ───────────────────────────────────────────────
    $token = Password::createToken($user);
    $this->postJson('/api/auth/reset-password', [
        'token' => $token,
        'email' => 'flow-test@example.ru',
        'password' => 'new-secure-pass-5678',
        'password_confirmation' => 'new-secure-pass-5678',
    ])->assertOk();
    // logs: password_reset_completed

    // ── Assert all expected events were recorded for this user ────────────────
    $events = DB::table('auth_log')
        ->where('user_id', $user->id)
        ->pluck('event')
        ->all();

    expect($events)->toContain(
        'register_success',
        '2fa_setup_init',
        '2fa_setup_confirmed',
        'logout',
        'login_success',
        '2fa_verify_success',
        '2fa_disabled',
        'password_reset_requested',
        'password_reset_completed',
    );
});
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`<?php`

			`declare(strict_types=1);`

			`use App\Models\Tenant;`
			`use App\Models\User;`
			`use Illuminate\Foundation\Testing\DatabaseTransactions;`
			`use Illuminate\Support\Facades\DB;`
			`use Illuminate\Support\Facades\Notification;`
			`use Illuminate\Support\Facades\Password;`
			`use PragmaRX\Google2FA\Google2FA;`

			`uses(DatabaseTransactions::class);`

			`/**`
			`* Reset the Auth manager's default guard and cached guard instances back to`
			`* the 'web' SessionGuard.`
			`*`
			`* Necessary because auth:sanctum middleware calls Auth::shouldUse('sanctum')`
			`* on every successfully-authenticated request, which permanently changes`
			`* config('auth.defaults.guard') to 'sanctum' in the shared test application`
			`* instance. Laravel feature tests reuse the same $this->app between HTTP calls,`
			`* so this pollution persists across requests. Any subsequent call to`
			`* Auth::login() (which internally calls Auth::guard()->login()) then resolves`
			`* to the Sanctum RequestGuard — which has no login() method — and throws a`
			`* BadMethodCallException.`
			`*`
			`* The reset must happen before any request whose controller calls Auth::login()`
			`* without an explicit guard argument (i.e. login and 2fa/verify routes).`
			`*/`
			`function resetAuthToWebGuard(): void`
			`{`
			`app('auth')->forgetGuards();`
			`app('auth')->setDefaultDriver('web');`
			`}`

			`it('full auth-flow writes all expected auth_log events', function () {`
			`Notification::fake();`

			`$tenant = Tenant::factory()->create();`

			`// ── Step 1: Register ─────────────────────────────────────────────────────`
			`$this->postJson('/api/auth/register', [`
style+fix(auth): pint formatting + nullsafe.neverNull fix + P1 plan DONE marker 2026-05-22 17:43:09 +03:00			`'email' => 'flow-test@example.ru',`
			`'password' => 'secure-pass-1234',`
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`'accept_offer' => true,`
style+fix(auth): pint formatting + nullsafe.neverNull fix + P1 plan DONE marker 2026-05-22 17:43:09 +03:00			`'accept_pdn' => true,`
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`])->assertStatus(201);`
			`// logs: register_success`

			`$user = User::where('email', 'flow-test@example.ru')->first();`
			`expect($user)->not->toBeNull();`

			`// ── Step 2: Login (no 2FA yet) — establish session auth ──────────────────`
			`// No prior auth:sanctum request, so no reset needed here.`
			`$this->postJson('/api/auth/login', [`
style+fix(auth): pint formatting + nullsafe.neverNull fix + P1 plan DONE marker 2026-05-22 17:43:09 +03:00			`'email' => 'flow-test@example.ru',`
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`'password' => 'secure-pass-1234',`
			`])->assertOk();`
			`// logs: login_success (first direct login, 2FA not yet enabled)`

			`// ── Step 3: 2FA init (session-authenticated via web guard) ───────────────`
			`// auth:sanctum middleware → shouldUse('sanctum') → default becomes 'sanctum'`
			`$this->postJson('/api/2fa/init')->assertOk();`
			`// logs: 2fa_setup_init`
			`$secret = session('auth.pending_totp_secret');`
			`expect($secret)->not->toBeNull();`

			`// ── Step 4: 2FA confirm ───────────────────────────────────────────────────`
			`$google2fa = new Google2FA;`
			`$code = $google2fa->getCurrentOtp($secret);`
			`// auth:sanctum middleware → shouldUse('sanctum') again`
			`$this->postJson('/api/2fa/confirm', ['code' => $code])->assertOk();`
			`// logs: 2fa_setup_confirmed (totp_enabled now true)`

			`// ── Step 5: Logout ────────────────────────────────────────────────────────`
			`// auth:sanctum middleware → shouldUse('sanctum') again`
			`$this->postJson('/api/auth/logout')->assertOk();`
			`// logs: logout`

			`// ── Step 6: Login with 2FA enabled ────────────────────────────────────────`
			`// auth.defaults.guard is now 'sanctum' from previous auth:sanctum requests.`
			`// Reset to 'web' so Auth::login() inside AuthController::login() finds the`
			`// SessionGuard (which implements login()) rather than the RequestGuard.`
			`resetAuthToWebGuard();`

			`$this->postJson('/api/auth/login', [`
style+fix(auth): pint formatting + nullsafe.neverNull fix + P1 plan DONE marker 2026-05-22 17:43:09 +03:00			`'email' => 'flow-test@example.ru',`
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`'password' => 'secure-pass-1234',`
			`])->assertOk();`
			`// requires_2fa=true, pending_user_id stored in session`

			`// ── Step 7: 2FA verify — completes login ─────────────────────────────────`
			`// No auth:sanctum request happened since the last reset, so no reset needed.`
			`$validCode = $google2fa->getCurrentOtp($secret);`
			`$this->postJson('/api/auth/2fa/verify', ['code' => $validCode])->assertOk();`
			`// logs: 2fa_verify_success`

			`// ── Step 8: 2FA disable (session-authenticated from step 7) ──────────────`
			`// auth:sanctum middleware → shouldUse('sanctum') again`
			`$this->postJson('/api/2fa/disable', ['password' => 'secure-pass-1234'])->assertOk();`
			`// logs: 2fa_disabled`

			`// ── Step 9: Logout ────────────────────────────────────────────────────────`
			`// auth:sanctum middleware → shouldUse('sanctum') again`
			`$this->postJson('/api/auth/logout')->assertOk();`

			`// ── Step 10: Login without 2FA — direct login_success ────────────────────`
			`// Reset again: auth.defaults.guard is 'sanctum' from Step 8+9 auth:sanctum.`
			`resetAuthToWebGuard();`

			`$this->postJson('/api/auth/login', [`
style+fix(auth): pint formatting + nullsafe.neverNull fix + P1 plan DONE marker 2026-05-22 17:43:09 +03:00			`'email' => 'flow-test@example.ru',`
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`'password' => 'secure-pass-1234',`
			`])->assertOk();`
			`// logs: login_success (direct login, 2FA now disabled)`

			`// ── Step 11: Forgot password ──────────────────────────────────────────────`
			`$this->postJson('/api/auth/logout')->assertOk();`

			`$this->postJson('/api/auth/forgot', [`
			`'email' => 'flow-test@example.ru',`
			`])->assertOk();`
			`// logs: password_reset_requested`

			`// ── Step 12: Reset password ───────────────────────────────────────────────`
			`$token = Password::createToken($user);`
			`$this->postJson('/api/auth/reset-password', [`
style+fix(auth): pint formatting + nullsafe.neverNull fix + P1 plan DONE marker 2026-05-22 17:43:09 +03:00			`'token' => $token,`
			`'email' => 'flow-test@example.ru',`
			`'password' => 'new-secure-pass-5678',`
test(auth): full auth-flow integration test for auth_log coverage 2026-05-22 17:37:02 +03:00			`'password_confirmation' => 'new-secure-pass-5678',`
			`])->assertOk();`
			`// logs: password_reset_completed`

			`// ── Assert all expected events were recorded for this user ────────────────`
			`$events = DB::table('auth_log')`
			`->where('user_id', $user->id)`
			`->pluck('event')`
			`->all();`

			`expect($events)->toContain(`
			`'register_success',`
			`'2fa_setup_init',`
			`'2fa_setup_confirmed',`
			`'logout',`
			`'login_success',`
			`'2fa_verify_success',`
			`'2fa_disabled',`
			`'password_reset_requested',`
			`'password_reset_completed',`
			`);`
			`});`