test: add tests for join mail confirmation

lib/mv_web/controllers/join_confirm_controller.ex

@@ -0,0 +1,45 @@
+defmodule MvWeb.JoinConfirmController do
+  @moduledoc """
+  Handles GET /confirm_join/:token for the public join flow (double opt-in).
+
+  Calls a configurable callback (default Mv.Membership) so tests can stub the
+  dependency. Public route; no authentication required.
+  """
+  use MvWeb, :controller
+
+  def confirm(conn, %{"token" => token}) when is_binary(token) do
+    callback = Application.get_env(:mv, :join_confirm_callback, Mv.Membership)
+
+    case callback.confirm_join_request(token, actor: nil) do
+      {:ok, _request} ->
+        success_response(conn)
+
+      {:error, :token_expired} ->
+        expired_response(conn)
+
+      {:error, _} ->
+        invalid_response(conn)
+    end
+  end
+
+  def confirm(conn, _params), do: invalid_response(conn)
+
+  defp success_response(conn) do
+    conn
+    |> put_resp_content_type("text/html")
+    |> send_resp(200, gettext("Thank you, we have received your request."))
+  end
+
+  defp expired_response(conn) do
+    conn
+    |> put_resp_content_type("text/html")
+    |> send_resp(200, gettext("This link has expired. Please submit the form again."))
+  end
+
+  defp invalid_response(conn) do
+    conn
+    |> put_resp_content_type("text/html")
+    |> put_status(404)
+    |> send_resp(404, gettext("Invalid or expired link."))
+  end
+end

lib/mv_web/router.ex

@@ -126,6 +126,9 @@ defmodule MvWeb.Router do
       overrides: [MvWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.DaisyUI],
       gettext_backend: {MvWeb.Gettext, "auth"}
 
+    # Public join confirmation (double opt-in); /confirm* is already public in CheckPagePermission
+    get "/confirm_join/:token", JoinConfirmController, :confirm
+
     # Remove this if you do not use the magic link strategy.
     # magic_sign_in_route(Mv.Accounts.User, :magic_link,
     #   auth_routes_prefix: "/auth",