test: add tests for join mail confirmation

2026-03-09 17:02:30 +01:00 · 2026-03-09 17:02:30 +01:00 · 3672ef0d03
commit 3672ef0d03
parent ad6ef169ac
5 changed files with 177 additions and 0 deletions
--- a/docs/page-permission-route-coverage.md
+++ b/docs/page-permission-route-coverage.md
@ -38,6 +38,8 @@ This document lists all protected routes, which permission set may access them,
 - `/auth*`, `/register`, `/reset`, `/sign-in`, `/sign-out`, `/confirm*`, `/password-reset*`, `/set_locale`
 The join confirmation route `GET /confirm_join/:token` is public (matched by `/confirm*`). Unit tests: `test/mv_web/controllers/join_confirm_controller_test.exs` (stubbed callback, no integration).
 ## Test Coverage
 **File:** `test/mv_web/plugs/check_page_permission_test.exs`
--- a/lib/mv_web/controllers/join_confirm_controller.ex
+++ b/lib/mv_web/controllers/join_confirm_controller.ex
@ -0,0 +1,45 @@
 defmodule MvWeb.JoinConfirmController do
  @moduledoc """
  Handles GET /confirm_join/:token for the public join flow (double opt-in).
  Calls a configurable callback (default Mv.Membership) so tests can stub the
  dependency. Public route; no authentication required.
  """
  use MvWeb, :controller
  def confirm(conn, %{"token" => token}) when is_binary(token) do
    callback = Application.get_env(:mv, :join_confirm_callback, Mv.Membership)
    case callback.confirm_join_request(token, actor: nil) do
      {:ok, _request} ->
        success_response(conn)
      {:error, :token_expired} ->
        expired_response(conn)
      {:error, _} ->
        invalid_response(conn)
    end
  end
  def confirm(conn, _params), do: invalid_response(conn)
  defp success_response(conn) do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, gettext("Thank you, we have received your request."))
  end
  defp expired_response(conn) do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, gettext("This link has expired. Please submit the form again."))
  end
  defp invalid_response(conn) do
    conn
    |> put_resp_content_type("text/html")
    |> put_status(404)
    |> send_resp(404, gettext("Invalid or expired link."))
  end
 end
--- a/lib/mv_web/router.ex
+++ b/lib/mv_web/router.ex
@ -126,6 +126,9 @@ defmodule MvWeb.Router do
      overrides: [MvWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.DaisyUI],
      gettext_backend: {MvWeb.Gettext, "auth"}
    # Public join confirmation (double opt-in); /confirm* is already public in CheckPagePermission
    get "/confirm_join/:token", JoinConfirmController, :confirm
    # Remove this if you do not use the magic link strategy.
    # magic_sign_in_route(Mv.Accounts.User, :magic_link,
    #   auth_routes_prefix: "/auth",
--- a/test/membership/join_request_submit_email_test.exs
+++ b/test/membership/join_request_submit_email_test.exs
@ -0,0 +1,34 @@
 defmodule Mv.Membership.JoinRequestSubmitEmailTest do
  @moduledoc """
  Unit tests for join request confirmation email on submit (Subtask 2).
  Asserts that submit_join_request triggers sending exactly one confirmation email
  (to the request email, with confirm link). Uses Swoosh.Adapters.Test; no integration.
  Sender is wired in implementation; test fails until then (TDD).
  """
  use Mv.DataCase, async: true
  import Swoosh.TestAssertions
  alias Mv.Membership
  @valid_submit_attrs %{
    email: "join#{System.unique_integer([:positive])}@example.com"
  }
  describe "submit_join_request/2 sends confirmation email" do
    test "sends exactly one email to the request email with confirm link" do
      token = "email-test-token-#{System.unique_integer([:positive])}"
      attrs = Map.put(@valid_submit_attrs, :confirmation_token, token)
      email = attrs.email
      assert {:ok, _request} = Membership.submit_join_request(attrs, actor: nil)
      assert_email_sent(fn email_sent ->
        to_addresses = Enum.map(email_sent.to, &elem(&1, 1))
        to_string(email) in to_addresses and
          (email_sent.html_body =~ "/confirm_join/" or email_sent.text_body =~ "/confirm_join/")
      end)
    end
  end
 end
--- a/test/mv_web/controllers/join_confirm_controller_test.exs
+++ b/test/mv_web/controllers/join_confirm_controller_test.exs
@ -0,0 +1,93 @@
 defmodule MvWeb.JoinConfirmControllerTest do
  @moduledoc """
  Unit tests for JoinConfirmController (Subtask 2).
  Stubs the join-confirm callback via Application config so no DB or domain is used.
  Uses unauthenticated conn; route is public (/confirm*).
  """
  use MvWeb.ConnCase, async: false
  # Stub modules for configurable callback (unit test: no real Membership calls)
  defmodule JoinConfirmValidStub do
    def confirm_join_request(_token, _opts), do: {:ok, %{}}
  end
  defmodule JoinConfirmExpiredStub do
    def confirm_join_request(_token, _opts), do: {:error, :token_expired}
  end
  defmodule JoinConfirmInvalidStub do
    def confirm_join_request(_token, _opts) do
      {:error, Ash.Error.Query.NotFound.exception(resource: Mv.Membership.JoinRequest)}
    end
  end
  setup %{conn: conn} do
    # Restore callback after each test so env does not leak
    on_exit(fn ->
      Application.delete_env(:mv, :join_confirm_callback)
    end)
    # Build unauthenticated conn for public confirm route
    unauth_conn =
      build_conn()
      |> init_test_session(%{})
      |> fetch_flash()
      |> Plug.Conn.put_private(:ecto_sandbox, conn.private[:ecto_sandbox])
    {:ok, conn: unauth_conn}
  end
  describe "GET /confirm_join/:token" do
    @tag role: :unauthenticated
    test "valid token returns 200 and success message", %{conn: conn} do
      Application.put_env(:mv, :join_confirm_callback, JoinConfirmValidStub)
      conn = get(conn, "/confirm_join/any-valid-token")
      assert response(conn, 200) =~ "received your request"
    end
    @tag role: :unauthenticated
    test "second request with same token still returns 200 (idempotent)", %{conn: conn} do
      Application.put_env(:mv, :join_confirm_callback, JoinConfirmValidStub)
      first = get(conn, "/confirm_join/same-token")
      second = get(conn, "/confirm_join/same-token")
      assert response(first, 200) =~ "received your request"
      assert response(second, 200) =~ "received your request"
    end
    @tag role: :unauthenticated
    test "expired token returns 200 with expired message", %{conn: conn} do
      Application.put_env(:mv, :join_confirm_callback, JoinConfirmExpiredStub)
      conn = get(conn, "/confirm_join/expired-token")
      assert response(conn, 200) =~ "expired"
      assert response(conn, 200) =~ "submit"
    end
    @tag role: :unauthenticated
    test "unknown or invalid token returns 404 with error message", %{conn: conn} do
      Application.put_env(:mv, :join_confirm_callback, JoinConfirmInvalidStub)
      conn = get(conn, "/confirm_join/nonexistent-token")
      assert response(conn, 404) =~ "Invalid"
    end
    @tag role: :unauthenticated
    test "route is public (unauthenticated request returns 200, not redirect to sign-in)", %{
      conn: conn
    } do
      Application.put_env(:mv, :join_confirm_callback, JoinConfirmValidStub)
      conn = get(conn, "/confirm_join/public-test-token")
      assert conn.status == 200
      refute redirected_to(conn) =~ "/sign-in"
    end
  end
 end