TenantAtlas/tests/Feature/Auth/SystemPanelAuthTest.php

<?php

use App\Filament\System\Pages\Auth\Login;
use App\Models\AuditLog;
use App\Models\PlatformUser;
use App\Models\Tenant;
use App\Support\Auth\PlatformCapabilities;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;

uses(RefreshDatabase::class);

beforeEach(function () {
    Filament::setCurrentPanel('system');
    Filament::bootCurrentPanel();
});

it('serves the system login page', function () {
    $this->get('/system/login')->assertSuccessful();
});

it('authenticates a platform user and audits success', function () {
    $platformTenant = Tenant::factory()->create([
        'tenant_id' => null,
        'external_id' => 'platform',
        'name' => 'Platform',
    ]);

    $user = PlatformUser::factory()->create([
        'email' => 'operator@tenantpilot.io',
        'is_active' => true,
        'last_login_at' => null,
    ]);

    Livewire::test(Login::class)
        ->set('data.email', $user->email)
        ->set('data.password', 'password')
        ->call('authenticate');

    expect(auth('platform')->check())->toBeTrue();
    expect(auth('platform')->id())->toBe($user->getKey());
    expect($user->fresh()->last_login_at)->not->toBeNull();

    $audit = AuditLog::query()
        ->where('tenant_id', $platformTenant->getKey())
        ->where('action', 'platform.auth.login')
        ->latest('id')
        ->first();

    expect($audit)->not->toBeNull();
    expect($audit->status)->toBe('success');
    expect($audit->actor_id)->toBe($user->getKey());
    expect($audit->metadata['attempted_email'] ?? null)->toBe($user->email);
});

it('rejects invalid credentials and audits failure', function () {
    $platformTenant = Tenant::factory()->create([
        'tenant_id' => null,
        'external_id' => 'platform',
        'name' => 'Platform',
    ]);

    $user = PlatformUser::factory()->create([
        'email' => 'operator@tenantpilot.io',
        'is_active' => true,
    ]);

    Livewire::test(Login::class)
        ->set('data.email', $user->email)
        ->set('data.password', 'wrong-password')
        ->call('authenticate')
        ->assertHasErrors(['data.email']);

    expect(auth('platform')->check())->toBeFalse();

    $audit = AuditLog::query()
        ->where('tenant_id', $platformTenant->getKey())
        ->where('action', 'platform.auth.login')
        ->latest('id')
        ->first();

    expect($audit)->not->toBeNull();
    expect($audit->status)->toBe('failure');
    expect($audit->metadata['attempted_email'] ?? null)->toBe($user->email);
    expect($audit->metadata['reason'] ?? null)->toBe('invalid_credentials');
});

it('rejects inactive platform users and audits failure', function () {
    $platformTenant = Tenant::factory()->create([
        'tenant_id' => null,
        'external_id' => 'platform',
        'name' => 'Platform',
    ]);

    $user = PlatformUser::factory()->create([
        'email' => 'operator@tenantpilot.io',
        'is_active' => false,
        'last_login_at' => null,
    ]);

    Livewire::test(Login::class)
        ->set('data.email', $user->email)
        ->set('data.password', 'password')
        ->call('authenticate')
        ->assertHasErrors(['data.email']);

    expect(auth('platform')->check())->toBeFalse();
    expect($user->fresh()->last_login_at)->toBeNull();

    $audit = AuditLog::query()
        ->where('tenant_id', $platformTenant->getKey())
        ->where('action', 'platform.auth.login')
        ->latest('id')
        ->first();

    expect($audit)->not->toBeNull();
    expect($audit->status)->toBe('failure');
    expect($audit->metadata['attempted_email'] ?? null)->toBe($user->email);
    expect($audit->metadata['reason'] ?? null)->toBe('inactive');
});

it('denies system panel access (403) for platform users without the required capability', function () {
    Tenant::factory()->create([
        'tenant_id' => null,
        'external_id' => 'platform',
        'name' => 'Platform',
    ]);

    $user = PlatformUser::factory()->create([
        'capabilities' => [],
        'is_active' => true,
    ]);

    Livewire::test(Login::class)
        ->set('data.email', $user->email)
        ->set('data.password', 'password')
        ->call('authenticate');

    expect(auth('platform')->check())->toBeTrue();

    $this->get('/system')->assertForbidden();
});

it('allows system panel access for platform users with the required capability', function () {
    Tenant::factory()->create([
        'tenant_id' => null,
        'external_id' => 'platform',
        'name' => 'Platform',
    ]);

    $user = PlatformUser::factory()->create([
        'capabilities' => [PlatformCapabilities::ACCESS_SYSTEM_PANEL],
        'is_active' => true,
    ]);

    $this->actingAs($user, 'platform');

    $this->get('/system')->assertSuccessful();
});