Add resend confirmation email feature (#166)

2026-06-01 10:04:00 +00:00 · 2026-03-07 23:03:31 -05:00
parent 431e11e052
commit 9238036042
12 changed files with 482 additions and 128 deletions
--- a/src/Core/API/API.Specs/Features/ResendConfirmation.feature
+++ b/src/Core/API/API.Specs/Features/ResendConfirmation.feature
@@ -0,0 +1,36 @@
+Feature: Resend Confirmation Email
+   As a user who did not receive the confirmation email
+   I want to request a resend of the confirmation email
+   So that I can obtain a working confirmation link while preventing abuse
+
+   Scenario: Legitimate resend for an unconfirmed user
+      Given the API is running
+      And I have registered a new account
+      And I have a valid access token for my account
+      When I submit a resend confirmation request for my account
+      Then the response has HTTP status 200
+      And the response JSON should have "message" containing "confirmation email has been resent"
+
+   Scenario: Resend is a no-op for an already confirmed user
+      Given the API is running
+      And I have registered a new account
+      And I have a valid confirmation token for my account
+      And I have a valid access token for my account
+      And I have confirmed my account
+      When I submit a resend confirmation request for my account
+      Then the response has HTTP status 200
+      And the response JSON should have "message" containing "confirmation email has been resent"
+
+   Scenario: Resend is a no-op for a non-existent user
+      Given the API is running
+      And I have registered a new account
+      And I have a valid access token for my account
+      When I submit a resend confirmation request for a non-existent user
+      Then the response has HTTP status 200
+      And the response JSON should have "message" containing "confirmation email has been resent"
+
+   Scenario: Resend requires authentication
+      Given the API is running
+      And I have registered a new account
+      When I submit a resend confirmation request without an access token
+      Then the response has HTTP status 401
--- a/src/Core/API/API.Specs/Mocks/MockEmailService.cs
+++ b/src/Core/API/API.Specs/Mocks/MockEmailService.cs
@@ -7,6 +7,8 @@ public class MockEmailService : IEmailService
 {
    public List<RegistrationEmail> SentRegistrationEmails { get; } = new();

+    public List<ResendConfirmationEmail> SentResendConfirmationEmails { get; } = new();
+
    public Task SendRegistrationEmailAsync(
        UserAccount createdUser,
        string confirmationToken
@@ -24,9 +26,27 @@ public class MockEmailService : IEmailService
        return Task.CompletedTask;
    }

+    public Task SendResendConfirmationEmailAsync(
+        UserAccount user,
+        string confirmationToken
+    )
+    {
+        SentResendConfirmationEmails.Add(
+            new ResendConfirmationEmail
+            {
+                UserAccount = user,
+                ConfirmationToken = confirmationToken,
+                SentAt = DateTime.UtcNow,
+            }
+        );
+
+        return Task.CompletedTask;
+    }
+
    public void Clear()
    {
        SentRegistrationEmails.Clear();
+        SentResendConfirmationEmails.Clear();
    }

    public class RegistrationEmail
@@ -35,4 +55,11 @@ public class MockEmailService : IEmailService
        public string ConfirmationToken { get; init; } = string.Empty;
        public DateTime SentAt { get; init; }
    }
+
+    public class ResendConfirmationEmail
+    {
+        public UserAccount UserAccount { get; init; } = null!;
+        public string ConfirmationToken { get; init; } = string.Empty;
+        public DateTime SentAt { get; init; }
+    }
 }
--- a/src/Core/API/API.Specs/Steps/AuthSteps.cs
+++ b/src/Core/API/API.Specs/Steps/AuthSteps.cs
@@ -1124,4 +1124,91 @@ public class AuthSteps(ScenarioContext scenario)
            refreshToken.Should().NotBe(previousRefreshToken);
        }
    }
+
+    [Given("I have confirmed my account")]
+    public async Task GivenIHaveConfirmedMyAccount()
+    {
+        var client = GetClient();
+        var token = scenario.TryGetValue<string>("confirmationToken", out var t)
+            ? t
+            : throw new InvalidOperationException("confirmation token not found");
+        var accessToken = scenario.TryGetValue<string>("accessToken", out var at)
+            ? at
+            : string.Empty;
+
+        var requestMessage = new HttpRequestMessage(
+            HttpMethod.Post,
+            $"/api/auth/confirm?token={Uri.EscapeDataString(token)}"
+        );
+        if (!string.IsNullOrEmpty(accessToken))
+            requestMessage.Headers.Add("Authorization", $"Bearer {accessToken}");
+
+        var response = await client.SendAsync(requestMessage);
+        response.EnsureSuccessStatusCode();
+    }
+
+    [When("I submit a resend confirmation request for my account")]
+    public async Task WhenISubmitAResendConfirmationRequestForMyAccount()
+    {
+        var client = GetClient();
+        var userId = scenario.TryGetValue<Guid>(RegisteredUserIdKey, out var id)
+            ? id
+            : throw new InvalidOperationException("registered user ID not found");
+        var accessToken = scenario.TryGetValue<string>("accessToken", out var at)
+            ? at
+            : string.Empty;
+
+        var requestMessage = new HttpRequestMessage(
+            HttpMethod.Post,
+            $"/api/auth/confirm/resend?userId={userId}"
+        );
+        if (!string.IsNullOrEmpty(accessToken))
+            requestMessage.Headers.Add("Authorization", $"Bearer {accessToken}");
+
+        var response = await client.SendAsync(requestMessage);
+        var responseBody = await response.Content.ReadAsStringAsync();
+        scenario[ResponseKey] = response;
+        scenario[ResponseBodyKey] = responseBody;
+    }
+
+    [When("I submit a resend confirmation request for a non-existent user")]
+    public async Task WhenISubmitAResendConfirmationRequestForANonExistentUser()
+    {
+        var client = GetClient();
+        var fakeUserId = Guid.NewGuid();
+        var accessToken = scenario.TryGetValue<string>("accessToken", out var at)
+            ? at
+            : string.Empty;
+
+        var requestMessage = new HttpRequestMessage(
+            HttpMethod.Post,
+            $"/api/auth/confirm/resend?userId={fakeUserId}"
+        );
+        if (!string.IsNullOrEmpty(accessToken))
+            requestMessage.Headers.Add("Authorization", $"Bearer {accessToken}");
+
+        var response = await client.SendAsync(requestMessage);
+        var responseBody = await response.Content.ReadAsStringAsync();
+        scenario[ResponseKey] = response;
+        scenario[ResponseBodyKey] = responseBody;
+    }
+
+    [When("I submit a resend confirmation request without an access token")]
+    public async Task WhenISubmitAResendConfirmationRequestWithoutAnAccessToken()
+    {
+        var client = GetClient();
+        var userId = scenario.TryGetValue<Guid>(RegisteredUserIdKey, out var id)
+            ? id
+            : Guid.NewGuid();
+
+        var requestMessage = new HttpRequestMessage(
+            HttpMethod.Post,
+            $"/api/auth/confirm/resend?userId={userId}"
+        );
+
+        var response = await client.SendAsync(requestMessage);
+        var responseBody = await response.Content.ReadAsStringAsync();
+        scenario[ResponseKey] = response;
+        scenario[ResponseBodyKey] = responseBody;
+    }
 }