MRR-Group · KacperWalenga · Oct 11, 2025 · Oct 10, 2025 · Oct 11, 2025 · Oct 11, 2025
diff --git a/app/Actions/Auth/ChangePasswordAction.php b/app/Actions/Auth/ChangePasswordAction.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Actions\Auth;
+
+use Illuminate\Support\Facades\Hash;
+use Strava\Models\User;
+
+class ChangePasswordAction
+{
+    public function execute(User $user, string $currentPassword, string $newPassword): bool
+    {
+        if (!Hash::check($currentPassword, $user->password)) {
+            return false;
+        }
+
+        $hashedPassword = Hash::make($newPassword);
+
+        $user->password = $hashedPassword;
+        $user->save();
+
+        return true;
+    }
+}
diff --git a/app/Actions/Auth/ResetPasswordAction.php b/app/Actions/Auth/ResetPasswordAction.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Actions\Auth;
+
+use Illuminate\Auth\Events\PasswordReset;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
+use Illuminate\Support\Str;
+use Strava\Models\User;
+
+class ResetPasswordAction
+{
+    public function execute(array $credentials): bool
+    {
+        $status = Password::reset($credentials, function (User $user, string $password): void {
+            $user->forceFill([
+                "password" => Hash::make($password),
+            ])->setRememberToken(Str::random(60));
+
+            $user->save();
+
+            event(new PasswordReset($user));
+        });
+
+        return $status === Password::PASSWORD_RESET;
+    }
+}
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Controllers\Auth;
+
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Auth;
+use Strava\Http\Controllers\Controller;
+use Strava\Http\Requests\Auth\LoginRequest;
+use Symfony\Component\HttpFoundation\Response;
+
+class LoginController extends Controller
+{
+    public function login(LoginRequest $request): JsonResponse
+    {
+        $credentials = $request->validated();
+
+        if (!Auth::attempt($credentials)) {
+            return response()->json([], Response::HTTP_FORBIDDEN);
+        }
+
+        $user = Auth::user();
+        $token = $user->createToken("api-token")->plainTextToken;
+
+        return response()->json([
+            "token" => $token,
+            "user_id" => $user->id,
+        ], Response::HTTP_OK);
+    }
+}
diff --git a/app/Http/Controllers/Auth/LogoutController.php b/app/Http/Controllers/Auth/LogoutController.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Controllers\Auth;
+
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Strava\Http\Controllers\Controller;
+use Symfony\Component\HttpFoundation\Response;
+
+class LogoutController extends Controller
+{
+    public function logout(Request $request): JsonResponse
+    {
+        $user = $request->user();
+        $token = $user->currentAccessToken();
+
+        $token->delete();
+
+        return response()->json([], Response::HTTP_OK);
+    }
+}
diff --git a/app/Http/Controllers/Auth/PasswordController.php b/app/Http/Controllers/Auth/PasswordController.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Controllers\Auth;
+
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Password;
+use Strava\Actions\Auth\ChangePasswordAction;
+use Strava\Actions\Auth\ResetPasswordAction;
+use Strava\Http\Controllers\Controller;
+use Strava\Http\Requests\Auth\ChangePasswordRequest;
+use Strava\Http\Requests\Auth\ForgotPasswordRequest;
+use Strava\Http\Requests\Auth\ResetPasswordRequest;
+use Symfony\Component\HttpFoundation\Response;
+
+class PasswordController extends Controller
+{
+    public function sendResetEmail(ForgotPasswordRequest $request): JsonResponse
+    {
+        $validated = $request->validated();
+
+        Password::sendResetLink($validated);
+
+        return response()->json([], Response::HTTP_OK);
+    }
+
+    public function resetPassword(ResetPasswordRequest $request, ResetPasswordAction $resetPasswordAction): JsonResponse
+    {
+        $validated = $request->validated();
+        $success = $resetPasswordAction->execute($validated);
+
+        return $success
+            ? response()->json([], Response::HTTP_OK)
+            : response()->json([], Response::HTTP_BAD_REQUEST);
+    }
+
+    public function changePassword(ChangePasswordRequest $request, ChangePasswordAction $changePasswordAction): JsonResponse
+    {
+        $user = $request->user();
+        $validated = $request->validated();
+
+        $currentPassword = $validated["current_password"];
+        $newPassword = $validated["password"];
+
+        $success = $changePasswordAction->execute(
+            $user,
+            $currentPassword,
+            $newPassword,
+        );
+
+        return $success ?
+            response()->json([], Response::HTTP_OK)
+            : response()->json([], Response::HTTP_FORBIDDEN);
+    }
+}
diff --git a/app/Http/Controllers/Auth/RegisterController.php b/app/Http/Controllers/Auth/RegisterController.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Controllers\Auth;
+
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Hash;
+use Strava\Http\Controllers\Controller;
+use Strava\Http\Requests\Auth\RegisterRequest;
+use Strava\Models\User;
+use Symfony\Component\HttpFoundation\Response;
+
+class RegisterController extends Controller
+{
+    public function register(RegisterRequest $request): JsonResponse
+    {
+        $validated = $request->validated();
+
+        $user = new User($validated);
+        $user->password = Hash::make($validated["password"]);
+        $user->save();
+
+        return response()->json([], Response::HTTP_CREATED);
+    }
+}
diff --git a/app/Http/Requests/Auth/ChangePasswordRequest.php b/app/Http/Requests/Auth/ChangePasswordRequest.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Requests\Auth;
+
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class ChangePasswordRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return auth()->check();
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            "current_password" => ["required", "string"],
+            "password" => ["required", "string", "min:8", "confirmed"],
+        ];
+    }
+}
diff --git a/app/Http/Requests/Auth/ForgotPasswordRequest.php b/app/Http/Requests/Auth/ForgotPasswordRequest.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Requests\Auth;
+
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class ForgotPasswordRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            "email" => ["email", "string", "required", "max:255"],
+        ];
+    }
+}
diff --git a/app/Http/Requests/Auth/LoginRequest.php b/app/Http/Requests/Auth/LoginRequest.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Requests\Auth;
+
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class LoginRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            "email" => ["required", "string", "email", "max:255"],
+            "password" => ["required", "string", "max:255"],
+        ];
+    }
+}
diff --git a/app/Http/Requests/Auth/RegisterRequest.php b/app/Http/Requests/Auth/RegisterRequest.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Requests\Auth;
+
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class RegisterRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            "name" => ["required", "string", "max:255"],
+            "email" => ["required", "string", "email:rfc,dns", "max:255", "unique:users"],
+            "password" => ["required", "string", "min:8", "max:255", "confirmed"],
+        ];
+    }
+}
diff --git a/app/Http/Requests/Auth/ResetPasswordRequest.php b/app/Http/Requests/Auth/ResetPasswordRequest.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Strava\Http\Requests\Auth;
+
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class ResetPasswordRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            "token" => ["required", "string"],
+            "email" => ["required", "string", "email"],
+            "password" => ["required", "string", "min:8", "max:255", "confirmed"],
+        ];
+    }
+}
diff --git a/app/Models/User.php b/app/Models/User.php
@@ -9,8 +9,10 @@
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use Laravel\Sanctum\HasApiTokens;
+use Strava\Notifications\ForgotPasswordNotification;
 
 /**
+ * @property int $id
  * @property string $name
  * @property string $email
  * @property string $password
@@ -34,6 +36,11 @@ class User extends Authenticatable
         "remember_token",
     ];
 
+    public function sendPasswordResetNotification($token): void
+    {
+        $this->notify(new ForgotPasswordNotification($this->email));
+    }
+
     protected function casts(): array
     {
         return [