Add POST /api/account/lookup route for account lookup by email

New API endpoint secured by X-App-Secret header (no JWT auth required). Accepts an email in the request body and returns the user's id and stripeAccountId if present. Includes 6 unit tests covering all cases (success, missing secret, invalid secret, missing email, user not found). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:03:15 +01:00
parent f2f8b31d6e
commit ea50f8e740
2 changed files with 189 additions and 0 deletions
--- a/src/Controller/Api/ApiAccountController.php
+++ b/src/Controller/Api/ApiAccountController.php
@@ -0,0 +1,53 @@
 <?php
 namespace App\Controller\Api;
 use App\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Attribute\Route;
 #[Route('/api/account')]
 class ApiAccountController extends AbstractController
 {
    use ApiAuthTrait;
    /** @codeCoverageIgnore Autowire injection */
    public function __construct(
        #[Autowire('%kernel.secret%')] private string $appSecret,
    ) {
    }
    #[Route('/lookup', name: 'app_api_account_lookup', methods: ['POST'])]
    public function lookup(
        Request $request,
        EntityManagerInterface $em,
    ): JsonResponse {
        $secret = $request->headers->get('X-App-Secret', '');
        if ('' === $secret || !hash_equals($this->appSecret, $secret)) {
            return $this->error('Secret invalide.', 401);
        }
        $data = json_decode($request->getContent(), true);
        $email = $data['email'] ?? '';
        if ('' === $email) {
            return $this->error('Email requis.');
        }
        $user = $em->getRepository(User::class)->findOneBy(['email' => $email]);
        if (!$user) {
            return $this->error('Utilisateur introuvable.', 404);
        }
        return $this->success([
            'id' => $user->getId(),
            'stripeAccountId' => $user->getStripeAccountId(),
        ]);
    }
 }
--- a/tests/Controller/Api/ApiAccountControllerTest.php
+++ b/tests/Controller/Api/ApiAccountControllerTest.php
@@ -0,0 +1,136 @@
 <?php
 namespace App\Tests\Controller\Api;
 use App\Controller\Api\ApiAccountController;
 use App\Entity\User;
 use App\Repository\UserRepository;
 use Doctrine\ORM\EntityManagerInterface;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Request;
 class ApiAccountControllerTest extends TestCase
 {
    private const SECRET = 'test_secret';
    private function createController(): ApiAccountController
    {
        $reflection = new \ReflectionClass(ApiAccountController::class);
        $controller = $reflection->newInstanceWithoutConstructor();
        $prop = $reflection->getProperty('appSecret');
        $prop->setValue($controller, self::SECRET);
        // Set the container to null-like state — we only use the trait helpers
        $containerProp = (new \ReflectionClass(\Symfony\Bundle\FrameworkBundle\Controller\AbstractController::class))->getProperty('container');
        $containerProp->setValue($controller, new \Symfony\Component\DependencyInjection\Container());
        return $controller;
    }
    private function createEm(?User $user): EntityManagerInterface
    {
        $repo = $this->createMock(UserRepository::class);
        $repo->method('findOneBy')->willReturn($user);
        $em = $this->createMock(EntityManagerInterface::class);
        $em->method('getRepository')->willReturn($repo);
        return $em;
    }
    private function createUser(int $id, string $email, ?string $stripeAccountId = null): User
    {
        $user = $this->createMock(User::class);
        $user->method('getId')->willReturn($id);
        $user->method('getEmail')->willReturn($email);
        $user->method('getStripeAccountId')->willReturn($stripeAccountId);
        return $user;
    }
    private function makeRequest(string $email = '', string $secret = self::SECRET): Request
    {
        $request = Request::create('/api/account/lookup', 'POST', [], [], [], [], json_encode(['email' => $email]));
        $request->headers->set('X-App-Secret', $secret);
        $request->headers->set('Content-Type', 'application/json');
        return $request;
    }
    public function testLookupSuccess(): void
    {
        $controller = $this->createController();
        $user = $this->createUser(42, 'test@example.com', 'acct_123');
        $em = $this->createEm($user);
        $response = $controller->lookup($this->makeRequest('test@example.com'), $em);
        self::assertSame(200, $response->getStatusCode());
        $data = json_decode($response->getContent(), true);
        self::assertTrue($data['success']);
        self::assertSame(42, $data['data']['id']);
        self::assertSame('acct_123', $data['data']['stripeAccountId']);
    }
    public function testLookupSuccessWithoutStripe(): void
    {
        $controller = $this->createController();
        $user = $this->createUser(10, 'user@example.com');
        $em = $this->createEm($user);
        $response = $controller->lookup($this->makeRequest('user@example.com'), $em);
        $data = json_decode($response->getContent(), true);
        self::assertTrue($data['success']);
        self::assertSame(10, $data['data']['id']);
        self::assertNull($data['data']['stripeAccountId']);
    }
    public function testLookupInvalidSecret(): void
    {
        $controller = $this->createController();
        $em = $this->createEm(null);
        $response = $controller->lookup($this->makeRequest('test@example.com', 'wrong_secret'), $em);
        self::assertSame(401, $response->getStatusCode());
        $data = json_decode($response->getContent(), true);
        self::assertFalse($data['success']);
        self::assertSame('Secret invalide.', $data['error']);
    }
    public function testLookupEmptySecret(): void
    {
        $controller = $this->createController();
        $em = $this->createEm(null);
        $response = $controller->lookup($this->makeRequest('test@example.com', ''), $em);
        self::assertSame(401, $response->getStatusCode());
    }
    public function testLookupMissingEmail(): void
    {
        $controller = $this->createController();
        $em = $this->createEm(null);
        $response = $controller->lookup($this->makeRequest(''), $em);
        self::assertSame(400, $response->getStatusCode());
        $data = json_decode($response->getContent(), true);
        self::assertSame('Email requis.', $data['error']);
    }
    public function testLookupUserNotFound(): void
    {
        $controller = $this->createController();
        $em = $this->createEm(null);
        $response = $controller->lookup($this->makeRequest('notfound@example.com'), $em);
        self::assertSame(404, $response->getStatusCode());
        $data = json_decode($response->getContent(), true);
        self::assertSame('Utilisateur introuvable.', $data['error']);
    }
 }