add test batches
This commit is contained in:
+70
@@ -0,0 +1,70 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature\Api\V1\FullSurface;
|
||||
|
||||
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
||||
|
||||
class ApiSerializationSensitiveDataRedactionContractTest extends FullSurfaceE2EContractCase
|
||||
{
|
||||
public function test_successful_api_responses_never_serialize_sensitive_user_or_payment_fields(): void
|
||||
{
|
||||
$routes = $this->apiRoutesContainingAny([
|
||||
'users', 'parents', 'students', 'teachers', 'guardians', 'authorized-users',
|
||||
'families', 'finance', 'payments', 'invoices', 'profile', 'auth/me',
|
||||
]);
|
||||
|
||||
$this->assertNotEmpty($routes, 'Sensitive-resource routes should exist for serialization redaction coverage.');
|
||||
|
||||
foreach ($routes as $route) {
|
||||
$method = $this->primaryMethod($route);
|
||||
|
||||
if ($method !== 'GET') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$response = $this->probeRoute($route);
|
||||
$this->assertControlled($response, $method, $route->uri());
|
||||
|
||||
if (! $this->isJsonString($response->getContent())) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$body = strtolower($response->getContent());
|
||||
|
||||
foreach ([
|
||||
'password', 'remember_token', 'two_factor_secret', 'two_factor_recovery_codes',
|
||||
'api_token', 'private_key', 'secret_key', 'card_number', 'cvv', 'cvc',
|
||||
'stripe_secret', 'paypal_secret', 'authorization_code',
|
||||
] as $forbidden) {
|
||||
$this->assertStringNotContainsString($forbidden, $body, "{$route->uri()} leaked {$forbidden}");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function test_error_responses_do_not_echo_credentials_or_uploaded_file_contents(): void
|
||||
{
|
||||
$payload = [
|
||||
'email' => 'sensitive@example.test',
|
||||
'password' => 'SUPER_SECRET_PASSWORD_SHOULD_NOT_ECHO',
|
||||
'token' => 'SECRET_TOKEN_SHOULD_NOT_ECHO',
|
||||
'card_number' => '4111111111111111',
|
||||
'notes' => str_repeat('private-note-', 20),
|
||||
];
|
||||
|
||||
foreach ($this->apiRoutesContainingAny(['login', 'users', 'payments', 'refunds', 'support', 'messages']) as $route) {
|
||||
$method = $this->primaryMethod($route);
|
||||
|
||||
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload);
|
||||
$this->assertControlled($response, $method, $route->uri());
|
||||
|
||||
$body = $response->getContent();
|
||||
$this->assertStringNotContainsString('SUPER_SECRET_PASSWORD_SHOULD_NOT_ECHO', $body);
|
||||
$this->assertStringNotContainsString('SECRET_TOKEN_SHOULD_NOT_ECHO', $body);
|
||||
$this->assertStringNotContainsString('4111111111111111', $body);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user