apiRoutesContainingAny(['webhook', 'callback', 'paypal', 'stripe', 'payment', 'provider']), 0, 120); $headerSets = [ [], ['X-Signature' => 'bad-signature'], ['PayPal-Transmission-Id' => 'replay-id', 'PayPal-Transmission-Sig' => 'bad'], ['Stripe-Signature' => 't=1,v1=bad'], ]; foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } foreach ($headerSets as $headers) { $response = $this->withHeaders($headers)->json($method, $this->materializePath($route->uri()), [ 'id' => 'evt_batch_12', 'type' => 'payment.succeeded', 'amount' => 10, 'metadata' => ['invoice_id' => $this->ids['invoiceId']], ]); $this->assertStatusIn($response, [200, 202, 400, 401, 403, 404, 405, 409, 419, 422], 'provider callback '.$method.' '.$route->uri()); $this->assertNoServerError($response, 'provider callback '.$method.' '.$route->uri()); $this->assertStringNotContainsString('secret', strtolower($response->getContent()), 'provider callback must not expose secrets'); } } } }