apiRoutesContainingAny(['impersonate', 'acting-as', 'act-as', 'switch-user', 'delegate', 'behalf']); foreach (array_slice($routes, 0, 30) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'impersonator_id' => $this->admin->id, 'target_user_id' => $this->admin->id, 'acting_as' => 'administrator', 'reason' => 'Batch 15 impersonation boundary probe', 'approved_by' => $this->admin->id, 'expires_at' => '2099-01-01', ]; $parentResponse = $this->requestAs($this->parent, $method, $uri, $payload); $this->assertControlled($parentResponse, $method, $uri); $this->assertStringNotContainsString('access_token', strtolower($parentResponse->getContent())); } } }