apiRoutesContainingAny(['dashboard', 'attendance', 'finance', 'messages', 'inventory', 'auth/me']); foreach ($routes as $route) { if ($this->primaryMethod($route) !== 'GET') { continue; } $requestId = (string) Str::uuid(); $response = $this->actingAs($this->actorFor($route->uri()), 'api') ->withHeader('X-Request-Id', $requestId) ->getJson($this->materializePath($route->uri())); $this->assertControlled($response, 'GET', $route->uri()); if ($response->headers->has('X-Request-Id')) { $this->assertSame($requestId, $response->headers->get('X-Request-Id')); } } } public function test_malformed_request_ids_do_not_break_error_handling(): void { foreach ($this->apiRoutesContainingAny(['login', 'users', 'payments', 'support']) as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $response = $this->actingAs($this->actorFor($route->uri()), 'api') ->withHeader('X-Request-Id', str_repeat('../', 200)) ->json($method, $this->materializePath($route->uri()), ['invalid' => ['payload' => ['shape']]]); $this->assertStatusIn($response, [400, 401, 403, 404, 409, 413, 422], "{$method} {$route->uri()} malformed request id"); $this->assertStringNotContainsString('../', $response->headers->get('X-Request-Id', '')); } } }