apiRoutesContainingAny(['webhook', 'callback', 'paypal', 'payment-notification', 'verify-payment']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $response = $this->json($method, $this->materializePath($route->uri()), [ 'provider' => 'e2e-fake-provider', 'event_id' => 'evt_fake', 'signature' => 'invalid-signature', 'amount' => 25, 'invoice_id' => $this->ids['invoiceId'], ]); $this->assertStatusIn($response, [200, 202, 400, 401, 403, 404, 409, 422], "Unsigned external callback {$route->uri()}"); $this->assertStringNotContainsString('secret', strtolower($response->getContent())); } } public function test_external_provider_status_routes_never_expose_provider_secrets(): void { foreach ($this->apiRoutesContainingAny(['paypal', 'payment', 'transaction', 'provider']) as $route) { if ($this->primaryMethod($route) !== 'GET') { continue; } $response = $this->requestAs($this->admin, 'GET', $route->uri()); $this->assertControlled($response, 'GET', $route->uri()); $body = strtolower($response->getContent()); $this->assertStringNotContainsString('client_secret', $body); $this->assertStringNotContainsString('webhook_secret', $body); $this->assertStringNotContainsString('private_key', $body); } } }