apiRoutesContainingAny(['auth', 'login', 'logout', 'me', 'profile', 'frontend']), 0, 40) as $route) { $method = $this->primaryMethod($route); $response = $this->withCookie('laravel_session', 'attacker-controlled-session') ->withHeader('X-XSRF-TOKEN', 'not-a-real-xsrf-token') ->actingAs($this->actorFor($route->uri()), 'api') ->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri())); $this->assertControlled($response, $method, $route->uri()); $this->assertStringNotContainsString('csrf token mismatch', strtolower($response->getContent())); } } public function test_browser_only_session_headers_do_not_grant_api_privileges(): void { foreach (array_slice($this->apiRoutesContainingAny(['admin', 'users', 'roles', 'permissions', 'finance', 'inventory', 'attendance']), 0, 30) as $route) { $method = $this->primaryMethod($route); $response = $this->withCookie('laravel_session', 'fake-admin-browser-session') ->withHeaders(['X-Requested-With' => 'XMLHttpRequest', 'X-CSRF-TOKEN' => 'fake-csrf', 'X-User-Id' => (string) $this->admin->id]) ->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri())); $this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], $method.' '.$route->uri()); $this->assertStringNotContainsString('sqlstate', strtolower($response->getContent())); } } }