Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch17ZeroTrustInternalHeaderContractTest.php
2026-06-11 11:46:12 -04:00

36 lines
1.4 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch17ZeroTrustInternalHeaderContractTest extends FullSurfaceE2EContractCase
{
public function test_internal_proxy_and_service_headers_do_not_grant_privilege(): void
{
$routes = $this->apiRoutesContainingAny([
'users', 'roles', 'permissions', 'school-years', 'finance', 'inventory', 'settings', 'audit', 'admin', 'reports',
]);
$spoofHeaders = [
'X-Internal-Request' => 'true',
'X-Service-Name' => 'trusted-admin-service',
'X-Authenticated-User' => (string) $this->admin->id,
'X-User-Role' => 'administrator',
'X-Original-URI' => '/api/v1/admin/users',
'X-Forwarded-For' => '127.0.0.1',
'X-Real-IP' => '10.0.0.1',
'X-Envoy-External-Address' => '127.0.0.1',
];
foreach (array_slice($routes, 0, 80) as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$response = $this->withHeaders($spoofHeaders)->requestAs($this->studentUser, $method, $uri, $this->payloadFor($method, $uri));
$this->assertControlled($response, $method, $uri);
$this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' trusted spoofed internal headers.');
}
}
}