35 lines
1.4 KiB
PHP
35 lines
1.4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch16AdaptivePublicEndpointAbuseContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_batch16_public_endpoints_ignore_identity_spoofing_and_privileged_query_flags(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['public', 'captcha', 'contact', 'docs', 'health', 'scan', 'scanner', 'badge', 'policy']);
|
|
|
|
foreach (array_slice($routes, 0, 45) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$response = $this->withHeaders([
|
|
'X-User-Id' => (string) $this->admin->id,
|
|
'X-Role' => 'administrator',
|
|
'Authorization' => 'Bearer forged-public-token',
|
|
])->json($method, $this->materializePath($uri), $this->payloadFor($method, $uri) + [
|
|
'admin' => true,
|
|
'include_private' => true,
|
|
'student_id' => $this->ids['studentId'],
|
|
'parent_id' => $this->ids['parentId'],
|
|
]);
|
|
|
|
$this->assertControlled($response, $method, $uri);
|
|
$body = strtolower($response->getContent());
|
|
foreach (['remember_token', 'password', 'db_password', 'app_key'] as $forbidden) {
|
|
$this->assertStringNotContainsString($forbidden, $body);
|
|
}
|
|
}
|
|
}
|
|
}
|