91 lines
3.9 KiB
PHP
91 lines
3.9 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiAuthenticationLifecycleDepthContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_authentication_lifecycle_handles_login_me_refresh_logout_and_invalid_credentials_consistently(): void
|
|
{
|
|
$loginRoutes = [
|
|
'/api/v1/auth/login',
|
|
'/api/login',
|
|
'/user/login',
|
|
];
|
|
|
|
foreach ($loginRoutes as $path) {
|
|
$response = $this->postJson($path, [
|
|
'email' => $this->admin->email,
|
|
'password' => 'password',
|
|
]);
|
|
|
|
$this->assertNoServerError($response, 'valid login at '.$path);
|
|
|
|
if ($response->getStatusCode() >= 200 && $response->getStatusCode() < 300) {
|
|
$this->assertTrue(
|
|
$response->json('token') !== null || $response->json('access_token') !== null || $response->json('user') !== null,
|
|
$path.' must return a usable login contract, not a mystery envelope.'
|
|
);
|
|
}
|
|
}
|
|
|
|
foreach ($loginRoutes as $path) {
|
|
$response = $this->postJson($path, [
|
|
'email' => $this->admin->email,
|
|
'password' => 'definitely-wrong-password',
|
|
]);
|
|
|
|
$this->assertStatusIn($response, [400, 401, 403, 419, 422], 'invalid login at '.$path);
|
|
$this->assertNoServerError($response, 'invalid login at '.$path);
|
|
}
|
|
|
|
foreach (['/api/v1/auth/me', '/api/v1/me', '/api/user'] as $path) {
|
|
$response = $this->actingAs($this->admin, 'api')->getJson($path);
|
|
$this->assertNoServerError($response, 'authenticated identity lookup at '.$path);
|
|
|
|
if ($response->getStatusCode() === 200) {
|
|
$this->assertTrue(
|
|
$response->json('user') !== null || $response->json('id') !== null || $response->json('data') !== null,
|
|
$path.' must expose a stable identity payload.'
|
|
);
|
|
}
|
|
}
|
|
|
|
foreach (['/api/v1/auth/logout', '/api/logout', '/user/logout'] as $path) {
|
|
$first = $this->actingAs($this->admin, 'api')->postJson($path);
|
|
$second = $this->actingAs($this->admin, 'api')->postJson($path);
|
|
|
|
$this->assertNoServerError($first, 'first logout at '.$path);
|
|
$this->assertNoServerError($second, 'repeat logout at '.$path);
|
|
$this->assertStatusIn($first, [200, 202, 204, 302, 401, 404, 419, 422], 'first logout at '.$path);
|
|
$this->assertStatusIn($second, [200, 202, 204, 302, 401, 404, 419, 422], 'repeat logout at '.$path);
|
|
}
|
|
}
|
|
|
|
public function test_password_reset_and_registration_like_routes_do_not_leak_account_existence(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['forgot', 'password', 'reset', 'register', 'verify']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$uri = $route->uri();
|
|
$response = $this->json($method, $this->materializePath($uri), [
|
|
'email' => 'nobody.'.uniqid().'@example.test',
|
|
'password' => 'password',
|
|
'password_confirmation' => 'not-the-same',
|
|
'token' => 'not-a-real-token',
|
|
]);
|
|
|
|
$this->assertControlled($response, $method, $uri);
|
|
$this->assertNoServerError($response, $method.' '.$uri);
|
|
$this->assertStringNotContainsStringIgnoringCase('select * from', $response->getContent(), $uri.' must not leak account lookup SQL.');
|
|
$this->assertStringNotContainsStringIgnoringCase('No query results for model', $response->getContent(), $uri.' must not leak framework model lookups.');
|
|
}
|
|
}
|
|
}
|