Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiWebhookReplayAndSignatureDepthContractTest.php
T
root 8661615717
API CI/CD / Validate (composer + pint) (push) Successful in 2m46s
API CI/CD / Test (PHPUnit) (push) Failing after 3m3s
API CI/CD / Build frontend assets (push) Failing after 5m22s
API CI/CD / Security audit (push) Failing after 34s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
Update PHPUnit test metadata attributes
2026-06-25 20:04:18 -04:00

42 lines
1.9 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use PHPUnit\Framework\Attributes\Test;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiWebhookReplayAndSignatureDepthContractTest extends FullSurfaceE2EContractCase
{
#[Test]
public function external_callback_routes_reject_missing_bad_and_replayed_signatures_cleanly(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['webhook', 'callback', 'paypal', 'stripe', 'provider', 'payment-notification']), 0, 80);
$payload = [
'id' => 'evt_e2e_probe',
'event' => 'payment.completed',
'amount' => 25.00,
'invoice_id' => $this->ids['invoiceId'],
];
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$missing = $this->json($method, $this->materializePath($uri), $payload);
$bad = $this->withHeaders(['X-Signature' => 'definitely-wrong', 'X-Timestamp' => '0'])->json($method, $this->materializePath($uri), $payload);
$replayed = $this->withHeaders(['X-Signature' => 'replayed', 'X-Webhook-Id' => 'evt_e2e_probe'])->json($method, $this->materializePath($uri), $payload);
foreach ([$missing, $bad, $replayed] as $response) {
$this->assertStatusIn($response, [200, 202, 204, 400, 401, 403, 404, 405, 409, 419, 422], "$method $uri webhook security response");
$this->assertLessThan(500, $response->getStatusCode(), "$method $uri webhook should not crash on bad signatures.");
$this->assertStringNotContainsString('secret', strtolower($response->getContent()), "$method $uri must not leak provider secrets.");
}
}
}
}