33 lines
2.0 KiB
PHP
33 lines
2.0 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch14AttendanceDeviceAndKioskAbuseContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_kiosk_scanner_and_attendance_routes_reject_forged_device_identity(): void
|
|
{
|
|
foreach (array_slice($this->apiRoutesContainingAny(['attendance', 'scanner', 'scan', 'kiosk', 'badge', 'dismissal', 'late']), 0, 55) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$response = $this->withHeaders(['X-Device-Id' => 'trusted-front-desk-tablet', 'X-Kiosk-Mode' => 'true', 'X-Scanner-Token' => 'forged-scanner-token', 'X-Forwarded-For' => '127.0.0.1'])
|
|
->actingAs($this->actorFor($route->uri()), 'api')
|
|
->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri()) + ['badge_token' => 'forged-badge-token', 'device_id' => 'trusted-front-desk-tablet', 'scan_time' => '2099-01-01 00:00:00', 'status' => 'present', 'override' => true]);
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
$this->assertStringNotContainsString('sqlstate', strtolower($response->getContent()));
|
|
}
|
|
}
|
|
|
|
public function test_student_and_parent_cannot_self_mark_attendance_through_device_payloads(): void
|
|
{
|
|
foreach (array_slice($this->apiRoutesContainingAny(['attendance', 'scan', 'dismissal', 'late']), 0, 30) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; }
|
|
foreach ([$this->studentUser, $this->parent] as $actor) {
|
|
$response = $this->requestAs($actor, $method, $route->uri(), ['student_id' => $this->ids['studentId'], 'status' => 'present', 'verified_by_device' => true, 'override_reason' => 'parent approved']);
|
|
$this->assertStatusIn($response, [400, 401, 403, 404, 405, 409, 419, 422], $method . ' ' . $route->uri());
|
|
}
|
|
}
|
|
}
|
|
}
|