Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch14SessionCookieCsrfBoundaryContractTest.php
T
2026-06-09 01:03:53 -04:00

34 lines
1.9 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch14SessionCookieCsrfBoundaryContractTest extends FullSurfaceE2EContractCase
{
public function test_api_auth_routes_do_not_depend_on_browser_session_cookies(): void
{
foreach (array_slice($this->apiRoutesContainingAny(['auth', 'login', 'logout', 'me', 'profile', 'frontend']), 0, 40) as $route) {
$method = $this->primaryMethod($route);
$response = $this->withCookie('laravel_session', 'attacker-controlled-session')
->withHeader('X-XSRF-TOKEN', 'not-a-real-xsrf-token')
->actingAs($this->actorFor($route->uri()), 'api')
->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri()));
$this->assertControlled($response, $method, $route->uri());
$this->assertStringNotContainsString('csrf token mismatch', strtolower($response->getContent()));
}
}
public function test_browser_only_session_headers_do_not_grant_api_privileges(): void
{
foreach (array_slice($this->apiRoutesContainingAny(['admin', 'users', 'roles', 'permissions', 'finance', 'inventory', 'attendance']), 0, 30) as $route) {
$method = $this->primaryMethod($route);
$response = $this->withCookie('laravel_session', 'fake-admin-browser-session')
->withHeaders(['X-Requested-With' => 'XMLHttpRequest', 'X-CSRF-TOKEN' => 'fake-csrf', 'X-User-Id' => (string) $this->admin->id])
->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri()));
$this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], $method . ' ' . $route->uri());
$this->assertStringNotContainsString('sqlstate', strtolower($response->getContent()));
}
}
}