940afe9319
API CI/CD / Validate (composer + pint) (push) Successful in 2m7s
API CI/CD / Test (PHPUnit) (push) Failing after 2m23s
API CI/CD / Build frontend assets (push) Successful in 2m18s
API CI/CD / Security audit (push) Successful in 31s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
60 lines
2.4 KiB
PHP
60 lines
2.4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch13AccountRecoveryCredentialChangeContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_password_reset_and_credential_routes_do_not_leak_user_existence_or_tokens(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['password', 'reset', 'forgot', 'verify', 'verification', 'credential', 'profile']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$payload = $this->payloadFor($method, $route->uri()) + [
|
|
'email' => 'does-not-exist-batch13@example.test',
|
|
'token' => str_repeat('x', 2048),
|
|
'password' => 'short',
|
|
'password_confirmation' => 'different',
|
|
'current_password' => 'wrong-password',
|
|
];
|
|
|
|
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload);
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
|
|
$body = strtolower($response->getContent());
|
|
$this->assertStringNotContainsString('password_resets', $body);
|
|
$this->assertStringNotContainsString('remember_token', $body);
|
|
$this->assertStringNotContainsString('reset_token', $body);
|
|
}
|
|
}
|
|
|
|
public function test_low_privilege_users_cannot_change_other_users_credentials(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['users', 'profile', 'password', 'credential']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$response = $this->requestAs($this->parent, $method, $route->uri(), [
|
|
'user_id' => $this->admin->id,
|
|
'email' => $this->admin->email,
|
|
'password' => 'NewPassword123!',
|
|
'password_confirmation' => 'NewPassword123!',
|
|
'role' => 'administrator',
|
|
]);
|
|
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
$this->assertNotContains(
|
|
$response->getStatusCode(),
|
|
[200, 201],
|
|
sprintf('%s %s unexpectedly allowed low-privilege credential mutation.', $method, $route->uri())
|
|
);
|
|
}
|
|
}
|
|
}
|