Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch13AccountRecoveryCredentialChangeContractTest.php
T
root 940afe9319
API CI/CD / Validate (composer + pint) (push) Successful in 2m7s
API CI/CD / Test (PHPUnit) (push) Failing after 2m23s
API CI/CD / Build frontend assets (push) Successful in 2m18s
API CI/CD / Security audit (push) Successful in 31s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
fix unit tests as well as missing code
2026-06-25 14:26:32 -04:00

60 lines
2.4 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch13AccountRecoveryCredentialChangeContractTest extends FullSurfaceE2EContractCase
{
public function test_password_reset_and_credential_routes_do_not_leak_user_existence_or_tokens(): void
{
$routes = $this->apiRoutesContainingAny(['password', 'reset', 'forgot', 'verify', 'verification', 'credential', 'profile']);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$payload = $this->payloadFor($method, $route->uri()) + [
'email' => 'does-not-exist-batch13@example.test',
'token' => str_repeat('x', 2048),
'password' => 'short',
'password_confirmation' => 'different',
'current_password' => 'wrong-password',
];
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload);
$this->assertControlled($response, $method, $route->uri());
$body = strtolower($response->getContent());
$this->assertStringNotContainsString('password_resets', $body);
$this->assertStringNotContainsString('remember_token', $body);
$this->assertStringNotContainsString('reset_token', $body);
}
}
public function test_low_privilege_users_cannot_change_other_users_credentials(): void
{
$routes = $this->apiRoutesContainingAny(['users', 'profile', 'password', 'credential']);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$response = $this->requestAs($this->parent, $method, $route->uri(), [
'user_id' => $this->admin->id,
'email' => $this->admin->email,
'password' => 'NewPassword123!',
'password_confirmation' => 'NewPassword123!',
'role' => 'administrator',
]);
$this->assertControlled($response, $method, $route->uri());
$this->assertNotContains(
$response->getStatusCode(),
[200, 201],
sprintf('%s %s unexpectedly allowed low-privilege credential mutation.', $method, $route->uri())
);
}
}
}