56 lines
2.2 KiB
PHP
56 lines
2.2 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch13AccountRecoveryCredentialChangeContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_password_reset_and_credential_routes_do_not_leak_user_existence_or_tokens(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['password', 'reset', 'forgot', 'verify', 'verification', 'credential', 'profile']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$payload = $this->payloadFor($method, $route->uri()) + [
|
|
'email' => 'does-not-exist-batch13@example.test',
|
|
'token' => str_repeat('x', 2048),
|
|
'password' => 'short',
|
|
'password_confirmation' => 'different',
|
|
'current_password' => 'wrong-password',
|
|
];
|
|
|
|
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload);
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
|
|
$body = strtolower($response->getContent());
|
|
$this->assertStringNotContainsString('password_resets', $body);
|
|
$this->assertStringNotContainsString('remember_token', $body);
|
|
$this->assertStringNotContainsString('reset_token', $body);
|
|
}
|
|
}
|
|
|
|
public function test_low_privilege_users_cannot_change_other_users_credentials(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['users', 'profile', 'password', 'credential']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$response = $this->requestAs($this->parent, $method, $route->uri(), [
|
|
'user_id' => $this->admin->id,
|
|
'email' => $this->admin->email,
|
|
'password' => 'NewPassword123!',
|
|
'password_confirmation' => 'NewPassword123!',
|
|
'role' => 'administrator',
|
|
]);
|
|
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
$this->assertNotContains($response->getStatusCode(), [200, 201]);
|
|
}
|
|
}
|
|
}
|