Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiRequestHeaderSpoofingContractTest.php
T
2026-06-09 00:03:03 -04:00

32 lines
1.3 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiRequestHeaderSpoofingContractTest extends FullSurfaceE2EContractCase
{
public function test_forwarded_and_override_headers_do_not_bypass_authorization(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['admin', 'users', 'finance', 'inventory', 'settings', 'school-years', 'permissions']), 0, 120);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$this->actingAs($this->parent, 'api');
$response = $this->withHeaders([
'X-Forwarded-For' => '127.0.0.1',
'X-Original-Method' => 'GET',
'X-HTTP-Method-Override' => 'GET',
'X-User-Role' => 'administrator',
'X-Admin' => 'true',
'X-Impersonate-User' => (string) $this->admin->id,
])->json($method, $this->materializePath($uri), $this->payloadFor($method, $uri));
$this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], 'spoofed headers should not authorize parent at '.$method.' '.$uri);
$this->assertNoServerError($response, 'header spoofing at '.$method.' '.$uri);
}
}
}