Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch12SensitiveConfigurationExposureContractTest.php
T
2026-06-08 23:45:55 -04:00

44 lines
2.0 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch12SensitiveConfigurationExposureContractTest extends FullSurfaceE2EContractCase
{
public function test_configuration_and_bootstrap_responses_do_not_expose_secrets(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['settings', 'configuration', 'config', 'frontend', 'bootstrap', 'env', 'health', 'debug']), 0, 120);
$forbidden = ['APP_KEY', 'DB_PASSWORD', 'MAIL_PASSWORD', 'STRIPE_SECRET', 'PAYPAL_SECRET', 'JWT_SECRET', 'SANCTUM', 'password_hash', 'remember_token'];
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if ($method !== 'GET') {
continue;
}
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri());
$this->assertControlled($response, $method, $route->uri());
$this->assertNoServerError($response, 'secret exposure probe '.$route->uri());
$body = $response->getContent();
foreach ($forbidden as $needle) {
$this->assertStringNotContainsString($needle, $body, $route->uri().' must not expose '.$needle);
}
}
}
public function test_low_privilege_users_cannot_read_sensitive_configuration_domains(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['settings', 'configuration', 'config', 'permissions']), 0, 100);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$response = $this->requestAs($this->studentUser, $method, $route->uri(), $this->payloadFor($method, $route->uri()));
$this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], 'student must not read/mutate sensitive configuration '.$method.' '.$route->uri());
$this->assertNoServerError($response, 'student configuration probe '.$method.' '.$route->uri());
}
}
}