34 lines
1.9 KiB
PHP
34 lines
1.9 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch14SessionCookieCsrfBoundaryContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_api_auth_routes_do_not_depend_on_browser_session_cookies(): void
|
|
{
|
|
foreach (array_slice($this->apiRoutesContainingAny(['auth', 'login', 'logout', 'me', 'profile', 'frontend']), 0, 40) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$response = $this->withCookie('laravel_session', 'attacker-controlled-session')
|
|
->withHeader('X-XSRF-TOKEN', 'not-a-real-xsrf-token')
|
|
->actingAs($this->actorFor($route->uri()), 'api')
|
|
->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri()));
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
$this->assertStringNotContainsString('csrf token mismatch', strtolower($response->getContent()));
|
|
}
|
|
}
|
|
|
|
public function test_browser_only_session_headers_do_not_grant_api_privileges(): void
|
|
{
|
|
foreach (array_slice($this->apiRoutesContainingAny(['admin', 'users', 'roles', 'permissions', 'finance', 'inventory', 'attendance']), 0, 30) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$response = $this->withCookie('laravel_session', 'fake-admin-browser-session')
|
|
->withHeaders(['X-Requested-With' => 'XMLHttpRequest', 'X-CSRF-TOKEN' => 'fake-csrf', 'X-User-Id' => (string) $this->admin->id])
|
|
->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri()));
|
|
$this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], $method . ' ' . $route->uri());
|
|
$this->assertStringNotContainsString('sqlstate', strtolower($response->getContent()));
|
|
}
|
|
}
|
|
}
|