Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiDeepValidationFailureContractTest.php
T
root 5e35fefd69
API CI/CD / Validate (composer + pint) (push) Successful in 2m47s
API CI/CD / Test (PHPUnit) (push) Failing after 3m8s
API CI/CD / Build frontend assets (push) Failing after 5m22s
API CI/CD / Security audit (push) Failing after 34s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
fix test errors
2026-06-26 15:37:03 -04:00

101 lines
4.0 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Illuminate\Routing\Route as LaravelRoute;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiDeepValidationFailureContractTest extends FullSurfaceE2EContractCase
{
public function test_mutating_routes_return_controlled_validation_or_authorization_for_hostile_payloads(): void
{
$failures = [];
foreach ($this->mutatingRoutes() as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
foreach ($this->hostilePayloads() as $label => $payload) {
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
$status = $response->getStatusCode();
if ($status >= 500) {
$failures[] = "$method $uri crashed on $label hostile payload with $status: ".$response->getContent();
continue;
}
if (! in_array($status, [200, 201, 202, 204, 302, 400, 401, 403, 404, 405, 409, 419, 422, 429], true)) {
$failures[] = "$method $uri returned unexpected $status on $label hostile payload: ".$response->getContent();
}
}
}
$this->assertSame([], $failures, "Hostile payloads must fail cleanly, not leak framework explosions:\n".implode("\n", $failures));
}
public function test_required_field_validation_uses_machine_readable_error_shape_when_validation_fails(): void
{
$failures = [];
foreach ($this->validationSensitiveRoutes() as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$response = $this->requestAs($this->actorFor($uri), $method, $uri, []);
if ($response->getStatusCode() !== 422) {
continue;
}
if (! $this->isJsonString($response->getContent())) {
$failures[] = "$method $uri returned 422 but not JSON: ".$response->getContent();
continue;
}
$json = $response->json();
if (! is_array($json) || (! array_key_exists('errors', $json) && ! array_key_exists('message', $json))) {
$failures[] = "$method $uri returned 422 without message/errors: ".$response->getContent();
}
}
$this->assertSame([], $failures, "Validation errors must be usable by clients, not poetic prose:\n".implode("\n", $failures));
}
/** @return list<LaravelRoute> */
private function mutatingRoutes(): array
{
return array_slice(array_values(array_filter($this->apiRoutes(), function (LaravelRoute $route): bool {
return in_array($this->primaryMethod($route), ['POST', 'PUT', 'PATCH', 'DELETE'], true)
&& ! str_contains($route->uri(), 'auth/logout');
})), 0, 150);
}
/** @return list<LaravelRoute> */
private function validationSensitiveRoutes(): array
{
return array_values(array_filter($this->mutatingRoutes(), function (LaravelRoute $route): bool {
$uri = $route->uri();
return str_contains($uri, 'students')
|| str_contains($uri, 'users')
|| str_contains($uri, 'attendance')
|| str_contains($uri, 'finance')
|| str_contains($uri, 'scores')
|| str_contains($uri, 'support')
|| str_contains($uri, 'inventory');
}));
}
/** @return array<string, array<string, mixed>> */
private function hostilePayloads(): array
{
return [
'empty' => [],
'wrong_scalar_types' => ['id' => 'not-an-int', 'amount' => 'NaN', 'date' => 'not-a-date', 'email' => 'not-email'],
'unexpected_nested_arrays' => ['name' => ['nested' => ['too' => ['deep' => true]]], 'student_id' => ['x']],
'oversized_strings' => ['name' => str_repeat('x', 1024), 'description' => str_repeat('y', 2048)],
];
}
}