32 lines
1.3 KiB
PHP
32 lines
1.3 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiRequestHeaderSpoofingContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_forwarded_and_override_headers_do_not_bypass_authorization(): void
|
|
{
|
|
$routes = array_slice($this->apiRoutesContainingAny(['admin', 'users', 'finance', 'inventory', 'settings', 'school-years', 'permissions']), 0, 120);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
|
|
$this->actingAs($this->parent, 'api');
|
|
$response = $this->withHeaders([
|
|
'X-Forwarded-For' => '127.0.0.1',
|
|
'X-Original-Method' => 'GET',
|
|
'X-HTTP-Method-Override' => 'GET',
|
|
'X-User-Role' => 'administrator',
|
|
'X-Admin' => 'true',
|
|
'X-Impersonate-User' => (string) $this->admin->id,
|
|
])->json($method, $this->materializePath($uri), $this->payloadFor($method, $uri));
|
|
|
|
$this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], 'spoofed headers should not authorize parent at '.$method.' '.$uri);
|
|
$this->assertNoServerError($response, 'header spoofing at '.$method.' '.$uri);
|
|
}
|
|
}
|
|
}
|