Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiSerializationSensitiveDataRedactionContractTest.php
T
2026-06-08 23:45:55 -04:00

71 lines
2.7 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiSerializationSensitiveDataRedactionContractTest extends FullSurfaceE2EContractCase
{
public function test_successful_api_responses_never_serialize_sensitive_user_or_payment_fields(): void
{
$routes = $this->apiRoutesContainingAny([
'users', 'parents', 'students', 'teachers', 'guardians', 'authorized-users',
'families', 'finance', 'payments', 'invoices', 'profile', 'auth/me',
]);
$this->assertNotEmpty($routes, 'Sensitive-resource routes should exist for serialization redaction coverage.');
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if ($method !== 'GET') {
continue;
}
$response = $this->probeRoute($route);
$this->assertControlled($response, $method, $route->uri());
if (! $this->isJsonString($response->getContent())) {
continue;
}
$body = strtolower($response->getContent());
foreach ([
'password', 'remember_token', 'two_factor_secret', 'two_factor_recovery_codes',
'api_token', 'private_key', 'secret_key', 'card_number', 'cvv', 'cvc',
'stripe_secret', 'paypal_secret', 'authorization_code',
] as $forbidden) {
$this->assertStringNotContainsString($forbidden, $body, "{$route->uri()} leaked {$forbidden}");
}
}
}
public function test_error_responses_do_not_echo_credentials_or_uploaded_file_contents(): void
{
$payload = [
'email' => 'sensitive@example.test',
'password' => 'SUPER_SECRET_PASSWORD_SHOULD_NOT_ECHO',
'token' => 'SECRET_TOKEN_SHOULD_NOT_ECHO',
'card_number' => '4111111111111111',
'notes' => str_repeat('private-note-', 20),
];
foreach ($this->apiRoutesContainingAny(['login', 'users', 'payments', 'refunds', 'support', 'messages']) as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload);
$this->assertControlled($response, $method, $route->uri());
$body = $response->getContent();
$this->assertStringNotContainsString('SUPER_SECRET_PASSWORD_SHOULD_NOT_ECHO', $body);
$this->assertStringNotContainsString('SECRET_TOKEN_SHOULD_NOT_ECHO', $body);
$this->assertStringNotContainsString('4111111111111111', $body);
}
}
}