gitmedia/presseportale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
presseportale/tests/Feature/ApiAccessSecurityAndLoggingTest.php
Kevin Adametz 5b8bdf4182
Some checks are pending
linter / quality (push) Waiting to run
Details
tests / ci (push) Waiting to run
Details
12-05-2026 Frontend dev
2026-05-12 18:32:33 +02:00

78 lines
2.9 KiB
PHP
Raw Blame History

<?php
use App\Models\ApiUsageLog;
use App\Models\User;
use Tests\TestCase;
test('api requests are logged without storing bearer token contents', function () {
/** @var TestCase $this */
$user = User::factory()->create(['is_active' => true]);
$plainTextToken = $user->createToken('API Client', ['press-releases:read'])->plainTextToken;
$tokenId = $user->tokens()->value('id');
$this->withHeader('Authorization', "Bearer {$plainTextToken}")
->getJson('/api/v1/categories')
->assertOk();
$log = ApiUsageLog::query()->firstOrFail();
expect($log->user_id)->toBe($user->id)
->and($log->personal_access_token_id)->toBe($tokenId)
->and($log->method)->toBe('GET')
->and($log->path)->toBe('/api/v1/categories')
->and($log->status_code)->toBe(200)
->and(json_encode($log->toArray()))->not->toContain($plainTextToken);
});
test('legacy api key rejections are logged', function () {
/** @var TestCase $this */
$this->getJson('/api/v1/categories?api_key=legacy-secret')
->assertStatus(410);
$log = ApiUsageLog::query()->firstOrFail();
expect($log->user_id)->toBeNull()
->and($log->personal_access_token_id)->toBeNull()
->and($log->path)->toBe('/api/v1/categories')
->and($log->status_code)->toBe(410)
->and(json_encode($log->toArray()))->not->toContain('legacy-secret');
});
test('inactive users cannot use existing api tokens', function () {
/** @var TestCase $this */
$user = User::factory()->create(['is_active' => false]);
$plainTextToken = $user->createToken('Old API Client', ['press-releases:read'])->plainTextToken;
$this->withHeader('Authorization', "Bearer {$plainTextToken}")
->getJson('/api/v1/categories')
->assertForbidden()
->assertJsonPath('message', 'API access is disabled for inactive users.');
expect(ApiUsageLog::query()->value('status_code'))->toBe(403);
});
test('api rate limit is scoped to each personal access token', function () {
/** @var TestCase $this */
$user = User::factory()->create(['is_active' => true]);
$firstToken = $user->createToken('Busy Client', ['press-releases:read'])->plainTextToken;
$secondToken = $user->createToken('Other Client', ['press-releases:read'])->plainTextToken;
expect(strtok($firstToken, '|'))->not->toBe(strtok($secondToken, '|'));
for ($request = 1; $request <= 60; $request++) {
$this->withHeader('Authorization', "Bearer {$firstToken}")
->getJson('/api/v1/categories')
->assertOk();
}
$this->withHeader('Authorization', "Bearer {$firstToken}")
->getJson('/api/v1/categories')
->assertStatus(429)
->assertJsonPath('message', 'API rate limit exceeded.');
$this->flushHeaders();
$this->withHeader('Authorization', "Bearer {$secondToken}")
->getJson('/api/v1/categories')
->assertOk();
});
Reference in a new issue View git blame Copy permalink