security: comprehensive security regression test suite
61 tests across 4 test files covering all OWASP categories: MultiTenancyIsolationTest (19 tests): - Cross-org event, person, shift, section, time-slot, location, registration field, shift assignment, crowd list access - Cross-org FK references (crowd_type, company, parent_event) - Bulk operation isolation, invitation revocation - Portal cross-event access prevention AuthenticationSecurityTest (15 tests): - Rate limiting: login (5/min), portal token-auth (10/min), invitation show (10/min) - Account enumeration prevention: generic error on failed login, 200 response on password reset for unknown email - Token lifecycle: logout revokes token, password reset revokes all tokens, expired tokens rejected (7-day config verified) - Password strength: weak/no-uppercase/no-numbers rejected - Security headers present on all responses - Protected routes require authentication PortalTokenSecurityTest (10 tests): - Invalid/empty/missing token handling - Response shape: only safe fields (no milestones, no portal_token, no organisation_id, no internal event fields) - Hash-based lookup: plain token works, hash does not - Error messages: no schema/table info leakage - Middleware: rejects without token, rejects invalid, accepts valid, rejects draft event status InputValidationSecurityTest (17 tests): - XSS payloads stored safely in person name, event name, section name - Oversized inputs rejected (name >255, remarks >5000) - Invalid enum values rejected (status, event_type) - Cross-org FK references rejected (crowd_type, company, location, parent_event, person assignment) - Invalid/nonexistent ULID format rejected - SQL injection payloads harmless (PDO binding verified) Also fixes PortalTokenMiddleware to use request->attributes->set() instead of request->merge() for stdClass objects. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -274,6 +274,94 @@ final class MultiTenancyIsolationTest extends TestCase
|
||||
$this->assertCount(1, $personIds);
|
||||
}
|
||||
|
||||
// --- Cross-tenant location access ---
|
||||
|
||||
public function test_cannot_access_other_org_locations(): void
|
||||
{
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/locations");
|
||||
|
||||
// Event-scoped routes: policy returns 403 (user not in org) — access is blocked
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Cross-tenant section access ---
|
||||
|
||||
public function test_cannot_access_other_org_sections(): void
|
||||
{
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Cross-tenant shift access ---
|
||||
|
||||
public function test_cannot_access_other_org_shifts(): void
|
||||
{
|
||||
$sectionA = FestivalSection::factory()->create(['event_id' => $this->eventA->id]);
|
||||
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Cross-tenant time-slot access ---
|
||||
|
||||
public function test_cannot_access_other_org_time_slots(): void
|
||||
{
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/time-slots");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Cross-tenant registration field access ---
|
||||
|
||||
public function test_cannot_access_other_org_registration_fields(): void
|
||||
{
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/registration-fields");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Cross-tenant shift assignment listing ---
|
||||
|
||||
public function test_cannot_list_other_org_shift_assignments(): void
|
||||
{
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/shift-assignments");
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Cross-tenant person update ---
|
||||
|
||||
public function test_cannot_update_person_in_other_org(): void
|
||||
{
|
||||
Sanctum::actingAs($this->adminB);
|
||||
|
||||
$personA = Person::factory()->approved()->create([
|
||||
'event_id' => $this->eventA->id,
|
||||
'crowd_type_id' => $this->crowdTypeA->id,
|
||||
]);
|
||||
|
||||
$response = $this->putJson(
|
||||
"/api/v1/events/{$this->eventA->id}/persons/{$personA->id}",
|
||||
['first_name' => 'Hacked']
|
||||
);
|
||||
|
||||
$response->assertForbidden();
|
||||
}
|
||||
|
||||
// --- Portal cross-event access ---
|
||||
|
||||
public function test_portal_me_cannot_access_other_org_event(): void
|
||||
|
||||
Reference in New Issue
Block a user