bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c42f27b26150f33256847263312d30c5448c589
crewli/api/tests/Feature/Security/AuthenticationSecurityTest.php
bert.hausmans 65978104d8 feat: complete email infrastructure with queue, templates, logging, and API 
Adds the full transactional email system:
- Redis queue (QUEUE_CONNECTION=redis), SES config in .env.example
- 3 migrations: organisation_email_settings, organisation_email_templates, email_logs
- EmailTemplateType and EmailLogStatus enums with Dutch defaults
- EmailService as central entry point for all email sending
- SendTransactionalEmail queued job with retries and idempotency
- TransactionalMail mailable with responsive HTML + plain text templates
- Organisation-level branding (colors, logo, footer, reply-to)
- Per-type template overrides with {variable} substitution
- Email log with filtering by status, type, date range, recipient
- Preview and send-test endpoints for template management
- API endpoints: email-settings, email-templates (CRUD), email-logs (read-only)
- Integrated into existing flows: invitations, password reset, email
  verification, registration approval/rejection
- 37 new tests across 4 test files, all existing tests updated

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:12:21 +02:00

250 lines
7.6 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\Security;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\Queue;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
final class AuthenticationSecurityTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
}
// --- Rate Limiting ---
public function test_login_rate_limited_after_5_attempts(): void
{
$user = User::factory()->create();
for ($i = 0; $i < 5; $i++) {
$this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'WrongPassword1',
]);
}
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'WrongPassword1',
]);
$response->assertStatus(429);
}
public function test_portal_token_auth_rate_limited(): void
{
for ($i = 0; $i < 10; $i++) {
$this->postJson('/api/v1/portal/token-auth', [
'token' => 'invalid-token-' . $i,
]);
}
$response = $this->postJson('/api/v1/portal/token-auth', [
'token' => 'invalid-token-final',
]);
$response->assertStatus(429);
}
public function test_invitation_show_rate_limited(): void
{
for ($i = 0; $i < 10; $i++) {
$this->getJson('/api/v1/invitations/fake-token-' . $i);
}
$response = $this->getJson('/api/v1/invitations/fake-token-final');
$response->assertStatus(429);
}
// --- Account Enumeration Prevention ---
public function test_failed_login_returns_generic_message(): void
{
$response = $this->postJson('/api/v1/auth/login', [
'email' => 'nonexistent@example.com',
'password' => 'SomePassword1',
]);
$response->assertUnauthorized();
// Should NOT say "User not found" or "Email does not exist"
$response->assertJson(['message' => 'Invalid credentials']);
}
public function test_failed_login_same_message_for_wrong_password(): void
{
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'WrongPassword1',
]);
$response->assertUnauthorized();
$response->assertJson(['message' => 'Invalid credentials']);
}
public function test_password_reset_returns_success_for_unknown_email(): void
{
Queue::fake();
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => 'nonexistent@example.com',
'app' => 'app',
]);
// Must return 200 regardless — don't leak whether email exists
$response->assertOk();
}
public function test_password_reset_returns_success_for_known_email(): void
{
Queue::fake();
$user = User::factory()->create();
$response = $this->postJson('/api/v1/auth/forgot-password', [
'email' => $user->email,
'app' => 'app',
]);
$response->assertOk();
}
// --- Token Lifecycle ---
public function test_logout_revokes_current_token(): void
{
$user = User::factory()->create();
$token = $user->createToken('auth-token')->plainTextToken;
// Use token for logout
$this->withHeaders(['Authorization' => "Bearer {$token}"])
->postJson('/api/v1/auth/logout')
->assertOk();
// Verify the token record is deleted from the database
$this->assertDatabaseCount('personal_access_tokens', 0);
}
public function test_password_reset_revokes_all_tokens(): void
{
$user = User::factory()->create(['email' => 'tokens@test.nl']);
// Create two tokens
$user->createToken('device-1');
$user->createToken('device-2');
$this->assertDatabaseCount('personal_access_tokens', 2);
// Reset password
$resetToken = Password::createToken($user);
$this->postJson('/api/v1/auth/reset-password', [
'token' => $resetToken,
'email' => 'tokens@test.nl',
'password' => 'NewPassword123',
'password_confirmation' => 'NewPassword123',
])->assertOk();
// All tokens should be deleted from the database
$this->assertDatabaseCount('personal_access_tokens', 0);
}
public function test_token_expiration_is_configured(): void
{
// Verify Sanctum expiration is set to 7 days (10080 minutes)
$expiration = config('sanctum.expiration');
$this->assertEquals(60 * 24 * 7, $expiration);
// Create a token and backdate its created_at to 8 days ago
$user = User::factory()->create();
$accessToken = $user->createToken('auth-token');
// Sanctum checks created_at against the expiration window
$accessToken->accessToken->forceFill([
'created_at' => now()->subDays(8),
])->save();
// Token created 8 days ago should be expired (7-day expiry)
$this->withHeaders(['Authorization' => "Bearer {$accessToken->plainTextToken}"])
->getJson('/api/v1/auth/me')
->assertUnauthorized();
}
// --- Password Strength ---
public function test_weak_password_rejected_on_registration(): void
{
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => 'fake',
'email' => 'test@test.nl',
'password' => 'weakpass',
'password_confirmation' => 'weakpass',
]);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('password');
}
public function test_password_without_uppercase_rejected(): void
{
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => 'fake',
'email' => 'test@test.nl',
'password' => 'lowercase1',
'password_confirmation' => 'lowercase1',
]);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('password');
}
public function test_password_without_numbers_rejected(): void
{
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => 'fake',
'email' => 'test@test.nl',
'password' => 'NoNumbersHere',
'password_confirmation' => 'NoNumbersHere',
]);
$response->assertUnprocessable();
$response->assertJsonValidationErrors('password');
}
// --- Security Headers ---
public function test_security_headers_present(): void
{
$response = $this->getJson('/api/v1/');
$response->assertHeader('X-Content-Type-Options', 'nosniff');
$response->assertHeader('X-Frame-Options', 'DENY');
$response->assertHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
$response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
}
// --- Protected Routes ---
public function test_protected_routes_require_authentication(): void
{
$this->getJson('/api/v1/auth/me')->assertUnauthorized();
$this->postJson('/api/v1/auth/logout')->assertUnauthorized();
$this->getJson('/api/v1/organisations')->assertUnauthorized();
$this->getJson('/api/v1/portal/me?event_id=fake')->assertUnauthorized();
}
}
Reference in New Issue View Git Blame Copy Permalink