crewli/api/tests/Feature/Observability/ExceptionReportingTest.php
bert.hausmans 9414d09472 refactor: BindSentryContext to AuthScopeContextListener for auth-scope tags
Sentry-context binding split into two responsibilities:

- Route-scope (app, http.method, route_name) stays in middleware on
  the api group as BindSentryRouteContext — works on every request,
  no auth required.
- Auth-scope (user_id, actor_type) moves to AuthScopeContextListener
  on Illuminate\Auth\Events\Authenticated — works on every
  authentication mechanism (Sanctum, portal-tokens, future
authenticators) without per-route middleware attachment. The listener
also augments Log::withContext with user_id (closes OBS-2).

Architecturally fault-preventing rather than fault-detecting: new
authenticated route groups need no separate sentry.context aliasing,
so silent observability gaps are no longer possible (closes OBS-3).

Impersonation tagging is co-located with HandleImpersonation: after
the user-swap, the middleware re-tags Sentry scope with the target
user_id/actor_type and adds impersonation.active /
impersonation.impersonator_user_id / impersonation.session_id. The
Authenticated event fires for the admin (Sanctum's natural flow),
the listener tags the admin, then HandleImpersonation overwrites
post-swap.

Files renamed:
- BindSentryContext -> BindSentryRouteContext (route-scope only)
- BindSentryContextTest -> BindSentryRouteContextTest (4 cases)

Files added:
- AuthScopeContextListener
- AuthScopeContextListenerTest (6 cases)

bootstrap/app.php drops the sentry.context alias and prepends
BindSentryRouteContext to the api group. routes/api.php drops every
sentry.context middleware string from auth:sanctum groups.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 12:53:14 +02:00


<?php
declare(strict_types=1);
namespace Tests\Feature\Observability;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;
use Laravel\Sanctum\Sanctum;
use RuntimeException;
use Sentry\ClientBuilder;
use Sentry\Event as SentryEvent;
use Sentry\EventHint;
use Sentry\SentrySdk;
use Sentry\State\Hub;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Tests\TestCase;
/**
* Regression coverage for the report() → sentry-laravel pipeline (PR-2
* follow-up). Captures the bug where unit tests passed (scope tagging
* verified, scrubbing verified) yet live exceptions never reached
* GlitchTip because `\Sentry\Laravel\Integration::handles($exceptions)`
* was missing from `bootstrap/app.php`.
*
* Strategy: install a recording `before_send` hook on a real Sentry
* client. Every exception that traverses the report pipeline lands here
* with its full event payload. Returning null prevents network egress.
*/
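final class ExceptionReportingTest extends TestCase
{
    use RefreshDatabase;

    /**
     * Events received by the recording before_send hook. Static because the
     * hook is a static closure; cleared in setUp() and tearDown().
     *
     * @var list<array{event: SentryEvent, hint: ?EventHint}>
     */
    private static array $captured = [];

    protected function setUp(): void
    {
        parent::setUp();
        $this->seed(RoleSeeder::class);
        self::$captured = [];

        // Replace the process-global hub with one backed by a real client whose
        // before_send records into the static buffer and returns null, so no
        // event is ever handed to a transport.
        SentrySdk::setCurrentHub(new Hub($this->recordingClientBuilder()->getClient()));

        $this->registerProbeRoutes();
    }

    /**
     * Detach the recording hub before the next test runs. SentrySdk keeps the
     * current hub in process-global static state, so it would otherwise
     * outlive the Laravel application torn down with this test and keep
     * receiving events from whatever runs next. The captured payloads are
     * dropped as well so stack traces are not retained for the whole run.
     */
    protected function tearDown(): void
    {
        SentrySdk::setCurrentHub(new Hub());
        self::$captured = [];

        parent::tearDown();
    }

    /**
     * Build the client used by every test: PII and sampling disabled, an
     * ignore_exceptions list for the client-error exception types that must
     * never be captured, and a before_send hook that records the event and
     * then discards it.
     */
    private function recordingClientBuilder(): ClientBuilder
    {
        return ClientBuilder::create([
            'dsn' => 'https://test@localhost/1',
            'environment' => 'testing',
            'release' => 'crewli-api@test',
            'send_default_pii' => false,
            'traces_sample_rate' => 0.0,
            'profiles_sample_rate' => 0.0,
            'ignore_exceptions' => [
                ValidationException::class,
                AuthenticationException::class,
                AuthorizationException::class,
            ],
            'before_send' => static function (SentryEvent $event, ?EventHint $hint = null): ?SentryEvent {
                self::$captured[] = ['event' => $event, 'hint' => $hint];

                // Returning null drops the event, so nothing is sent.
                return null;
            },
        ]);
    }

    /**
     * Register test-only routes behind auth:sanctum and
     * BindSentryRouteContext. Each one throws a single exception class so
     * that one branch of the ignore_exceptions / before_send / capture
     * pipeline is exercised per request.
     */
    private function registerProbeRoutes(): void
    {
        Route::middleware(['auth:sanctum', \App\Http\Middleware\BindSentryRouteContext::class])
            ->group(static function (): void {
                Route::get('_obs_runtime', static fn () => throw new RuntimeException('boom'))
                    ->name('test.obs.runtime');

                Route::get('_obs_validation', static function (): never {
                    throw ValidationException::withMessages(['email' => 'required']);
                })->name('test.obs.validation');

                Route::get('_obs_404', static fn () => throw new NotFoundHttpException('nope'))
                    ->name('test.obs.404');

                Route::get('_obs_403', static fn () => throw new AuthorizationException('denied'))
                    ->name('test.obs.403');
            });
    }

    /**
     * Authenticate as a freshly created org_admin user via Sanctum so the
     * probe routes pass their auth:sanctum middleware.
     */
    private function actAsOrgAdmin(): void
    {
        $organisation = Organisation::factory()->create();
        $admin = User::factory()->create();

        $organisation->users()->attach($admin, ['role' => 'org_admin']);
        $admin->assignRole('org_admin');

        Sanctum::actingAs($admin);
    }

    /**
     * An unhandled RuntimeException from a controller must reach before_send
     * with the exception type and message intact.
     */
    public function test_runtime_exception_from_controller_is_captured(): void
    {
        $this->actAsOrgAdmin();

        $this->getJson('/_obs_runtime')->assertStatus(500);

        $this->assertCount(1, self::$captured, 'expected exactly one captured event');

        $exceptions = self::$captured[0]['event']->getExceptions();
        $this->assertNotEmpty($exceptions);
        $this->assertSame(RuntimeException::class, $exceptions[0]->getType());
        $this->assertSame('boom', $exceptions[0]->getValue());
    }

    /**
     * ValidationException is in ignore_exceptions and must never be captured.
     */
    public function test_validation_exception_is_not_captured(): void
    {
        $this->actAsOrgAdmin();

        $this->getJson('/_obs_validation')->assertStatus(422);

        $this->assertCount(0, self::$captured);
    }

    /**
     * NotFoundHttpException is not in the ignore_exceptions list above, so
     * this case passing depends on the framework's exception handler treating
     * HTTP exceptions as non-reportable before Sentry sees them.
     * NOTE(review): confirm that is the intended coverage, or add the class
     * to ignore_exceptions explicitly.
     */
    public function test_not_found_http_exception_is_not_captured(): void
    {
        $this->actAsOrgAdmin();

        $this->getJson('/_obs_404')->assertStatus(404);

        $this->assertCount(0, self::$captured);
    }

    /**
     * AuthorizationException is in ignore_exceptions and must never be captured.
     */
    public function test_authorization_exception_is_not_captured(): void
    {
        $this->actAsOrgAdmin();

        $this->getJson('/_obs_403')->assertStatus(403);

        $this->assertCount(0, self::$captured);
    }

    /**
     * The captured event must carry the route-scope tags. BindSentryRouteContext
     * is attached to the probe route group and is expected to have set them on
     * the scope before the controller threw.
     */
    public function test_runtime_exception_carries_request_context(): void
    {
        $this->actAsOrgAdmin();

        $this->getJson('/_obs_runtime')->assertStatus(500);

        $this->assertCount(1, self::$captured);

        $tags = self::$captured[0]['event']->getTags();
        $this->assertSame('api', $tags['app'] ?? null);
        $this->assertSame('GET', $tags['http.method'] ?? null);
    }
}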