liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 88 Packages Projects Releases Wiki Activity
Files
4a385b1df75d802b8bad67de72bf491ba18352d7
portal/app/tests/Feature/WebhookReceiveTest.php
T
Дмитрий 4a385b1df7 phase2(prod-tightening): HMAC+rate-limit webhook / fetch system_settings / CSV export 
3 production-tightening после 7-фичного пакета v1.55.

(1) HMAC + per-token rate-limit для webhook receive endpoint:
- WebhookReceiveController::receive: tenant lookup → rate-limit → HMAC
  → payload validation.
- HMAC: опциональный X-Webhook-Signature: sha256=<hex> через hash_hmac +
  hash_equals (constant-time). Backward-compat: header missing → 202.
- Per-token rate-limit: RateLimiter с decay 60 сек. Лимит из
  system_settings.webhook_rate_limit_rps × 60. На превышении 429 +
  Retry-After. Hit ставится ДО валидации payload — иначе обходимо 422.
- Pest +5: HMAC valid/invalid 401/missing 202; rate-limit 60+1=429;
  ключ изолирован per-token.

(2) Реальный fetch system_settings в AdminSystemView:
- onMounted → adminApi.listSystemSettings() → splice replace.
- На fetch-error → fallback на mock + warning v-alert.
- Кнопка «Обновить» — ручной reload.
- Vitest +3: mount fetch / reload / error fallback.

(3) Реальный CSV-export для bulk-actions DealsView:
- applyBulkExport → CSV через Blob+a[download].
- 8 колонок, ; разделитель, \r\n, BOM через String.fromCharCode(0xFEFF)
  (литеральный U+FEFF блокируется ESLint no-irregular-whitespace).
- Filename deals_export_YYYY-MM-DD.csv.
- Empty selection → toast без download.
- Vitest +2: spy createObjectURL+anchor.click; empty без blob.

PHPStan baseline регенерирован.

Регресс: lint+type-check+format ; vitest 242/242 за 15.82 сек (+4);
vite build 903 ms; Pint+PHPStan passed; Pest 141/141 за 17.8 сек (+5,
627 assertions). Реестр v1.55→v1.56, CLAUDE.md v1.46→v1.47.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 05:49:34 +03:00

217 lines
7.5 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
declare(strict_types=1);
use App\Jobs\ProcessWebhookJob;
use App\Models\SystemSetting;
use App\Models\Tenant;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\Bus;
use Illuminate\Support\Facades\RateLimiter;
uses(DatabaseTransactions::class);
beforeEach(function () {
$this->tenant = Tenant::factory()->create([
'webhook_token' => 'whk_test_'.bin2hex(random_bytes(8)),
'balance_leads' => 100,
]);
// Чистим RateLimiter между тестами — иначе lockout из одного теста
// загрязняет следующий.
RateLimiter::clear("webhook:{$this->tenant->id}");
});
test('POST /api/webhook/{token} с валидным payload возвращает 202 + dispatch ProcessWebhookJob', function () {
Bus::fake();
$payload = [
'vid' => 12345,
'project' => 'Натяжные потолки',
'phone' => '+7 (999) 123-45-67',
'time' => time(),
'tag' => 'ya_direct',
];
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", $payload);
$r->assertStatus(202);
expect($r->json('status'))->toBe('accepted');
expect($r->json('tenant_id'))->toBe($this->tenant->id);
Bus::assertDispatched(ProcessWebhookJob::class, function ($job) use ($payload) {
return $job->tenantId === $this->tenant->id
&& $job->data['vid'] === $payload['vid']
&& $job->data['phone'] === $payload['phone'];
});
});
test('POST с unknown token → 404', function () {
Bus::fake();
$r = $this->postJson('/api/webhook/whk_nonexistent_token_12345', [
'vid' => 1,
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => time(),
]);
$r->assertStatus(404);
Bus::assertNothingDispatched();
});
test('POST без обязательных полей → 422', function () {
Bus::fake();
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", [
// Нет vid/project/phone/time
]);
$r->assertStatus(422);
$errors = $r->json('errors');
expect($errors)->toHaveKeys(['vid', 'project', 'phone', 'time']);
Bus::assertNothingDispatched();
});
test('POST с вредной структурой (vid=строка, time=отрицательный) → 422', function () {
Bus::fake();
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", [
'vid' => 'не-число',
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => -1,
]);
$r->assertStatus(422);
Bus::assertNothingDispatched();
});
test('POST к webhook НЕ требует CSRF (внешний клиент)', function () {
Bus::fake();
// Симулируем запрос БЕЗ X-XSRF-TOKEN — CSRF middleware не должен проверять
// /api/webhook/* (см. bootstrap/app.php validateCsrfTokens except).
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", [
'vid' => 1,
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => time(),
]);
$r->assertStatus(202);
});
test('POST с `phones` array (multi-phone payload) принимается', function () {
Bus::fake();
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", [
'vid' => 1,
'project' => 'Окна',
'phone' => '+7 (999) 000-00-00',
'phones' => ['+7 (999) 000-00-01', '+7 (999) 000-00-02'],
'time' => time(),
]);
$r->assertStatus(202);
Bus::assertDispatched(ProcessWebhookJob::class, function ($job) {
return is_array($job->data['phones']) && count($job->data['phones']) === 2;
});
});
test('HMAC: валидная подпись sha256=hex(hmac_sha256(body, token)) проходит', function () {
Bus::fake();
$payload = [
'vid' => 1,
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => time(),
];
$rawBody = json_encode($payload);
$signature = 'sha256='.hash_hmac('sha256', $rawBody, $this->tenant->webhook_token);
$r = $this->call('POST', "/api/webhook/{$this->tenant->webhook_token}", [], [], [], [
'CONTENT_TYPE' => 'application/json',
'HTTP_ACCEPT' => 'application/json',
'HTTP_X_WEBHOOK_SIGNATURE' => $signature,
], $rawBody);
$r->assertStatus(202);
Bus::assertDispatched(ProcessWebhookJob::class);
});
test('HMAC: невалидная подпись → 401, dispatch НЕ происходит', function () {
Bus::fake();
$payload = [
'vid' => 1,
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => time(),
];
$rawBody = json_encode($payload);
$r = $this->call('POST', "/api/webhook/{$this->tenant->webhook_token}", [], [], [], [
'CONTENT_TYPE' => 'application/json',
'HTTP_ACCEPT' => 'application/json',
'HTTP_X_WEBHOOK_SIGNATURE' => 'sha256=deadbeef'.str_repeat('0', 56),
], $rawBody);
$r->assertStatus(401);
expect($r->json('message'))->toContain('HMAC');
Bus::assertNothingDispatched();
});
test('HMAC: отсутствие header → пропускаем (backward-compat) → 202', function () {
Bus::fake();
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", [
'vid' => 1,
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => time(),
]);
$r->assertStatus(202);
});
test('rate-limit: системный лимит RPS×60 в минуту, 429 + Retry-After на превышении', function () {
Bus::fake();
// Устанавливаем низкий лимит через system_settings — иначе тест слишком долгий
// (default 100 RPS = 6000/мин). Подменяем через update.
SystemSetting::where('key', 'webhook_rate_limit_rps')->update(['value' => '1']);
$payload = [
'vid' => 1,
'project' => 'X',
'phone' => '+7 (999) 000-00-00',
'time' => time(),
];
// 1 RPS × 60 = 60 запросов/мин. Делаем 60 успешных.
for ($i = 0; $i < 60; $i++) {
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", $payload);
$r->assertStatus(202);
}
// 61-й — превышение.
$r = $this->postJson("/api/webhook/{$this->tenant->webhook_token}", $payload);
$r->assertStatus(429);
expect($r->json('retry_after'))->toBeInt()->toBeGreaterThan(0);
expect($r->headers->get('Retry-After'))->not->toBeNull();
});
test('rate-limit: ключ изолирован per-token (другой tenant не блокирует)', function () {
Bus::fake();
SystemSetting::where('key', 'webhook_rate_limit_rps')->update(['value' => '1']);
$tenantOther = Tenant::factory()->create([
'webhook_token' => 'whk_other_'.bin2hex(random_bytes(8)),
]);
RateLimiter::clear("webhook:{$tenantOther->id}");
$payload = [
'vid' => 1, 'project' => 'X', 'phone' => '+7 (999) 000-00-00', 'time' => time(),
];
// Заполняем лимит первого tenant'а
for ($i = 0; $i < 60; $i++) {
$this->postJson("/api/webhook/{$this->tenant->webhook_token}", $payload)->assertStatus(202);
}
$this->postJson("/api/webhook/{$this->tenant->webhook_token}", $payload)->assertStatus(429);
// Второй tenant — без проблем.
$r = $this->postJson("/api/webhook/{$tenantOther->webhook_token}", $payload);
$r->assertStatus(202);
});
Reference in New Issue View Git Blame Copy Permalink