liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 74 Packages Projects Releases Wiki Activity
Files
7efe9e3e83b22cde275b63c8b9a782b21e42acba
portal/app/tests/Feature/Auth/AuthLogCoverageTest.php
T
Дмитрий 7efe9e3e83
Accessibility (Pa11y live) / a11y (push) Waiting to run
Details
fix/tests: idempotency 2 auth-тестов — SharesSupplierPdo против утечки регистрации мимо отката 
AuthFlowIntegrationTest и AuthLogCoverageTest писали регистрацию через BYPASSRLS pgsql_supplier без SharesSupplierPdo. Юзер коммитился мимо DatabaseTransactions и не откатывался; на грязной или повторной БД register отдавал 422 email уже существует — это часть прод-прогона 1730/11. Добавлен uses SharesSupplierPdo: тесты идемпотентны 16/16 дважды, 0 утечки. На свежей migrate-БД весь набор 1757 прошло 0 упало 1 skip. Разбор 11 в findings tails-doc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 08:43:30 +03:00

465 lines
15 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
declare(strict_types=1);
use App\Models\Tenant;
use App\Models\User;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\Password;
use PragmaRX\Google2FA\Google2FA;
use Tests\Concerns\SharesSupplierPdo;
// SharesSupplierPdo: регистрация (RegistrationService) пишет users/tenants/
// email_verifications через BYPASSRLS-подключение pgsql_supplier. Без шаринга PDO
// эти записи коммитятся мимо DatabaseTransactions и не откатываются — тест
// перестаёт быть идемпотентным (повторный прогон/«грязная» БД → 422 «email уже
// существует»). Шаринг PDO кладёт supplier-записи в ту же откатываемую транзакцию.
uses(DatabaseTransactions::class, SharesSupplierPdo::class);
it('logout writes auth_log event=logout', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'logout-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
]);
$this->postJson('/api/auth/login', [
'email' => 'logout-log@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
$this->postJson('/api/auth/logout')->assertOk();
$row = DB::table('auth_log')
->where('event', 'logout')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('register writes auth_log event=register_success', function () {
Tenant::factory()->create();
// Новый флоу самозаписи (G1/SP1): register создаёт pending-пользователя и шлёт код;
// событие register_success пишется ПОСЛЕ подтверждения почты (confirmEmail), а не на register.
$response = $this->postJson('/api/auth/register', [
'email' => 'reg-log-test@example.ru',
'password' => 'fresh-pass-123',
'accept_offer' => true,
'accept_pdn' => true,
'captcha_token' => 'tok-123', // RegisterRequest требует captcha_token (CAPTCHA_FAKE_PASSES в phpunit.xml пропускает)
]);
$response->assertStatus(201);
$code = $response->json('_dev_plain_code');
$this->postJson('/api/auth/confirm-email', [
'email' => 'reg-log-test@example.ru',
'code' => $code,
])->assertOk();
$user = User::where('email', 'reg-log-test@example.ru')->first();
$row = DB::table('auth_log')
->where('event', 'register_success')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->email)->toBe('reg-log-test@example.ru');
});
it('2fa verify success writes auth_log event=2fa_verify_success', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-log-success@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
// Step 1: login to set pending_user_id in session.
$this->postJson('/api/auth/login', [
'email' => '2fa-log-success@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
// Step 2: verify with valid code.
$validCode = $google2fa->getCurrentOtp($secret);
$this->postJson('/api/auth/2fa/verify', [
'code' => $validCode,
])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_verify_success')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa verify failed writes auth_log event=2fa_verify_failed', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-log-fail@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
// Step 1: login to set pending_user_id in session.
$this->postJson('/api/auth/login', [
'email' => '2fa-log-fail@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
// Step 2: verify with wrong code.
$this->postJson('/api/auth/2fa/verify', [
'code' => '000000',
])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', '2fa_verify_failed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->toBe('invalid_code');
});
it('2fa recovery used writes auth_log event=2fa_recovery_used', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-recovery-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => 'JBSWY3DPEHPK3PXP',
]);
DB::table('user_recovery_codes')->insert([
'user_id' => $user->id,
'code_hash' => Hash::make('abcd1234'),
'used_at' => null,
]);
// Login to set pending_user_id.
$this->postJson('/api/auth/login', [
'email' => '2fa-recovery-log@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
$this->postJson('/api/auth/2fa/recovery-use', [
'code' => 'ABCD-1234',
])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_recovery_used')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa recovery failed writes auth_log event=2fa_recovery_failed', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-recovery-fail-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => 'JBSWY3DPEHPK3PXP',
]);
DB::table('user_recovery_codes')->insert([
'user_id' => $user->id,
'code_hash' => Hash::make('abcd1234'),
'used_at' => null,
]);
// Login to set pending_user_id.
$this->postJson('/api/auth/login', [
'email' => '2fa-recovery-fail-log@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
$this->postJson('/api/auth/2fa/recovery-use', [
'code' => 'WRONG-9999',
])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', '2fa_recovery_failed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->toBe('invalid_or_used');
});
it('2fa setup init writes auth_log event=2fa_setup_init', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-init-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => false,
'totp_secret' => null,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/init')->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_setup_init')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa setup confirm writes auth_log event=2fa_setup_confirmed', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-confirm-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => false,
'totp_secret' => null,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/init')->assertOk();
$secret = session('auth.pending_totp_secret');
$google2fa = new Google2FA;
$code = $google2fa->getCurrentOtp($secret);
$this->postJson('/api/2fa/confirm', ['code' => $code])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_setup_confirmed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa disable success writes auth_log event=2fa_disabled', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-disabled-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/disable', ['password' => 'secret-pass-123'])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_disabled')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa disable wrong password writes auth_log event=2fa_disable_failed', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-disable-fail-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/disable', ['password' => 'wrong-password'])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', '2fa_disable_failed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->toBe('invalid_password');
});
it('2fa regenerate recovery codes writes auth_log event=2fa_recovery_regenerated', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-regen-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/regenerate-recovery-codes', ['password' => 'secret-pass-123'])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_recovery_regenerated')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('password_reset_requested writes auth_log with user_id for known email', function () {
Notification::fake();
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'pr-known-log@example.ru',
'password_hash' => Hash::make('old-pass-1234'),
'is_active' => true,
]);
$this->postJson('/api/auth/forgot', [
'email' => 'pr-known-log@example.ru',
])->assertOk();
$row = DB::table('auth_log')
->where('event', 'password_reset_requested')
->where('email', 'pr-known-log@example.ru')
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->user_id)->toBe($user->id)
->and($row->failure_reason)->toBeNull();
});
it('password_reset_requested writes auth_log with unknown_email failure_reason for unknown email', function () {
Notification::fake();
$this->postJson('/api/auth/forgot', [
'email' => 'no-such-pr-log@example.ru',
])->assertOk();
$row = DB::table('auth_log')
->where('event', 'password_reset_requested')
->where('email', 'no-such-pr-log@example.ru')
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->user_id)->toBeNull()
->and($row->failure_reason)->toBe('unknown_email');
});
it('password_reset_completed writes auth_log on successful token reset', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'pr-completed-log@example.ru',
'password_hash' => Hash::make('old-pass-1234'),
'is_active' => true,
]);
$token = Password::createToken($user);
$this->postJson('/api/auth/reset-password', [
'token' => $token,
'email' => 'pr-completed-log@example.ru',
'password' => 'new-strong-pass-1234',
'password_confirmation' => 'new-strong-pass-1234',
])->assertOk();
$row = DB::table('auth_log')
->where('event', 'password_reset_completed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->email)->toBe('pr-completed-log@example.ru');
});
it('password_reset_failed writes auth_log on invalid token', function () {
$tenant = Tenant::factory()->create();
User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'pr-failed-log@example.ru',
'password_hash' => Hash::make('old-pass-1234'),
'is_active' => true,
]);
$this->postJson('/api/auth/reset-password', [
'token' => 'invalid-token-zzz',
'email' => 'pr-failed-log@example.ru',
'password' => 'new-strong-pass-1234',
'password_confirmation' => 'new-strong-pass-1234',
])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', 'password_reset_failed')
->where('email', 'pr-failed-log@example.ru')
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->not->toBeNull();
});
Reference in New Issue View Git Blame Copy Permalink