liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 69 Packages Projects Releases Wiki Activity
Files
88ace4e3d98213faa2ca91f595d8fe5644f07e43
portal/app/tests/Feature/Auth/AuthLogCoverageTest.php
T
Дмитрий 88ace4e3d9
Accessibility (Pa11y live) / a11y (push) Has been cancelled
Details
test: дозакрытие оздоровления — protekateli pd-аудита, видимость supplier, новый флоу регистрации 
Снижение остатка 19 to 5. Всё тест-сторона:
- PdErasureServiceTest + AdminPdSubjectRequestsControllerTest: SharesSupplierPdo —
  перестали коммитить pd_processing_log через pgsql_supplier, что ломало
  глобальный audit:verify-chains (6 падений) и амплифицировало PhoneRegionSmoke.
- ReportFileDeletePdLogTest: SharesSupplierPdo — cron reports:cleanup-expired
  теперь видит незакоммиченные job'ы теста.
- AdminSuppliersControllerTest: устойчивый ассерт (с фазы 3 в suppliers есть direct).
- AuthLogCoverageTest/AuthFlowIntegrationTest: новый флоу самозаписи G1/SP1 —
  register_success пишется после confirm-email; добавлен шаг подтверждения.
- ImpersonationTest end: verify (G7-B) ставит маркер impersonation → admin-зона
  закрыта by design; помечаем токен used напрямую вместо session-takeover.
- CleanupInactiveSupplierProjectsJobTest: phase A читает pivot project_supplier_links —
  добавлена привязка linkProjectToSupplier (раньше был только legacy FK).
- Pint-нормализация uses() FQN to import в ранее тронутых файлах.

Остаток 5 (НЕ слепой патч): webhook B-префикс ×2 (решение владельца), advisory-lock
audit-цепочки (возможный дрейф схемы, флажок), SupplierConnection WARN#2 (cap-3,
поведенческое), SupplierPortalClientTest (пре-существующий, не от этих правок).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 08:19:53 +03:00

459 lines
14 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
declare(strict_types=1);
use App\Models\Tenant;
use App\Models\User;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\Password;
use PragmaRX\Google2FA\Google2FA;
uses(DatabaseTransactions::class);
it('logout writes auth_log event=logout', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'logout-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
]);
$this->postJson('/api/auth/login', [
'email' => 'logout-log@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
$this->postJson('/api/auth/logout')->assertOk();
$row = DB::table('auth_log')
->where('event', 'logout')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('register writes auth_log event=register_success', function () {
Tenant::factory()->create();
// Новый флоу самозаписи (G1/SP1): register создаёт pending-пользователя и шлёт код;
// событие register_success пишется ПОСЛЕ подтверждения почты (confirmEmail), а не на register.
$response = $this->postJson('/api/auth/register', [
'email' => 'reg-log-test@example.ru',
'password' => 'fresh-pass-123',
'accept_offer' => true,
'accept_pdn' => true,
'captcha_token' => 'tok-123', // RegisterRequest требует captcha_token (CAPTCHA_FAKE_PASSES в phpunit.xml пропускает)
]);
$response->assertStatus(201);
$code = $response->json('_dev_plain_code');
$this->postJson('/api/auth/confirm-email', [
'email' => 'reg-log-test@example.ru',
'code' => $code,
])->assertOk();
$user = User::where('email', 'reg-log-test@example.ru')->first();
$row = DB::table('auth_log')
->where('event', 'register_success')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->email)->toBe('reg-log-test@example.ru');
});
it('2fa verify success writes auth_log event=2fa_verify_success', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-log-success@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
// Step 1: login to set pending_user_id in session.
$this->postJson('/api/auth/login', [
'email' => '2fa-log-success@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
// Step 2: verify with valid code.
$validCode = $google2fa->getCurrentOtp($secret);
$this->postJson('/api/auth/2fa/verify', [
'code' => $validCode,
])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_verify_success')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa verify failed writes auth_log event=2fa_verify_failed', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-log-fail@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
// Step 1: login to set pending_user_id in session.
$this->postJson('/api/auth/login', [
'email' => '2fa-log-fail@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
// Step 2: verify with wrong code.
$this->postJson('/api/auth/2fa/verify', [
'code' => '000000',
])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', '2fa_verify_failed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->toBe('invalid_code');
});
it('2fa recovery used writes auth_log event=2fa_recovery_used', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-recovery-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => 'JBSWY3DPEHPK3PXP',
]);
DB::table('user_recovery_codes')->insert([
'user_id' => $user->id,
'code_hash' => Hash::make('abcd1234'),
'used_at' => null,
]);
// Login to set pending_user_id.
$this->postJson('/api/auth/login', [
'email' => '2fa-recovery-log@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
$this->postJson('/api/auth/2fa/recovery-use', [
'code' => 'ABCD-1234',
])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_recovery_used')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa recovery failed writes auth_log event=2fa_recovery_failed', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-recovery-fail-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => 'JBSWY3DPEHPK3PXP',
]);
DB::table('user_recovery_codes')->insert([
'user_id' => $user->id,
'code_hash' => Hash::make('abcd1234'),
'used_at' => null,
]);
// Login to set pending_user_id.
$this->postJson('/api/auth/login', [
'email' => '2fa-recovery-fail-log@example.ru',
'password' => 'secret-pass-123',
])->assertOk();
$this->postJson('/api/auth/2fa/recovery-use', [
'code' => 'WRONG-9999',
])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', '2fa_recovery_failed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->toBe('invalid_or_used');
});
it('2fa setup init writes auth_log event=2fa_setup_init', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-init-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => false,
'totp_secret' => null,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/init')->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_setup_init')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa setup confirm writes auth_log event=2fa_setup_confirmed', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-confirm-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => false,
'totp_secret' => null,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/init')->assertOk();
$secret = session('auth.pending_totp_secret');
$google2fa = new Google2FA;
$code = $google2fa->getCurrentOtp($secret);
$this->postJson('/api/2fa/confirm', ['code' => $code])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_setup_confirmed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa disable success writes auth_log event=2fa_disabled', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-disabled-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/disable', ['password' => 'secret-pass-123'])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_disabled')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('2fa disable wrong password writes auth_log event=2fa_disable_failed', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-disable-fail-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/disable', ['password' => 'wrong-password'])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', '2fa_disable_failed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->toBe('invalid_password');
});
it('2fa regenerate recovery codes writes auth_log event=2fa_recovery_regenerated', function () {
$tenant = Tenant::factory()->create();
$google2fa = new Google2FA;
$secret = $google2fa->generateSecretKey();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => '2fa-regen-log@example.ru',
'password_hash' => Hash::make('secret-pass-123'),
'is_active' => true,
'totp_enabled' => true,
'totp_secret' => $secret,
]);
$this->actingAs($user);
$this->postJson('/api/2fa/regenerate-recovery-codes', ['password' => 'secret-pass-123'])->assertOk();
$row = DB::table('auth_log')
->where('event', '2fa_recovery_regenerated')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->tenant_id)->toBe($tenant->id);
});
it('password_reset_requested writes auth_log with user_id for known email', function () {
Notification::fake();
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'pr-known-log@example.ru',
'password_hash' => Hash::make('old-pass-1234'),
'is_active' => true,
]);
$this->postJson('/api/auth/forgot', [
'email' => 'pr-known-log@example.ru',
])->assertOk();
$row = DB::table('auth_log')
->where('event', 'password_reset_requested')
->where('email', 'pr-known-log@example.ru')
->latest('id')
->first();
expect($row)->not->toBeNull()
->and((int) $row->user_id)->toBe($user->id)
->and($row->failure_reason)->toBeNull();
});
it('password_reset_requested writes auth_log with unknown_email failure_reason for unknown email', function () {
Notification::fake();
$this->postJson('/api/auth/forgot', [
'email' => 'no-such-pr-log@example.ru',
])->assertOk();
$row = DB::table('auth_log')
->where('event', 'password_reset_requested')
->where('email', 'no-such-pr-log@example.ru')
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->user_id)->toBeNull()
->and($row->failure_reason)->toBe('unknown_email');
});
it('password_reset_completed writes auth_log on successful token reset', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'pr-completed-log@example.ru',
'password_hash' => Hash::make('old-pass-1234'),
'is_active' => true,
]);
$token = Password::createToken($user);
$this->postJson('/api/auth/reset-password', [
'token' => $token,
'email' => 'pr-completed-log@example.ru',
'password' => 'new-strong-pass-1234',
'password_confirmation' => 'new-strong-pass-1234',
])->assertOk();
$row = DB::table('auth_log')
->where('event', 'password_reset_completed')
->where('user_id', $user->id)
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->email)->toBe('pr-completed-log@example.ru');
});
it('password_reset_failed writes auth_log on invalid token', function () {
$tenant = Tenant::factory()->create();
User::factory()->create([
'tenant_id' => $tenant->id,
'email' => 'pr-failed-log@example.ru',
'password_hash' => Hash::make('old-pass-1234'),
'is_active' => true,
]);
$this->postJson('/api/auth/reset-password', [
'token' => 'invalid-token-zzz',
'email' => 'pr-failed-log@example.ru',
'password' => 'new-strong-pass-1234',
'password_confirmation' => 'new-strong-pass-1234',
])->assertStatus(422);
$row = DB::table('auth_log')
->where('event', 'password_reset_failed')
->where('email', 'pr-failed-log@example.ru')
->latest('id')
->first();
expect($row)->not->toBeNull()
->and($row->failure_reason)->not->toBeNull();
});
Reference in New Issue View Git Blame Copy Permalink