Harden tenant admin auth and photo moderation

This commit is contained in:
Codex Agent
2026-01-30 14:53:51 +01:00
parent d45cb6a087
commit 916b204688
7 changed files with 220 additions and 11 deletions


@@ -184,6 +184,30 @@ class LoginTest extends TestCase
$response->assertRedirect('/event-admin/dashboard');
}
public function test_tenant_admin_login_rejects_lookalike_return_host(): void
{
$user = User::factory()->create([
'email' => 'hostcheck@example.com',
'role' => 'tenant_admin',
'password' => bcrypt('password'),
'email_verified_at' => now(),
]);
$appHost = parse_url(config('app.url'), PHP_URL_HOST) ?? 'localhost';
$targetHost = 'evil-'.$appHost;
$target = "https://{$targetHost}/event-admin/dashboard";
$encodedReturn = rtrim(strtr(base64_encode($target), '+/', '-_'), '=');
$response = $this->post(route('login.store'), [
'login' => 'hostcheck@example.com',
'password' => 'password',
'return_to' => $encodedReturn,
]);
$this->assertAuthenticatedAs($user);
$response->assertRedirect('/event-admin/dashboard');
}
public function test_tenant_admin_can_access_login_with_admin_return_path_when_authenticated()
{
$user = User::factory()->create([