soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

implemented a lot of security measures

Browse Source
This commit is contained in:
Codex Agent
2025-12-09 20:29:32 +01:00
parent 4bdb93c171
commit 928d28fcaf
21 changed files with 953 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
tests/Feature/Api/Event/BrandingAssetTest.php Normal file
View File

@@ -0,0 +1,52 @@
<?php
namespace Tests\Feature\Api\Event;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Config;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\URL;
use Tests\TestCase;
class BrandingAssetTest extends TestCase
{
use RefreshDatabase;
public function test_branding_asset_serves_signed_file(): void
{
Config::set('filesystems.default', 'public');
Storage::fake('public');
$path = 'branding/logo.png';
Storage::disk('public')->put($path, 'branding-content');
$url = URL::temporarySignedRoute(
'api.v1.branding.asset',
now()->addMinutes(5),
['path' => $path]
);
$response = $this->get($url);
$response->assertOk();
$this->assertSame('branding-content', $response->streamedContent());
$this->assertStringContainsString('max-age=3600', $response->headers->get('Cache-Control'));
$this->assertStringContainsString('private', $response->headers->get('Cache-Control'));
}
public function test_branding_asset_rejects_invalid_path(): void
{
Config::set('filesystems.default', 'public');
Storage::fake('public');
$url = URL::temporarySignedRoute(
'api.v1.branding.asset',
now()->addMinutes(5),
['path' => '../.env']
);
$response = $this->get($url);
$response->assertStatus(404);
}
}

106
tests/Feature/Api/Event/EventUploadSecurityTest.php Normal file
View File

@@ -0,0 +1,106 @@
<?php
namespace Tests\Feature\Api\Event;
use App\Jobs\ProcessPhotoSecurityScan;
use App\Models\Event;
use App\Models\EventPackage;
use App\Models\EventType;
use App\Models\MediaStorageTarget;
use App\Models\Package;
use App\Models\Tenant;
use App\Services\EventJoinTokenService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Facades\Bus;
use Illuminate\Support\Facades\Storage;
use Tests\TestCase;
class EventUploadSecurityTest extends TestCase
{
use RefreshDatabase;
public function test_guest_upload_rejects_svg_and_does_not_dispatch_scan(): void
{
[$token] = $this->prepareUploadContext();
Bus::fake();
$response = $this->postJson("/api/v1/events/{$token}/upload", [
'photo' => UploadedFile::fake()->create('evil.svg', 10, 'image/svg+xml'),
]);
$response->assertStatus(422);
Bus::assertNothingDispatched();
}
public function test_guest_upload_dispatches_security_scan_for_valid_image(): void
{
[$token] = $this->prepareUploadContext();
Bus::fake();
$response = $this->postJson("/api/v1/events/{$token}/upload", [
'photo' => UploadedFile::fake()->image('photo.jpg', 800, 600),
]);
$response->assertCreated()
->assertJsonPath('status', 'pending');
Bus::assertDispatched(ProcessPhotoSecurityScan::class);
}
/**
* @return array{string}
*/
private function prepareUploadContext(): array
{
config(['filesystems.default' => 'public']);
Storage::fake('public');
$tenant = Tenant::factory()->create();
$package = Package::factory()->endcustomer()->create([
'max_photos' => 100,
'gallery_days' => 14,
]);
$eventType = EventType::factory()->create();
$event = Event::factory()->create([
'tenant_id' => $tenant->id,
'event_type_id' => $eventType->id,
'status' => 'published',
'photo_upload_enabled' => true,
]);
MediaStorageTarget::create([
'key' => 'public',
'name' => 'Public (test)',
'driver' => 'local',
'config' => [
'root' => Storage::disk('public')->path(''),
'url' => 'http://localhost/storage',
'visibility' => 'public',
],
'is_hot' => true,
'is_default' => true,
'is_active' => true,
'priority' => 10,
]);
EventPackage::create([
'event_id' => $event->id,
'package_id' => $package->id,
'purchased_price' => $package->price,
'purchased_at' => now(),
'used_photos' => 0,
'gallery_expires_at' => now()->addDays($package->gallery_days ?? 30),
]);
$token = app(EventJoinTokenService::class)
->createToken($event, ['label' => 'Test upload'])
->getAttribute('plain_token');
return [$token];
}
}

169
tests/Feature/Jobs/ProcessPhotoSecurityScanTest.php Normal file
View File

@@ -0,0 +1,169 @@
<?php
namespace Tests\Feature\Jobs;
use App\Jobs\ProcessPhotoSecurityScan;
use App\Models\Event;
use App\Models\EventMediaAsset;
use App\Models\EventPackage;
use App\Models\EventType;
use App\Models\MediaStorageTarget;
use App\Models\Package;
use App\Models\Photo;
use App\Models\Tenant;
use App\Services\Security\PhotoSecurityScanner;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Storage;
use Tests\TestCase;
class ProcessPhotoSecurityScanTest extends TestCase
{
use RefreshDatabase;
public function test_clean_scan_auto_approves_pending_photo(): void
{
[$photo, $asset] = $this->seedPhotoWithAsset();
$scanner = new class extends PhotoSecurityScanner {
public function scan(string $disk, ?string $relativePath): array
{
return ['status' => 'clean', 'message' => 'ok'];
}
public function stripExif(string $disk, ?string $relativePath): array
{
return ['status' => 'stripped', 'message' => 'removed'];
}
};
(new ProcessPhotoSecurityScan($photo->id))->handle($scanner);
$photo->refresh();
$this->assertSame('approved', $photo->status);
$this->assertSame('clean', $photo->security_scan_status);
$this->assertNotNull($photo->security_scanned_at);
}
public function test_skipped_scan_still_approves_pending_photo(): void
{
[$photo] = $this->seedPhotoWithAsset();
$scanner = new class extends PhotoSecurityScanner {
public function scan(string $disk, ?string $relativePath): array
{
return ['status' => 'skipped', 'message' => 'disabled'];
}
public function stripExif(string $disk, ?string $relativePath): array
{
return ['status' => 'skipped'];
}
};
(new ProcessPhotoSecurityScan($photo->id))->handle($scanner);
$photo->refresh();
$this->assertSame('approved', $photo->status);
$this->assertSame('skipped', $photo->security_scan_status);
}
public function test_infected_scan_rejects_photo(): void
{
[$photo, $asset] = $this->seedPhotoWithAsset();
$scanner = new class extends PhotoSecurityScanner {
public function scan(string $disk, ?string $relativePath): array
{
return ['status' => 'infected', 'message' => 'bad'];
}
public function stripExif(string $disk, ?string $relativePath): array
{
return ['status' => 'skipped'];
}
};
(new ProcessPhotoSecurityScan($photo->id))->handle($scanner);
$photo->refresh();
$this->assertSame('rejected', $photo->status);
$this->assertSame('infected', $photo->security_scan_status);
}
/**
* @return array{Photo, EventMediaAsset}
*/
private function seedPhotoWithAsset(): array
{
Storage::fake('public');
$tenant = Tenant::factory()->create();
$eventType = EventType::factory()->create();
$package = Package::factory()->endcustomer()->create([
'max_photos' => 100,
'gallery_days' => 30,
]);
$event = Event::factory()->create([
'tenant_id' => $tenant->id,
'event_type_id' => $eventType->id,
'status' => 'published',
]);
EventPackage::create([
'event_id' => $event->id,
'package_id' => $package->id,
'purchased_price' => $package->price,
'purchased_at' => now(),
'used_photos' => 0,
'gallery_expires_at' => now()->addDays($package->gallery_days ?? 30),
]);
$path = "events/{$event->id}/photos/example.jpg";
Storage::disk('public')->put($path, 'fake-image');
$target = MediaStorageTarget::create([
'key' => 'public',
'name' => 'Public (test)',
'driver' => 'local',
'config' => [
'root' => Storage::disk('public')->path(''),
'url' => 'http://localhost/storage',
'visibility' => 'public',
],
'is_hot' => true,
'is_default' => true,
'is_active' => true,
'priority' => 10,
]);
$photo = Photo::create([
'event_id' => $event->id,
'guest_name' => 'tester',
'file_path' => $path,
'thumbnail_path' => $path,
'status' => 'pending',
'ingest_source' => Photo::SOURCE_GUEST_PWA,
]);
$asset = EventMediaAsset::create([
'event_id' => $event->id,
'photo_id' => $photo->id,
'media_storage_target_id' => $target->id,
'disk' => 'public',
'path' => $path,
'variant' => 'original',
'status' => 'hot',
'processed_at' => now(),
'mime_type' => 'image/jpeg',
'size_bytes' => 10,
]);
$photo->update(['media_asset_id' => $asset->id]);
return [$photo, $asset];
}
}