implemented a lot of security measures

2025-12-09 20:29:32 +01:00
parent 4bdb93c171
commit 928d28fcaf
21 changed files with 953 additions and 134 deletions
--- a/tests/Feature/Api/Event/BrandingAssetTest.php
+++ b/tests/Feature/Api/Event/BrandingAssetTest.php
@@ -0,0 +1,52 @@
+<?php
+
+namespace Tests\Feature\Api\Event;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Facades\URL;
+use Tests\TestCase;
+
+class BrandingAssetTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_branding_asset_serves_signed_file(): void
+    {
+        Config::set('filesystems.default', 'public');
+        Storage::fake('public');
+
+        $path = 'branding/logo.png';
+        Storage::disk('public')->put($path, 'branding-content');
+
+        $url = URL::temporarySignedRoute(
+            'api.v1.branding.asset',
+            now()->addMinutes(5),
+            ['path' => $path]
+        );
+
+        $response = $this->get($url);
+
+        $response->assertOk();
+        $this->assertSame('branding-content', $response->streamedContent());
+        $this->assertStringContainsString('max-age=3600', $response->headers->get('Cache-Control'));
+        $this->assertStringContainsString('private', $response->headers->get('Cache-Control'));
+    }
+
+    public function test_branding_asset_rejects_invalid_path(): void
+    {
+        Config::set('filesystems.default', 'public');
+        Storage::fake('public');
+
+        $url = URL::temporarySignedRoute(
+            'api.v1.branding.asset',
+            now()->addMinutes(5),
+            ['path' => '../.env']
+        );
+
+        $response = $this->get($url);
+
+        $response->assertStatus(404);
+    }
+}