2026-03-04 15:56:58 +01:00
|
|
|
<?php
|
|
|
|
|
|
refactor(audit): extract audit domain into self-contained module
Move the entire audit subsystem (system audit, API audit, import audit,
user lifecycle audit, frontend telemetry) from core into modules/audit/.
Core decoupling via interface-based injection:
- AuditRecorderInterface replaces SystemAuditService in 10+ core services
- UserLifecycleAuditInterface / ImportAuditInterface for specialized flows
- NullAuditRecorder fallback when audit module is disabled
- ApiBootstrap/ApiResponse use null-safe callable resolvers
Module structure (modules/audit/):
- Manifest with routes, permissions, scheduler jobs, authorization policy
- 9 services, 8 repositories, 6 domain enums, 4 job handlers
- 33 page files, 4 JS files, 8 test files, migration scripts, i18n
Core cleanup:
- OperationsAuthorizationPolicy, UiCapabilityMap, PermissionService
surgically cleaned of audit-specific constants
- Sidebar template cleared of hardcoded audit navigation
- AuditModuleIsolationContractTest ensures no future core→module coupling
All quality gates pass: 1346 tests (19,276 assertions), PHPStan level 5
clean, architecture contracts verified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 21:12:49 +01:00
|
|
|
namespace MintyPHP\Tests\Module\Audit\Service;
|
2026-03-04 15:56:58 +01:00
|
|
|
|
2026-04-05 23:20:55 +02:00
|
|
|
use MintyPHP\Http\ApiAuth;
|
2026-03-05 11:17:42 +01:00
|
|
|
use MintyPHP\Http\RequestContext;
|
test(auth): add 33 unit tests for AuthService and RememberMeService
AuthServiceTest (17 tests): canLoginToTenant, refreshSessionAuthState,
loginUserById, login email-not-verified branch.
RememberMeServiceTest (16 tests): rememberUser, autoLoginFromCookie
(all 11 branches), forgetCurrentUser, forgetAllForUser,
expireAllTokensByAdmin.
Also fixes: 3 PHPStan errors in FrontendTelemetryIngestService,
8 CS-Fixer violations in out-of-scope files (ordered_imports,
braces_position).
All quality gates green: QG-001 (429 tests/0 failures),
QG-002 (0 errors), QG-003 (11 arch tests pass), QG-006 (0 violations).
Task: AUTH-LOGIN-REVIEW-001
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 11:43:31 +01:00
|
|
|
use MintyPHP\Http\RequestRuntime;
|
2026-03-26 12:33:59 +01:00
|
|
|
use MintyPHP\Module\Audit\Repository\ApiAuditLogRepository;
|
refactor(audit): extract audit domain into self-contained module
Move the entire audit subsystem (system audit, API audit, import audit,
user lifecycle audit, frontend telemetry) from core into modules/audit/.
Core decoupling via interface-based injection:
- AuditRecorderInterface replaces SystemAuditService in 10+ core services
- UserLifecycleAuditInterface / ImportAuditInterface for specialized flows
- NullAuditRecorder fallback when audit module is disabled
- ApiBootstrap/ApiResponse use null-safe callable resolvers
Module structure (modules/audit/):
- Manifest with routes, permissions, scheduler jobs, authorization policy
- 9 services, 8 repositories, 6 domain enums, 4 job handlers
- 33 page files, 4 JS files, 8 test files, migration scripts, i18n
Core cleanup:
- OperationsAuthorizationPolicy, UiCapabilityMap, PermissionService
surgically cleaned of audit-specific constants
- Sidebar template cleared of hardcoded audit navigation
- AuditModuleIsolationContractTest ensures no future core→module coupling
All quality gates pass: 1346 tests (19,276 assertions), PHPStan level 5
clean, architecture contracts verified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 21:12:49 +01:00
|
|
|
use MintyPHP\Module\Audit\Service\ApiAuditService;
|
2026-03-04 15:56:58 +01:00
|
|
|
use PHPUnit\Framework\TestCase;
|
|
|
|
|
|
|
|
|
|
class ApiAuditServiceTest extends TestCase
|
|
|
|
|
{
|
|
|
|
|
private array $serverBackup = [];
|
|
|
|
|
private array $getBackup = [];
|
|
|
|
|
|
|
|
|
|
protected function setUp(): void
|
|
|
|
|
{
|
|
|
|
|
$this->serverBackup = $_SERVER;
|
|
|
|
|
$this->getBackup = $_GET;
|
|
|
|
|
RequestContext::resetForTests();
|
2026-04-05 23:20:55 +02:00
|
|
|
ApiAuth::authenticate();
|
2026-03-04 15:56:58 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected function tearDown(): void
|
|
|
|
|
{
|
|
|
|
|
$_SERVER = $this->serverBackup;
|
|
|
|
|
$_GET = $this->getBackup;
|
|
|
|
|
RequestContext::resetForTests();
|
2026-04-05 23:20:55 +02:00
|
|
|
ApiAuth::authenticate();
|
2026-03-04 15:56:58 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testCurrentRequestIdIsNullBeforeStart(): void
|
|
|
|
|
{
|
2026-03-06 00:44:52 +01:00
|
|
|
$service = new ApiAuditService(
|
2026-03-26 12:33:59 +01:00
|
|
|
$this->createMock(ApiAuditLogRepository::class),
|
2026-03-06 00:44:52 +01:00
|
|
|
new RequestRuntime()
|
|
|
|
|
);
|
2026-03-04 15:56:58 +01:00
|
|
|
$this->assertNull($service->currentRequestId());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testCurrentRequestIdIsGeneratedForRegularRequests(): void
|
|
|
|
|
{
|
|
|
|
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
|
|
|
|
$_SERVER['REQUEST_URI'] = '/api/v1/me?x=1';
|
|
|
|
|
$_GET = ['x' => '1'];
|
|
|
|
|
|
2026-03-06 00:44:52 +01:00
|
|
|
$service = new ApiAuditService(
|
2026-03-26 12:33:59 +01:00
|
|
|
$this->createMock(ApiAuditLogRepository::class),
|
2026-03-06 00:44:52 +01:00
|
|
|
new RequestRuntime()
|
|
|
|
|
);
|
2026-03-04 15:56:58 +01:00
|
|
|
$service->startRequestContext();
|
|
|
|
|
|
|
|
|
|
$requestId = $service->currentRequestId();
|
|
|
|
|
$this->assertNotNull($requestId);
|
|
|
|
|
$this->assertMatchesRegularExpression(
|
|
|
|
|
'/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
|
|
|
|
|
$requestId
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
$service->startRequestContext();
|
|
|
|
|
$this->assertSame($requestId, $service->currentRequestId());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testCurrentRequestIdStaysNullForOptionsRequests(): void
|
|
|
|
|
{
|
|
|
|
|
$_SERVER['REQUEST_METHOD'] = 'OPTIONS';
|
|
|
|
|
$_SERVER['REQUEST_URI'] = '/api/v1/me';
|
|
|
|
|
$_GET = [];
|
|
|
|
|
|
2026-03-06 00:44:52 +01:00
|
|
|
$service = new ApiAuditService(
|
2026-03-26 12:33:59 +01:00
|
|
|
$this->createMock(ApiAuditLogRepository::class),
|
2026-03-06 00:44:52 +01:00
|
|
|
new RequestRuntime()
|
|
|
|
|
);
|
2026-03-04 15:56:58 +01:00
|
|
|
$service->startRequestContext();
|
|
|
|
|
|
|
|
|
|
$this->assertNull($service->currentRequestId());
|
|
|
|
|
}
|
2026-04-05 23:20:55 +02:00
|
|
|
|
|
|
|
|
public function testFinishStoresOnlyAllowlistedQueryKeysAndHashedNetworkMetadata(): void
|
|
|
|
|
{
|
|
|
|
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
|
|
|
|
$_SERVER['REQUEST_URI'] = '/api/v1/users?active=1&email=user@example.com&token=secret&search=max';
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '203.0.113.10';
|
|
|
|
|
$_SERVER['HTTP_USER_AGENT'] = 'TestAgent/1.0';
|
|
|
|
|
$_GET = [
|
|
|
|
|
'active' => '1',
|
|
|
|
|
'email' => 'user@example.com',
|
|
|
|
|
'token' => 'secret',
|
|
|
|
|
'search' => 'max',
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$captured = null;
|
|
|
|
|
$repository = $this->createMock(ApiAuditLogRepository::class);
|
|
|
|
|
$repository->expects($this->once())
|
|
|
|
|
->method('create')
|
|
|
|
|
->willReturnCallback(static function (array $payload) use (&$captured): int {
|
|
|
|
|
$captured = $payload;
|
|
|
|
|
return 1;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
$service = new ApiAuditService($repository, new RequestRuntime());
|
|
|
|
|
$service->startRequestContext();
|
|
|
|
|
$service->finish(204);
|
|
|
|
|
|
|
|
|
|
$this->assertIsArray($captured);
|
|
|
|
|
$decodedQuery = json_decode((string) ($captured['query_json'] ?? ''), true);
|
|
|
|
|
$this->assertSame(['keys' => ['active', 'search']], $decodedQuery);
|
|
|
|
|
$this->assertSame(RequestContext::hashValue('203.0.113.10'), $captured['ip']);
|
|
|
|
|
$this->assertSame(RequestContext::hashValue('TestAgent/1.0'), $captured['user_agent']);
|
|
|
|
|
$this->assertNotSame('203.0.113.10', $captured['ip']);
|
|
|
|
|
$this->assertNotSame('TestAgent/1.0', $captured['user_agent']);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testFinishSkipsQueryMetadataWhenNoAllowlistedKeyExists(): void
|
|
|
|
|
{
|
|
|
|
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
|
|
|
|
$_SERVER['REQUEST_URI'] = '/api/v1/users?email=user@example.com&token=secret';
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '203.0.113.20';
|
|
|
|
|
$_SERVER['HTTP_USER_AGENT'] = 'NoAllowlistAgent/1.0';
|
|
|
|
|
$_GET = [
|
|
|
|
|
'email' => 'user@example.com',
|
|
|
|
|
'token' => 'secret',
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$captured = null;
|
|
|
|
|
$repository = $this->createMock(ApiAuditLogRepository::class);
|
|
|
|
|
$repository->expects($this->once())
|
|
|
|
|
->method('create')
|
|
|
|
|
->willReturnCallback(static function (array $payload) use (&$captured): int {
|
|
|
|
|
$captured = $payload;
|
|
|
|
|
return 1;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
$service = new ApiAuditService($repository, new RequestRuntime());
|
|
|
|
|
$service->startRequestContext();
|
|
|
|
|
$service->finish(200);
|
|
|
|
|
|
|
|
|
|
$this->assertIsArray($captured);
|
|
|
|
|
$this->assertNull($captured['query_json'] ?? null);
|
|
|
|
|
}
|
2026-03-04 15:56:58 +01:00
|
|
|
}
|