harden(api-login): remove account-state leak and equalize failure timing

This commit is contained in:
2026-04-25 21:37:09 +02:00
parent e775ed2800
commit 61c1d18e95
3 changed files with 20 additions and 26 deletions

View File

@@ -14,6 +14,15 @@ class AuthzApiBootstrapContractTest extends TestCase
$this->assertStringContainsString('ApiBootstrap::init(false);', $content);
}
public function testApiLoginUsesUniformCredentialErrorAndTimingEqualization(): void
{
$content = $this->readProjectFile('pages/api/v1/auth/login().php');
$this->assertStringContainsString('$dummyPasswordHash =', $content);
$this->assertStringContainsString('password_verify($password, $userPasswordHash)', $content);
$this->assertStringContainsString("ApiResponse::error('invalid_credentials', 401);", $content);
$this->assertStringNotContainsString("ApiResponse::error('account_inactive', 401);", $content);
}
public function testApiBootstrapSupportsOptionalAuthRequirement(): void
{
$content = $this->readProjectFile('core/Http/ApiBootstrap.php');