serverBackup = $_SERVER; $this->getBackup = $_GET; RequestContext::resetForTests(); ApiAuth::authenticate(); } protected function tearDown(): void { $_SERVER = $this->serverBackup; $_GET = $this->getBackup; RequestContext::resetForTests(); ApiAuth::authenticate(); } public function testCurrentRequestIdIsNullBeforeStart(): void { $service = new ApiAuditService( $this->createMock(ApiAuditLogRepository::class), new RequestRuntime() ); $this->assertNull($service->currentRequestId()); } public function testCurrentRequestIdIsGeneratedForRegularRequests(): void { $_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_URI'] = '/api/v1/me?x=1'; $_GET = ['x' => '1']; $service = new ApiAuditService( $this->createMock(ApiAuditLogRepository::class), new RequestRuntime() ); $service->startRequestContext(); $requestId = $service->currentRequestId(); $this->assertNotNull($requestId); $this->assertMatchesRegularExpression( '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $requestId ); $service->startRequestContext(); $this->assertSame($requestId, $service->currentRequestId()); } public function testCurrentRequestIdStaysNullForOptionsRequests(): void { $_SERVER['REQUEST_METHOD'] = 'OPTIONS'; $_SERVER['REQUEST_URI'] = '/api/v1/me'; $_GET = []; $service = new ApiAuditService( $this->createMock(ApiAuditLogRepository::class), new RequestRuntime() ); $service->startRequestContext(); $this->assertNull($service->currentRequestId()); } public function testFinishStoresOnlyAllowlistedQueryKeysAndHashedNetworkMetadata(): void { $_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_URI'] = '/api/v1/users?active=1&email=user@example.com&token=secret&search=max'; $_SERVER['REMOTE_ADDR'] = '203.0.113.10'; $_SERVER['HTTP_USER_AGENT'] = 'TestAgent/1.0'; $_GET = [ 'active' => '1', 'email' => 'user@example.com', 'token' => 'secret', 'search' => 'max', ]; $captured = null; $repository = $this->createMock(ApiAuditLogRepository::class); $repository->expects($this->once()) ->method('create') ->willReturnCallback(static function (array $payload) use (&$captured): int { $captured = $payload; return 1; }); $service = new ApiAuditService($repository, new RequestRuntime()); $service->startRequestContext(); $service->finish(204); $this->assertIsArray($captured); $decodedQuery = json_decode((string) ($captured['query_json'] ?? ''), true); $this->assertSame(['keys' => ['active', 'search']], $decodedQuery); $this->assertSame(RequestContext::hashValue('203.0.113.10'), $captured['ip']); $this->assertSame(RequestContext::hashValue('TestAgent/1.0'), $captured['user_agent']); $this->assertNotSame('203.0.113.10', $captured['ip']); $this->assertNotSame('TestAgent/1.0', $captured['user_agent']); } public function testFinishSkipsQueryMetadataWhenNoAllowlistedKeyExists(): void { $_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_URI'] = '/api/v1/users?email=user@example.com&token=secret'; $_SERVER['REMOTE_ADDR'] = '203.0.113.20'; $_SERVER['HTTP_USER_AGENT'] = 'NoAllowlistAgent/1.0'; $_GET = [ 'email' => 'user@example.com', 'token' => 'secret', ]; $captured = null; $repository = $this->createMock(ApiAuditLogRepository::class); $repository->expects($this->once()) ->method('create') ->willReturnCallback(static function (array $payload) use (&$captured): int { $captured = $payload; return 1; }); $service = new ApiAuditService($repository, new RequestRuntime()); $service->startRequestContext(); $service->finish(200); $this->assertIsArray($captured); $this->assertNull($captured['query_json'] ?? null); } }