forked from fa/breadcrumb-the-shire
harden(api-login): remove account-state leak and equalize failure timing
This commit is contained in:
@@ -14,6 +14,15 @@ class AuthzApiBootstrapContractTest extends TestCase
|
||||
$this->assertStringContainsString('ApiBootstrap::init(false);', $content);
|
||||
}
|
||||
|
||||
public function testApiLoginUsesUniformCredentialErrorAndTimingEqualization(): void
|
||||
{
|
||||
$content = $this->readProjectFile('pages/api/v1/auth/login().php');
|
||||
$this->assertStringContainsString('$dummyPasswordHash =', $content);
|
||||
$this->assertStringContainsString('password_verify($password, $userPasswordHash)', $content);
|
||||
$this->assertStringContainsString("ApiResponse::error('invalid_credentials', 401);", $content);
|
||||
$this->assertStringNotContainsString("ApiResponse::error('account_inactive', 401);", $content);
|
||||
}
|
||||
|
||||
public function testApiBootstrapSupportsOptionalAuthRequirement(): void
|
||||
{
|
||||
$content = $this->readProjectFile('core/Http/ApiBootstrap.php');
|
||||
|
||||
Reference in New Issue
Block a user