Improve API authentication tests to properly verify fix

arukompas · arukompas · commit b83e185b03ef · 2025-10-17T17:22:37.000+03:00
- Override default stateful domains (exclude localhost) in key tests
- Verify session middleware is actually applied via hasSession() checks
- Use production-like domains (production.example.com) instead of localhost
- Tests now properly fail when fix is disabled (verified 3 failures)
- All 294 tests pass with fix enabled
diff --git a/tests/Feature/Authorization/ApiAuthenticationTest.php b/tests/Feature/Authorization/ApiAuthenticationTest.php
@@ -25,12 +25,21 @@
 });
 
 test('authentication works when APP_URL is empty using same-domain fallback', function () {
-    config(['app.url' => '']);
+    config([
+        'app.url' => '',
+        'log-viewer.api_stateful_domains' => [], // Override to exclude localhost
+    ]);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+        return true;
+    });
 
-    $response = getJson(route('log-viewer.folders'), [
-        'referer' => 'http://localhost/',
+    $response = getJson('http://production.example.com/log-viewer/api/folders', [
+        'referer' => 'http://production.example.com/',
     ]);
 
     $response->assertOk();
@@ -72,9 +81,18 @@
 });
 
 test('same-domain requests work without APP_URL configured', function () {
-    config(['app.url' => null]);
+    config([
+        'app.url' => null,
+        'log-viewer.api_stateful_domains' => [], // Override to exclude localhost
+    ]);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+        return true;
+    });
 
     // Simulate request from same domain
     $response = getJson('http://production.example.com/log-viewer/api/folders', [
@@ -85,13 +103,22 @@
 });
 
 test('same-domain requests with custom port work without APP_URL', function () {
-    config(['app.url' => null]);
+    config([
+        'app.url' => null,
+        'log-viewer.api_stateful_domains' => [], // Override to exclude localhost
+    ]);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+        return true;
+    });
 
     // Simulate request from same domain with custom port
-    $response = getJson('http://localhost:8080/log-viewer/api/folders', [
-        'referer' => 'http://localhost:8080/log-viewer',
+    $response = getJson('http://production.example.com:8080/log-viewer/api/folders', [
+        'referer' => 'http://production.example.com:8080/log-viewer',
     ]);
 
     $response->assertOk();
