Files
InvoiceShelf/tests/Feature/Customer/EmailLogTokenTest.php
Darko Gjorgjijoski e56b6b4fe5 fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#669)
v3 port. Customer PDF controllers resolved the target document by raw
mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints.

- Resolve via $emailLog->mailable + assert the expected type (404) to close
  cross-type disclosure.
- Enforce isExpired() (403) on every public path incl. the JSON endpoints.
- Harden EmailLog::isExpired() against a null/unresolvable mailable.

Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
2026-06-12 11:02:11 +02:00

62 lines
1.9 KiB
PHP

<?php
namespace Tests\Feature\Customer;
use App\Models\CompanySetting;
use App\Models\EmailLog;
use App\Models\Invoice;
use App\Models\Payment;
use Illuminate\Support\Facades\Artisan;
use function Pest\Laravel\get;
beforeEach(function () {
Artisan::call('db:seed', ['--class' => 'DatabaseSeeder', '--force' => true]);
Artisan::call('db:seed', ['--class' => 'DemoSeeder', '--force' => true]);
});
test('email-log token enforces the mailable type (no cross-type disclosure)', function () {
$payment = Payment::factory()->create();
// Token issued for a Payment must not resolve a document on the invoice
// or estimate routes, even if the numeric id collides.
$emailLog = EmailLog::factory()->create([
'mailable_type' => Payment::class,
'mailable_id' => $payment->id,
'token' => 'tok-type-confusion',
]);
get('/customer/invoices/'.$emailLog->token)->assertNotFound();
get('/customer/estimates/'.$emailLog->token)->assertNotFound();
});
test('json invoice endpoint enforces link expiry', function () {
$invoice = Invoice::factory()->create();
CompanySetting::setSettings([
'automatically_expire_public_links' => 'YES',
'link_expiry_days' => '1',
], $invoice->company_id);
$emailLog = EmailLog::factory()->create([
'mailable_type' => Invoice::class,
'mailable_id' => $invoice->id,
'token' => 'tok-expired',
'created_at' => now()->subDays(5),
]);
get('/customer/invoices/'.$emailLog->token)->assertForbidden();
});
test('json invoice endpoint returns the invoice for a valid token', function () {
$invoice = Invoice::factory()->create();
$emailLog = EmailLog::factory()->create([
'mailable_type' => Invoice::class,
'mailable_id' => $invoice->id,
'token' => 'tok-valid',
]);
get('/customer/invoices/'.$emailLog->token)->assertOk();
});