security: 2026-06-11 稽核修補——封鎖 admin/register P0 漏洞、is_verified 業務約束、預約核心測試 #28
@@ -66,13 +66,9 @@
|
||||
- **WHEN** role=member 的帳號嘗試 `POST /api/provider/login`
|
||||
- **THEN** 回傳 HTTP 401,`{ status: false, message: "電子郵件或密碼錯誤" }`(查詢以 role 過濾,跨角色帳號視同不存在)
|
||||
|
||||
#### Scenario: Admin 註冊成功
|
||||
- **WHEN** 送出有效的 name / email / password / password_confirmation 至 `POST /api/admin/register`
|
||||
- **THEN** 回傳 HTTP 201,body 包含 `{ status: true, data: { user } }`,DB 存在對應 admin 用戶
|
||||
|
||||
#### Scenario: Admin 重複 Email 註冊失敗
|
||||
- **WHEN** 送出已存在的 email 至 `POST /api/admin/register`
|
||||
- **THEN** 回傳 HTTP 422
|
||||
#### Scenario: Admin 公開註冊端點保持關閉
|
||||
- **WHEN** 任何人送出 `POST /api/admin/register`(該端點已於 2026-06-11 因 P0 漏洞移除,見 admin-auth 規格「管理員帳號建立途徑」)
|
||||
- **THEN** 回傳 HTTP 404,且不建立任何帳號;帳號建立改由 `app:create-admin` command 覆蓋測試
|
||||
|
||||
#### Scenario: Admin 登入成功
|
||||
- **WHEN** 送出正確的 email / password 至 `POST /api/admin/login`
|
||||
|
||||
@@ -248,40 +248,7 @@ class AuthLoginTest extends TestCase
|
||||
->assertStatus(401);
|
||||
}
|
||||
|
||||
// ── admin 註冊 ───────────────────────────────────────────
|
||||
|
||||
public function test_admin_register_success(): void
|
||||
{
|
||||
$response = $this->postJson('/api/admin/register', [
|
||||
'name' => 'Test Admin',
|
||||
'email' => 'newadmin@example.com',
|
||||
'password' => 'password123',
|
||||
'password_confirmation' => 'password123',
|
||||
]);
|
||||
|
||||
$response->assertStatus(201)
|
||||
->assertJsonPath('status', true)
|
||||
->assertJsonStructure(['data' => ['user']]);
|
||||
|
||||
$this->assertDatabaseHas('users', [
|
||||
'email' => 'newadmin@example.com',
|
||||
'role' => 'admin',
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_admin_register_duplicate_email_returns_422(): void
|
||||
{
|
||||
$this->createAdmin(['email' => 'dup-admin@example.com']);
|
||||
|
||||
$response = $this->postJson('/api/admin/register', [
|
||||
'name' => 'Another Admin',
|
||||
'email' => 'dup-admin@example.com',
|
||||
'password' => 'password123',
|
||||
'password_confirmation' => 'password123',
|
||||
]);
|
||||
|
||||
$response->assertStatus(422);
|
||||
}
|
||||
// admin 註冊端點已移除(P0 漏洞),帳號建立途徑見 AdminAccountCreationTest
|
||||
|
||||
// ── admin 登入/登出 ─────────────────────────────────────
|
||||
|
||||
|
||||
Reference in New Issue
Block a user