security: 2026-06-11 稽核修補——封鎖 admin/register P0 漏洞、is_verified 業務約束、預約核心測試 #28

Merged
a620906209 merged 7 commits from fix/audit-remediation into master 2026-06-11 10:21:33 +00:00
2 changed files with 4 additions and 41 deletions
Showing only changes of commit cec2078035 - Show all commits
+3 -7
View File
@@ -66,13 +66,9 @@
- **WHEN** role=member 的帳號嘗試 `POST /api/provider/login` - **WHEN** role=member 的帳號嘗試 `POST /api/provider/login`
- **THEN** 回傳 HTTP 401`{ status: false, message: "電子郵件或密碼錯誤" }`(查詢以 role 過濾,跨角色帳號視同不存在) - **THEN** 回傳 HTTP 401`{ status: false, message: "電子郵件或密碼錯誤" }`(查詢以 role 過濾,跨角色帳號視同不存在)
#### Scenario: Admin 註冊成功 #### Scenario: Admin 公開註冊端點保持關閉
- **WHEN** 送出有效的 name / email / password / password_confirmation 至 `POST /api/admin/register` - **WHEN** 任何人送出 `POST /api/admin/register`(該端點已於 2026-06-11 因 P0 漏洞移除,見 admin-auth 規格「管理員帳號建立途徑」)
- **THEN** 回傳 HTTP 201body 包含 `{ status: true, data: { user } }`DB 存在對應 admin 用戶 - **THEN** 回傳 HTTP 404,且不建立任何帳號;帳號建立改由 `app:create-admin` command 覆蓋測試
#### Scenario: Admin 重複 Email 註冊失敗
- **WHEN** 送出已存在的 email 至 `POST /api/admin/register`
- **THEN** 回傳 HTTP 422
#### Scenario: Admin 登入成功 #### Scenario: Admin 登入成功
- **WHEN** 送出正確的 email / password 至 `POST /api/admin/login` - **WHEN** 送出正確的 email / password 至 `POST /api/admin/login`
+1 -34
View File
@@ -248,40 +248,7 @@ class AuthLoginTest extends TestCase
->assertStatus(401); ->assertStatus(401);
} }
// ── admin 註冊 ─────────────────────────────────────────── // admin 註冊端點已移除(P0 漏洞),帳號建立途徑見 AdminAccountCreationTest
public function test_admin_register_success(): void
{
$response = $this->postJson('/api/admin/register', [
'name' => 'Test Admin',
'email' => 'newadmin@example.com',
'password' => 'password123',
'password_confirmation' => 'password123',
]);
$response->assertStatus(201)
->assertJsonPath('status', true)
->assertJsonStructure(['data' => ['user']]);
$this->assertDatabaseHas('users', [
'email' => 'newadmin@example.com',
'role' => 'admin',
]);
}
public function test_admin_register_duplicate_email_returns_422(): void
{
$this->createAdmin(['email' => 'dup-admin@example.com']);
$response = $this->postJson('/api/admin/register', [
'name' => 'Another Admin',
'email' => 'dup-admin@example.com',
'password' => 'password123',
'password_confirmation' => 'password123',
]);
$response->assertStatus(422);
}
// ── admin 登入/登出 ───────────────────────────────────── // ── admin 登入/登出 ─────────────────────────────────────