bitstream/fuel-price
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent sensitive field leaks in /me, add retry logic to Brent price sources
Some checks failed
linter / quality (push) Has been cancelled
Details
tests / ci (8.3) (push) Has been cancelled
Details
tests / ci (8.4) (push) Has been cancelled
Details
tests / ci (8.5) (push) Has been cancelled
Details

Browse Source 
- Made `/api/auth/me` public and return explicit allowlist (name, email,
  two_factor_confirmed_at, tier, subscription fields) instead of spreading
  `$user->toArray()` which leaked is_admin, stripe_id, pm_type, pm_last_four,
  postcode. Returns `null` when unauthenticated rather than 401.
- Moved `/auth/logout` to remain behind auth:sanctum gate.
- Added 3×200ms retry with exponential backoff to EiaBrentPriceSource and
  FredBrentPriceSource on ConnectionException or 5xx responses. Timeout
  raised from 10s to 30s.
- Both sources now throw typed BrentPriceFetchException on exhausted retries
  instead of silently returning null + logging. Updated tests to assert
  exception message includes HTTP status or "connection failed".
This commit is contained in:
Ovidiu U
2026-05-01 13:22:36 +01:00
parent df70e514e9
commit 73de53994f
6 changed files with 145 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
tests/Feature/Api/AuthControllerTest.php
View File

@@ -69,6 +69,41 @@ it('returns the authenticated user on /me', function () {
->assertJsonPath('email', $user->email);
});
it('does not leak sensitive or internal user fields on /me', function () {
$user = User::factory()->create([
'is_admin' => true,
'stripe_id' => 'cus_secret',
'pm_type' => 'visa',
'pm_last_four' => '4242',
'postcode' => 'SW1A 1AA',
]);
$user->subscriptions()->create([
'type' => 'default',
'stripe_id' => 'sub_secret',
'stripe_status' => 'active',
'stripe_price' => 'price_plus_monthly',
'quantity' => 1,
]);
$response = $this->actingAs($user, 'sanctum')
->getJson('/api/auth/me')
->assertOk();
$payload = $response->json();
expect(array_keys($payload))->toEqualCanonicalizing([
'name',
'email',
'two_factor_confirmed_at',
'tier',
'subscription_cancelled',
'subscription_cadence',
'subscribed_at',
'subscription_expires_at',
]);
});
it('reports subscription_cancelled=false for a user with no subscription', function () {
$user = User::factory()->create();
@@ -215,6 +250,12 @@ it('logs out and revokes the token', function () {
expect($user->tokens()->count())->toBe(0);
});
it('returns 401 on protected routes without a token', function () {
$this->getJson('/api/auth/me')->assertUnauthorized();
it('returns null on /me when unauthenticated', function () {
$response = $this->getJson('/api/auth/me')->assertOk();
expect($response->getContent())->toBe('null');
});
it('returns 401 on protected routes without a token', function () {
$this->postJson('/api/auth/logout')->assertUnauthorized();
});

34
tests/Unit/Services/BrentPriceFetcherTest.php
View File

@@ -38,11 +38,24 @@ it('fetches and stores brent prices from EIA', function (): void {
->and(BrentPrice::find('2026-04-02')->price_usd)->toBe('73.80');
});
it('throws when EIA returns a 500', function (): void {
it('throws with HTTP status when EIA returns a 500', function (): void {
Http::fake(['*eia.gov/*' => Http::response([], 500)]);
expect(fn () => $this->fetcher->fetchFromEia())
->toThrow(BrentPriceFetchException::class, 'EIA returned HTTP 500');
});
it('retries EIA on transient 500 and succeeds', function (): void {
Http::fake([
'*eia.gov/*' => Http::sequence()
->push([], 500)
->push(['response' => ['data' => [['period' => '2026-04-01', 'value' => '75.10']]]]),
]);
$this->fetcher->fetchFromEia();
})->throws(BrentPriceFetchException::class);
expect(BrentPrice::count())->toBe(1);
});
it('throws when EIA returns empty data', function (): void {
Http::fake(['*eia.gov/*' => Http::response(['response' => ['data' => []]])]);
@@ -84,11 +97,24 @@ it('fetches and stores brent prices from FRED', function (): void {
expect(BrentPrice::count())->toBe(2);
});
it('throws when FRED fails', function (): void {
it('throws with HTTP status when FRED returns a 500', function (): void {
Http::fake(['*/fred/series/observations*' => Http::response([], 500)]);
expect(fn () => $this->fetcher->fetchFromFred())
->toThrow(BrentPriceFetchException::class, 'FRED returned HTTP 500');
});
it('retries FRED on transient 500 and succeeds', function (): void {
Http::fake([
'*/fred/series/observations*' => Http::sequence()
->push([], 500)
->push(['observations' => [['date' => '2026-04-01', 'value' => '75.10']]]),
]);
$this->fetcher->fetchFromFred();
})->throws(BrentPriceFetchException::class);
expect(BrentPrice::count())->toBe(1);
});
it('filters out FRED missing value markers', function (): void {
Http::fake([