Closed
Labels
area/backend, area/testing, documentation (Improvements or additions to documentation), type/sub-issue
Description
📦 Sub-Issue of Epic #208
Part of: SecPal/frontend#208 (httpOnly Cookie Authentication Migration)
Priority: High
Area: Backend, Testing, Documentation
Repository: api
Goal
Add comprehensive tests for httpOnly cookie authentication flow and update API documentation to reflect the new authentication mechanism.
Acceptance Criteria
- Integration tests for login with httpOnly cookies
- Integration tests for CSRF protection
- Integration tests for logout flow
- Integration tests for authenticated requests with cookies
- Tests verify cookies are httpOnly
- Tests verify cookies have correct sameSite attribute
- API documentation updated (OpenAPI spec in contracts repo)
- Migration guide for developers documented
- Code coverage ≥80% for new code
- PHPStan passes
- Pint passes
- All tests pass
Implementation Details
New test files:
- tests/Feature/Auth/SanctumCookieAuthTest.php
- tests/Feature/Auth/CsrfProtectionTest.php
Test scenarios:
- Login returns httpOnly cookie
- Authenticated request with cookie succeeds
- Request without cookie fails (401)
- CSRF token validation works
- Request without CSRF token fails (419)
- Logout clears cookies
- Cookie attributes correct (httpOnly, secure, sameSite)
Documentation updates:
- Update docs/api/authentication.md
- Add migration guide in CHANGELOG.md
- Update README.md with new auth flow
Dependencies
- Depends on: Backend PR-1, Backend PR-2 (implementation must be complete)
- Blocks: None (final backend step)
Testing
ddev exec php artisan test --filter=Auth
ddev exec php artisan test --coverage
ddev exec vendor/bin/phpstan analyze
ddev exec vendor/bin/pint --test --dirty
References
Status
✅ Done
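The cookie-attribute and logout scenarios listed above can be checked directly against raw Set-Cookie header values. The following is an added example, not code from this issue or the SecPal repositories; the function names, the cookie name `app_session` and the sample headers are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Split one Set-Cookie header value into name, value and lower-cased attributes. */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', (string) array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $val] = array_pad(explode('=', $part, 2), 2, true); // bare flag => true
        $attrs[strtolower(trim($key))] = is_string($val) ? trim($val) : true;
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

/** List attribute problems for an auth cookie; an empty list means it passes. */
function cookieAttributeProblems(array $cookie, array $allowedSameSite = ['lax', 'strict']): array
{
    $a = $cookie['attrs'];
    $problems = [];
    if (!isset($a['httponly'])) { $problems[] = 'missing HttpOnly'; }
    if (!isset($a['secure'])) { $problems[] = 'missing Secure'; }
    $sameSite = strtolower((string) ($a['samesite'] ?? ''));
    if (!in_array($sameSite, $allowedSameSite, true)) { $problems[] = "SameSite is '{$sameSite}'"; }
    return $problems;
}

/** True when the header expires the cookie: Max-Age <= 0 or Expires in the past. */
function isCleared(array $cookie, int $now): bool
{
    $a = $cookie['attrs'];
    if (isset($a['max-age']) && (int) $a['max-age'] <= 0) { return true; }
    $t = is_string($a['expires'] ?? null) ? strtotime($a['expires']) : false;
    return $t !== false && $t < $now;
}

$now = strtotime('2025-01-01 00:00:00 UTC');
$headers = [ // constructed sample Set-Cookie values
    'login'      => 'app_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    'login-weak' => 'app_session=abc123; Path=/',
    'logout'     => 'app_session=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
];
foreach ($headers as $label => $header) {
    $c = parseSetCookie($header);
    printf("%-10s problems=[%s] cleared=%s\n", $label, implode(', ', cookieAttributeProblems($c)), isCleared($c, $now) ? 'yes' : 'no');
}
```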