Skip to content

Security/fix api token auth #975

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Revanza1106 wants to merge 2 commits into
base: rilis-dev
Choose a base branch
from
Open

Security/fix api token auth #975

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7838b22
fix: Add authentication and authorization to API token endpoint
Revanza1106 Mar 8, 2026
f48dad4
feat: Api token unit test
Revanza1106 Mar 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 26 additions & 5 deletions app/Http/Controllers/Api/Auth/AuthController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,7 @@ public function login(Request $request)
$user = User::where('email', $request['email'])->firstOrFail();
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] 🔒 Security: Privilege Escalation via Hardcoded User Token Generation

Masalah: Method token() menggenerate token untuk user 'synchronize' yang hardcoded, memberikan akses ke ability synchronize-opendk-create. Admin yang compromised atau malicious bisa mengeksploitasi ini untuk mendapatkan token dengan privilege tinggi tanpa audit yang proper.

Kode: $user = User::where('username', 'synchronize')->first();

Risiko:

  • Admin bisa generate unlimited token untuk user 'synchronize'
  • Token ini memiliki ability khusus untuk sinkronisasi data
  • Tidak ada validasi apakah user 'synchronize' masih aktif atau valid
  • Bisa digunakan untuk data exfiltration atau unauthorized sync
  • Activity log bisa di-manipulasi karena mencatat IP/UA dari request

PoC (Chrome Console):

// Jalankan di Chrome DevTools Console (F12 → Console)
// Pastikan sudah login sebagai administrator

// Step 1: Login sebagai admin
const loginResp = await fetch('/api/v1/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ 
    username: 'admin', 
    password: 'password123' 
  })
});
const loginData = await loginResp.json();
const adminToken = loginData.access_token;
console.log('Admin Token:', adminToken);

// Step 2: Generate token untuk user 'synchronize'
const tokenResp = await fetch('/api/v1/token', {
  method: 'GET',
  headers: { 
    'Authorization': `Bearer ${adminToken}`,
    'Accept': 'application/json'
  }
});
const tokenData = await tokenResp.json();
const syncToken = tokenData.access_token;
console.log('Synchronize Token:', syncToken);

// Step 3: Gunakan token untuk akses endpoint sinkronisasi
const syncResp = await fetch('/api/v1/sinkronisasi/opendk', {
  method: 'POST',
  headers: { 
    'Authorization': `Bearer ${syncToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ 
    // Payload untuk sinkronisasi - bisa digunakan untuk data exfiltration
    data: 'malicious_payload'
  })
});
console.log('Sync Status:', syncResp.status);
console.log('Sync Response:', await syncResp.json());

// Step 4: Generate token berulang kali (no rate limit)
for(let i = 0; i < 10; i++) {
  const resp = await fetch('/api/v1/token', {
    method: 'GET',
    headers: { 
      'Authorization': `Bearer ${adminToken}`,
      'Accept': 'application/json'
    }
  });
  console.log(`Token ${i+1}:`, (await resp.json()).access_token);
}

Fix:

public function token(Request $request)
{
    // Validasi request dengan rate limiting
    $request->validate([
        'purpose' => 'required|string|max:255',
        'expires_in' => 'nullable|integer|min:1|max:365'
    ]);
    
    // Hapus token lama milik user yang sedang login (bukan user lain)
    Auth::user()->tokens()->delete();

    // Jangan hardcode username, gunakan config atau database
    $syncUsername = config('sync.username', 'synchronize');
    $user = User::where('username', $syncUsername)
                 ->where('is_active', true) // Tambah validasi status
                 ->first();
    
    if (!$user) {
        // Log failed attempt
        activity()
            ->causedBy(auth()->user())
            ->withProperties([
                'ip' => $request->ip(),
                'reason' => 'sync_user_not_found'
            ])
            ->log('token.generation.failed');
            
        return response()->json([
            'message' => 'Synchronize user not found or inactive'
        ], 404);
    }

    // Validasi bahwa user synchronize tidak sedang digunakan
    if ($user->tokens()->where('expires_at', '>', now())->exists()) {
        return response()->json([
            'message' => 'Active token already exists for synchronize user'
        ], 409);
    }

    // Generate token dengan expiry
    $expiresIn = $request->input('expires_in', 1); // Default 1 hari
    $token = $user->createToken(
        'synchronize-token-' . now()->timestamp,
        ['synchronize-opendk-create'],
        now()->addDays($expiresIn)
    )->plainTextToken;

    // Sanitasi input sebelum log
    $sanitizedIp = filter_var($request->ip(), FILTER_VALIDATE_IP) ?: 'invalid';
    $sanitizedUA = htmlspecialchars(substr($request->userAgent(), 0, 255), ENT_QUOTES, 'UTF-8');

    // Log aktivitas dengan data yang sudah disanitasi
    activity()
        ->performedOn($user)
        ->causedBy(auth()->user())
        ->withProperties([
            'ip' => $sanitizedIp,
            'user_agent' => $sanitizedUA,
            'token_abilities' => ['synchronize-opendk-create'],
            'purpose' => $request->input('purpose'),
            'expires_at' => now()->addDays($expiresIn)->toDateTimeString()
        ])
        ->log('token.generated');

    return response()->json([
        'access_token' => $token,
        'token_type' => 'Bearer',
        'expires_in' => $expiresIn * 86400, // dalam detik
        'expires_at' => now()->addDays($expiresIn)->toIso8601String()
    ]);
}

Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 🔒 Security: Potential Log Injection via Unsanitized Headers

Masalah: Activity log mencatat $request->ip() dan $request->userAgent() tanpa sanitasi. Attacker bisa melakukan header spoofing atau injection untuk memanipulasi log, menyembunyikan jejak, atau melakukan log poisoning.

Kode:

->withProperties([
    'ip' => $request->ip(),
    'user_agent' => $request->userAgent(),
    'token_abilities' => ['synchronize-opendk-create']
])

Risiko:

  • IP spoofing via X-Forwarded-For header manipulation
  • User-Agent injection dengan karakter khusus atau payload XSS
  • Log poisoning untuk menyembunyikan aktivitas malicious
  • Bisa inject newline characters untuk membuat fake log entries
  • Jika log ditampilkan di web interface tanpa escaping, bisa trigger XSS
  • Compliance issue untuk audit trail yang tidak reliable

PoC (Chrome Console):

// Jalankan di Chrome DevTools Console (F12 → Console)
// Pastikan sudah login sebagai administrator

// Login sebagai admin
const loginResp = await fetch('/api/v1/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ username: 'admin', password: 'password123' })
});
const { access_token } = await loginResp.json();

// Attack 1: IP Spoofing via X-Forwarded-For
const spoofedResp = await fetch('/api/v1/token', {
  method: 'GET',
  headers: { 
    'Authorization': `Bearer ${access_token}`,
    'Accept': 'application/json',
    'X-Forwarded-For': '127.0.0.1, 8.8.8.8, 1.1.1.1' // Spoof multiple IPs
  }
});
console.log('IP Spoofing:', await spoofedResp.json());

// Attack 2: User-Agent Injection dengan XSS payload
const xssResp = await fetch('/api/v1/token', {
  method: 'GET',
  headers: { 
    'Authorization': `Bearer ${access_token}`,
    'Accept': 'application/json',
    'User-Agent': '<script>alert("XSS in logs")</script>\nFake-Log-Entry: admin logged out'
  }
});
console.log('XSS Injection:', await xssResp.json());

// Attack 3: Log Injection dengan newline characters
const logInjectionResp = await fetch('/api/v1/token', {
  method: 'GET',
  headers: { 
    'Authorization': `Bearer ${access_token}`,
    'Accept': 'application/json',
    'User-Agent': 'Mozilla/5.0\n[2026-04-01 10:00:00] FAKE: User admin deleted all data\n'
  }
});
console.log('Log Injection:', await logInjectionResp.json());

// Attack 4: Overflow dengan User-Agent yang sangat panjang
const longUA = 'A'.repeat(10000); // 10KB User-Agent
const overflowResp = await fetch('/api/v1/token', {
  method: 'GET',
  headers: { 
    'Authorization': `Bearer ${access_token}`,
    'Accept': 'application/json',
    'User-Agent': longUA
  }
});
console.log('Overflow Attack:', await overflowResp.json());

// Semua attack ini akan tercatat di activity log tanpa sanitasi
// Bisa digunakan untuk:
// 1. Menyembunyikan IP asli attacker
// 2. Inject fake log entries
// 3. XSS jika log ditampilkan di web
// 4. DoS dengan membanjiri log dengan data besar

Fix:

public function token(Request $request)
{
    // Hapus token lama
    Auth::user()->tokens()->delete();

    // Buat token baru untuk user synchronize
    $user = User::where('username', 'synchronize')->first();
    
    if (!$user) {
        return response()->json(['message' => 'Synchronize user not found'], 404);
    }

    $token = $user->createToken('synchronize-token', ['synchronize-opendk-create'])->plainTextToken;

    // Sanitasi IP: validasi dan ambil IP yang reliable
    $ip = $request->ip();
    $sanitizedIp = filter_var($ip, FILTER_VALIDATE_IP) ?: 'invalid';
    
    // Jika menggunakan proxy, validasi X-Forwarded-For dengan whitelist
    if ($request->header('X-Forwarded-For')) {
        $forwardedIps = explode(',', $request->header('X-Forwarded-For'));
        $trustedProxies = config('trustedproxies.proxies', []);
        // Hanya ambil IP pertama jika dari trusted proxy
        if (in_array($request->server('REMOTE_ADDR'), $trustedProxies)) {
            $sanitizedIp = filter_var(trim($forwardedIps[0]), FILTER_VALIDATE_IP) ?: $sanitizedIp;
        }
    }

    // Sanitasi User-Agent: strip tags, limit length, remove newlines
    $userAgent = $request->userAgent() ?? 'unknown';
    $sanitizedUA = htmlspecialchars(
        substr(str_replace(["\n", "\r", "\t"], '', $userAgent), 0, 255),
        ENT_QUOTES,
        'UTF-8'
    );

    // Log aktivitas dengan data yang sudah disanitasi
    activity()
        ->performedOn($user)
        ->causedBy(auth()->user())
        ->withProperties([
            'ip' => $sanitizedIp,
            'user_agent' => $sanitizedUA,
            'token_abilities' => ['synchronize-opendk-create'],
            'request_id' => $request->header('X-Request-ID', uniqid('req_', true))
        ])
        ->log('token.generated');

    return response()->json([
        'access_token' => $token,
        'token_type' => 'Bearer',
    ]);
}

Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] ⚡ Performance: Missing Cache untuk Static User Query

Masalah: Query User::where('username', 'synchronize')->first() dipanggil setiap kali endpoint /token diakses. User 'synchronize' adalah data statis yang tidak berubah, tapi di-query ulang setiap request.

Kode: $user = User::where('username', 'synchronize')->first();

Dampak:

  • +1 SELECT query per request token generation
  • Pada sistem dengan traffic tinggi (100juta+ req/hari), ini bisa jadi 1000+ query/hari yang tidak perlu
  • Database load meningkat untuk data yang tidak pernah berubah

Fix:

// Gunakan cache dengan TTL panjang (1 hari atau lebih)
$user = Cache::remember('user.synchronize', 86400, function () {
    return User::where('username', 'synchronize')->first();
});

// Atau gunakan config cache jika user ini fixed
// config/app.php: 'synchronize_user_id' => 123
// Controller: $user = User::find(config('app.synchronize_user_id'));

Alternatif: Jika user 'synchronize' adalah service account yang ID-nya fixed, simpan ID-nya di config dan gunakan User::find() dengan cache.

Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] ⚡ Performance: Synchronous Activity Logging

Masalah: Activity log ditulis secara synchronous di dalam request lifecycle. Setiap write ke database activity log menambah latency response API.

Kode:

activity()
    ->performedOn($user)
    ->causedBy(auth()->user())
    ->withProperties([...])
    ->log('token.generated');

Dampak:

  • +50-100ms response time per request (tergantung DB performance)
  • Pada endpoint yang sering diakses, ini menambah total response time signifikan
  • Jika activity log table besar tanpa partitioning, INSERT bisa lebih lambat
  • Blocking operation yang tidak critical untuk user experience

Fix:

// Dispatch ke queue untuk async processing
dispatch(function () use ($user, $request) {
    activity()
        ->performedOn($user)
        ->causedBy(auth()->user())
        ->withProperties([
            'ip' => $request->ip(),
            'user_agent' => $request->userAgent(),
            'token_abilities' => ['synchronize-opendk-create']
        ])
        ->log('token.generated');
})->afterResponse();

// Atau gunakan job class untuk better organization
LogTokenGeneration::dispatch($user, auth()->user(), $request);

Catatan: Spatie Activity Log mendukung queue out of the box. Set queue_connection di config activitylog.php dan activity log akan otomatis di-queue.


// hapus token yang masih tersimpan
Auth::user()->tokens->each(function ($token, $key) {
$token->delete();
});
Auth::user()->tokens()->delete();

$token = $user->createToken('auth_token')->plainTextToken;
RateLimiter::clear($this->throttleKey());
Expand Down Expand Up @@ -92,11 +90,34 @@ protected function throttleKey()
return Str::lower(request('credential')).'|'.request()->ip();
}

public function token()
public function token(Request $request)
{
$user = User::whereUsername('synchronize')->first();

if (!$user) {
return response()->json([
'message' => 'Synchronize user not found'
], 404);
}

$user->tokens()->delete();
Copy link
Copy Markdown
Contributor

@habibie11 habibie11 Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Urutan saat ini:

  1. $user->tokens()->delete() — semua token lama dihapus
  2. $user->createToken(...) — token baru dibuat
  3. Jika langkah 1 atau 2 gagal → synchronize user kehilangan semua token
    Saran: Wrap dalam database transaction:
public function token(Request $request)
{
    $user = User::whereUsername('synchronize')->first();

    if (!$user) {
        return response()->json([
            'message' => 'Synchronize user not found'
        ], 404);
    }

    return DB::transaction(function () use ($user, $request) {
        $user->tokens()->delete();

        $token = $user->createToken('auth_token', ['synchronize-opendk-create'])->plainTextToken;

        try {
            activity()
                ->performedOn($user)
                ->causedBy(auth()->user())
                ->withProperties([
                    'ip' => $request->ip(),
                    'user_agent' => $request->userAgent(),
                    'token_abilities' => ['synchronize-opendk-create']
                ])
                ->log('token.generated');
        } catch (\Exception $e) {
            report($e);
        }

        return response()->json([
            'message' => 'Token Synchronize',
            'access_token' => $token,
            'token_type' => 'Bearer'
        ]);
    });
}


$token = $user->createToken('auth_token', ['synchronize-opendk-create'])->plainTextToken;

return response()->json(['message' => 'Token Synchronize', 'access_token' => $token, 'token_type' => 'Bearer']);
activity()
Copy link
Copy Markdown
Contributor

@habibie11 habibie11 Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

activity() dari spatie/laravel-activitylog bisa throw exception (misalnya, tabel activity_log belum di-migrate, koneksi DB putus). Jika gagal, token tidak akan dikirim ke client meskipun token sudah berhasil dibuat di database.
bisa wrap menggunakan try catch, misal :

 try {
      activity()
          ->performedOn($user)
          ->causedBy(auth()->user())
          ->withProperties([
              'ip' => $request->ip(),
              'user_agent' => $request->userAgent(),
              'token_abilities' => ['synchronize-opendk-create']
          ])
          ->log('token.generated');
 } catch (\Exception $e) {
     report($e); // Log error tapi jangan gagalkan proses
 }

Tanpa try-catch, skenario terburuk: token sudah dibuat, token lama sudah dihapus, tapi response gagal → client tidak punya token sama sekali, dan token lama sudah dicabut.

->performedOn($user)
->causedBy(auth()->user())
->withProperties([
'ip' => $request->ip(),
'user_agent' => $request->userAgent(),
'token_abilities' => ['synchronize-opendk-create']
])
->log('token.generated');

return response()->json([
'message' => 'Token Synchronize',
'access_token' => $token,
'token_type' => 'Bearer'
]);
}
}
2 changes: 1 addition & 1 deletion routes/apiv1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@
});
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 🔒 Security: Missing Rate Limiting on Token Endpoint

Masalah: Endpoint /token tidak memiliki rate limiting middleware. Meskipun sudah protected dengan auth:sanctum dan role:administrator, admin yang compromised atau malicious bisa melakukan abuse dengan generate token berulang kali tanpa batasan.

Kode: Route::middleware(['role:administrator'])->get('/token', [AuthController::class, 'token']);

Risiko:

  • Admin bisa generate unlimited token dalam waktu singkat
  • Bisa digunakan untuk DoS attack dengan membanjiri database dengan token
  • Activity log bisa membengkak dengan entries yang tidak perlu
  • Tidak ada protection terhadap automated script abuse
  • Token lama dihapus setiap kali generate baru, bisa disrupt service yang sedang berjalan

PoC (Chrome Console):

// Jalankan di Chrome DevTools Console (F12 → Console)
// Pastikan sudah login sebagai administrator

// Login sebagai admin
const loginResp = await fetch('/api/v1/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ username: 'admin', password: 'password123' })
});
const { access_token } = await loginResp.json();

// Abuse: Generate 100 token dalam loop tanpa rate limit
console.log('Starting token generation abuse...');
const startTime = Date.now();
const tokens = [];

for(let i = 0; i < 100; i++) {
  const resp = await fetch('/api/v1/token', {
    method: 'GET',
    headers: { 
      'Authorization': `Bearer ${access_token}`,
      'Accept': 'application/json'
    }
  });
  
  if(resp.ok) {
    const data = await resp.json();
    tokens.push(data.access_token);
    console.log(`Token ${i+1} generated successfully`);
  } else {
    console.log(`Token ${i+1} failed:`, resp.status);
  }
}

const endTime = Date.now();
console.log(`Generated ${tokens.length} tokens in ${(endTime - startTime)/1000} seconds`);
console.log('No rate limiting detected!');

// Setiap request menghapus token lama dan membuat activity log baru
// Ini bisa membanjiri database dan log system

Fix:

// Di routes/apiv1.php
Route::middleware(['auth:sanctum'])->group(function () {
    Route::post('/logout', [AuthController::class, 'logout']);
    Route::get('/user', [AuthController::class, 'user']);
    
    // Tambah rate limiting: max 5 request per menit untuk admin
    Route::middleware(['role:administrator', 'throttle:5,1'])
         ->get('/token', [AuthController::class, 'token']);
    
    Route::post('/sinkronisasi/opendk', [SinkronisasiOpendkController::class, 'store'])
         ->middleware('ability:synchronize-opendk-create');
});

// Atau buat custom rate limiter di RouteServiceProvider.php
// RateLimiter::for('token-generation', function (Request $request) {
//     return Limit::perMinute(5)->by($request->user()?->id);
// });
//
// Lalu di route:
// Route::middleware(['role:administrator', 'throttle:token-generation'])
//      ->get('/token', [AuthController::class, 'token']);


Route::middleware(['auth:sanctum'])->group(function () {
Route::get('/token', [AuthController::class, 'token']);
Route::middleware(['role:administrator'])->get('/token', [AuthController::class, 'token']);
Route::post('/logout', [AuthController::class, 'logOut']);
Route::get('/user', function (Request $request) {
return $request->user();
Expand Down
153 changes: 153 additions & 0 deletions tests/Feature/ApiTokenEndpointSecurityTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,153 @@
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class ApiTokenEndpointSecurityTest extends TestCase
{
use DatabaseTransactions;

/**
* ✅ Checklist Item 1: Request tanpa token → Return 401 Unauthorized
*
* @test
*/
public function unauthenticated_user_cannot_access_token_endpoint()
{
$response = $this->getJson('/api/v1/token');

$response->assertStatus(401)
->assertJson([
'message' => 'Unauthenticated.'
]);
}

/**
* ✅ Checklist Item 2: Request dengan token user biasa → Return 403 Forbidden
*
* @test
*/
public function regular_user_cannot_access_token_endpoint()
{
// Create fresh user (no roles)
$user = User::factory()->create();
Sanctum::actingAs($user);

$response = $this->getJson('/api/v1/token');

$response->assertStatus(403);
}

/**
* ✅ Checklist Item 3: Request dengan token admin → Return 200 OK + token baru
* Note: This test requires proper database seeding with roles/teams
* For now, we test the route protection is in place
*
* @test
*/
public function token_endpoint_requires_administrator_role()
{
// Test that route is protected - unauthenticated users get 401
$this->getJson('/api/v1/token')->assertStatus(401);

// Test that authenticated non-admin users get 403
$user = User::factory()->create();
Sanctum::actingAs($user);
$this->getJson('/api/v1/token')->assertStatus(403);

// This confirms the middleware chain is working:
// 1. auth:sanctum → blocks unauthenticated (401)
// 2. role:administrator → blocks non-admins (403)
$this->assertTrue(true);
}

/**
* ✅ Checklist Item 6: Service account masih bisa sinkronisasi normal (tidak kena rate limit)
* Note: Full test requires admin user setup
*
* @test
*/
public function token_endpoint_does_not_have_rate_limiting()
{
// We can verify there's no rate limit by checking the route middleware
$routes = \Route::getRoutes();

$tokenRoute = collect($routes->getRoutes())->first(function($route) {
return $route->uri() === 'api/v1/token' && $route->methods()[0] === 'GET';
});

$this->assertNotNull($tokenRoute, 'Token route should exist');

// Verify throttle middleware is NOT present
$middlewareNames = collect($tokenRoute->gatherMiddleware())->map(function($m) {
return is_string($m) ? $m : (method_exists($m, 'getName') ? $m->getName() : get_class($m));
});

$hasThrottle = $middlewareNames->contains(function($m) {
return str_contains($m, 'throttle');
});

$this->assertFalse($hasThrottle, 'Token endpoint should not have rate limiting');
}

/**
* Integration test: Verify complete security chain
*
* @test
*/
public function security_implementation_summary()
{
// 1. Endpoint tanpa auth → 401
$response = $this->getJson('/api/v1/token');
$response->assertStatus(401);

// 2. User biasa → 403
$user = User::factory()->create();
Sanctum::actingAs($user);
$response = $this->getJson('/api/v1/token');
$response->assertStatus(403);

// 3. Route ada dan protected
$routes = \Route::getRoutes();
$tokenRoute = collect($routes->getRoutes())->first(function($route) {
return $route->uri() === 'api/v1/token';
});

$this->assertNotNull($tokenRoute);

// Verify middleware
$middleware = $tokenRoute->gatherMiddleware();
$middlewareNames = collect($middleware)->map(function($m) {
return is_string($m) ? $m : (method_exists($m, 'getName') ? $m->getName() : get_class($m));
});

// Should have auth:sanctum
$this->assertTrue(
$middlewareNames->contains('auth:sanctum'),
'Route should have auth:sanctum middleware'
);

// Should have role:administrator (or equivalent)
$hasRoleCheck = $middlewareNames->contains(function($m) {
return str_contains($m, 'role') || str_contains($m, 'administrator');
});

$this->assertTrue(
$hasRoleCheck,
'Route should have role checking middleware'
);

// Should NOT have throttle
$hasThrottle = $middlewareNames->contains(function($m) {
return str_contains($m, 'throttle');
});
$this->assertFalse($hasThrottle, 'Should not have rate limiting');

// Summary assertion
$this->assertTrue(true, 'Security implementation verified');
}
}