assertEquals(32, strlen($token1)); // 16 bytes = 32 hex chars $this->assertEquals(32, strlen($token2)); // Test uniqueness $this->assertNotEquals($token1, $token2); // Test valid hex characters $this->assertMatchesRegularExpression('/^[a-f0-9]+$/', $token1); $this->assertMatchesRegularExpression('/^[a-f0-9]+$/', $token2); } public function testGenerateSecureUserId() { $userId1 = Security::generateSecureUserId(); $userId2 = Security::generateSecureUserId(); // Test format (32 char hex) $this->assertEquals(32, strlen($userId1)); $this->assertEquals(32, strlen($userId2)); // Test uniqueness $this->assertNotEquals($userId1, $userId2); // Test valid characters $this->assertMatchesRegularExpression('/^[a-f0-9]+$/', $userId1); $this->assertMatchesRegularExpression('/^[a-f0-9]+$/', $userId2); } public function testGetClientIP() { // Test with default server vars $ip = Security::getClientIP(); $this->assertEquals('127.0.0.1', $ip); // Test with forwarded headers $_SERVER['HTTP_X_FORWARDED_FOR'] = '192.168.1.100, 10.0.0.1'; $ip = Security::getClientIP(); $this->assertEquals('192.168.1.100', $ip); // Test with real IP header $_SERVER['HTTP_X_REAL_IP'] = '203.0.113.1'; unset($_SERVER['HTTP_X_FORWARDED_FOR']); $ip = Security::getClientIP(); $this->assertEquals('203.0.113.1', $ip); } public function testSanitizeInput() { // Test string sanitization $input = 'Hello World'; $result = Security::sanitizeInput($input, 'string'); $this->assertEquals('alert("xss")Hello World', $result); // Test email sanitization $email = 'test@example.com'; $result = Security::sanitizeInput($email, 'email'); $this->assertEquals('test@example.com', $result); // Test URL sanitization $url = 'http://example.com/path'; $result = Security::sanitizeInput($url, 'url'); $this->assertEquals('http://example.com/path', $result); // Scripts should be stripped } public function testValidateCSRFToken() { // Generate a token $token = Security::generateCSRFToken(); $_SESSION['csrf_token'] = $token; // Test valid token $this->assertTrue(Security::validateCSRFToken($token)); // Test invalid token $this->assertFalse(Security::validateCSRFToken('invalid_token')); // Test missing token $this->assertFalse(Security::validateCSRFToken('')); } public function testCheckRateLimit() { $ip = '192.168.1.100'; // First request should succeed $result1 = Security::checkRateLimit($ip, 'test_action', 3, 60); $this->assertTrue($result1); // Second request should succeed $result2 = Security::checkRateLimit($ip, 'test_action', 3, 60); $this->assertTrue($result2); // Third request should succeed $result3 = Security::checkRateLimit($ip, 'test_action', 3, 60); $this->assertTrue($result3); // Fourth request should fail (over limit) $result4 = Security::checkRateLimit($ip, 'test_action', 3, 60); $this->assertFalse($result4); } public function testIsValidStreamUrl() { // Valid URLs $this->assertTrue(Security::isValidStreamUrl('http://127.0.0.1:8080/stream')); $this->assertTrue(Security::isValidStreamUrl('https://127.0.0.1:8080/stream')); $this->assertTrue(Security::isValidStreamUrl('http://localhost:8080/stream')); // Invalid URLs $this->assertFalse(Security::isValidStreamUrl('http://evil.com/stream')); $this->assertFalse(Security::isValidStreamUrl('http://192.168.1.1/stream')); $this->assertFalse(Security::isValidStreamUrl('javascript:alert(1)')); $this->assertFalse(Security::isValidStreamUrl('')); } public function testAdminAuthentication() { // Test without any auth setup $this->assertFalse(Security::isAdminAuthenticated()); // Set up session auth $_SESSION['admin_authenticated'] = true; $_SESSION['admin_login_time'] = time(); $this->assertTrue(Security::isAdminAuthenticated()); } public function testAuthenticateAdmin() { // This would need proper config setup for real testing // For now, test that the method exists and handles failures $result = Security::authenticateAdmin('invalid_user', 'invalid_pass'); $this->assertFalse($result); } public function testDetectSuspiciousActivity() { // Test with normal request $warnings = Security::detectSuspiciousActivity(); $this->assertIsArray($warnings); // Test with suspicious user agent $_SERVER['HTTP_USER_AGENT'] = 'sqlmap'; $warnings = Security::detectSuspiciousActivity(); $this->assertContains('Suspicious user agent detected', $warnings); // Reset $_SERVER['HTTP_USER_AGENT'] = 'PHPUnit/Test'; } public function testLogSecurityEvent() { // Start output buffering to capture logs ob_start(); // Generate a security event Security::logSecurityEvent('test_event', ['test_data' => 'value']); // The actual logging happens in ErrorHandler, so we test that no exceptions are thrown $this->assertTrue(true); ob_end_clean(); } }