coolify/tests/Feature/SecureCookieAutoDetectionTest.php

<?php

use App\Models\InstanceSettings;
use Illuminate\Support\Facades\Cache;

uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);

beforeEach(function () {
    Cache::forget('instance_settings_fqdn_host');
    InstanceSettings::updateOrCreate(['id' => 0], ['fqdn' => null]);
    // Ensure session.secure starts unconfigured for each test
    config(['session.secure' => null]);
});

it('sets session.secure to true when request arrives over HTTPS via proxy', function () {
    $this->get('/login', [
        'X-Forwarded-Proto' => 'https',
        'X-Forwarded-For' => '1.2.3.4',
    ]);

    expect(config('session.secure'))->toBeTrue();
});

it('does not set session.secure for plain HTTP requests', function () {
    $this->get('/login');

    expect(config('session.secure'))->toBeNull();
});

it('does not override explicit SESSION_SECURE_COOKIE=false for HTTPS requests', function () {
    config(['session.secure' => false]);

    $this->get('/login', [
        'X-Forwarded-Proto' => 'https',
        'X-Forwarded-For' => '1.2.3.4',
    ]);

    // Explicit false must not be overridden — our check is `=== null` only
    expect(config('session.secure'))->toBeFalse();
});

it('does not override explicit SESSION_SECURE_COOKIE=true', function () {
    config(['session.secure' => true]);

    $this->get('/login');

    expect(config('session.secure'))->toBeTrue();
});

it('marks session cookie with Secure flag when accessed over HTTPS proxy', function () {
    $response = $this->get('/login', [
        'X-Forwarded-Proto' => 'https',
        'X-Forwarded-For' => '1.2.3.4',
    ]);

    $response->assertSuccessful();

    $cookieName = config('session.cookie');
    $sessionCookie = collect($response->headers->all('set-cookie'))
        ->first(fn ($c) => str_contains($c, $cookieName));

    expect($sessionCookie)->not->toBeNull()
        ->and(strtolower($sessionCookie))->toContain('; secure');
});
fix(subscription): harden quantity updates and proxy trust behavior Centralize min/max server limits in Stripe quantity updates and wire them into Livewire subscription actions with price preview/update handling. Also improve host/proxy middleware behavior by trusting loopback hosts when FQDN is set and auto-enabling secure session cookies for HTTPS requests behind proxies when session.secure is unset. Includes feature tests for loopback trust and secure cookie auto-detection. 2026-03-03 11:28:16 +00:00			`<?php`

			`use App\Models\InstanceSettings;`
			`use Illuminate\Support\Facades\Cache;`

			`uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);`

			`beforeEach(function () {`
			`Cache::forget('instance_settings_fqdn_host');`
			`InstanceSettings::updateOrCreate(['id' => 0], ['fqdn' => null]);`
			`// Ensure session.secure starts unconfigured for each test`
			`config(['session.secure' => null]);`
			`});`

			`it('sets session.secure to true when request arrives over HTTPS via proxy', function () {`
			`$this->get('/login', [`
			`'X-Forwarded-Proto' => 'https',`
			`'X-Forwarded-For' => '1.2.3.4',`
			`]);`

			`expect(config('session.secure'))->toBeTrue();`
			`});`

			`it('does not set session.secure for plain HTTP requests', function () {`
			`$this->get('/login');`

			`expect(config('session.secure'))->toBeNull();`
			`});`

			`it('does not override explicit SESSION_SECURE_COOKIE=false for HTTPS requests', function () {`
			`config(['session.secure' => false]);`

			`$this->get('/login', [`
			`'X-Forwarded-Proto' => 'https',`
			`'X-Forwarded-For' => '1.2.3.4',`
			`]);`

			// Explicit false must not be overridden — our check is `=== null` only
			`expect(config('session.secure'))->toBeFalse();`
			`});`

			`it('does not override explicit SESSION_SECURE_COOKIE=true', function () {`
			`config(['session.secure' => true]);`

			`$this->get('/login');`

			`expect(config('session.secure'))->toBeTrue();`
			`});`

			`it('marks session cookie with Secure flag when accessed over HTTPS proxy', function () {`
			`$response = $this->get('/login', [`
			`'X-Forwarded-Proto' => 'https',`
			`'X-Forwarded-For' => '1.2.3.4',`
			`]);`

			`$response->assertSuccessful();`

			`$cookieName = config('session.cookie');`
			`$sessionCookie = collect($response->headers->all('set-cookie'))`
			`->first(fn ($c) => str_contains($c, $cookieName));`

			`expect($sessionCookie)->not->toBeNull()`
			`->and(strtolower($sessionCookie))->toContain('; secure');`
			`});`