client->request('GET', '/login');
        $this->assertResponseIsSuccessful();
    }

    // SEC-02: a logged-in user who requests GET /login is redirected (to the SPA) rather than shown the form.
    // NOTE(review): only "some redirect" is asserted; the Location header is not checked, so a
    // redirect to an unintended target would still pass. assertResponseRedirects() accepts the
    // expected location as its first argument — pass the SPA route once it is confirmed.
    public function test_login_page_redirects_when_authenticated(): void
    {
        $this->loginAs($this->createUser('sec02@example.com'));

        $this->client->request('GET', '/login');

        $this->assertResponseRedirects();
    }

    // SEC-03: an anonymous visitor requesting GET /register gets a successful (2xx) response.
    public function test_register_page_renders_for_anonymous(): void
    {
        $this->client->request('GET', '/register');

        $this->assertResponseIsSuccessful();
    }

    // SEC-04: submitting a valid registration form via POST /register ends in a redirect.
    // NOTE(review): the redirect is the only thing asserted — the test does not confirm that the
    // account was persisted, nor that the password was stored hashed rather than as submitted.
    // NOTE(review): the payload carries no CSRF token field; presumably CSRF validation is
    // disabled for this form or in the test environment — confirm it is enforced in production.
    public function test_register_creates_user_and_redirects(): void
    {
        $password = 'securepass123';
        $payload = [
            'registration_form' => [
                'email' => 'newsecuser@example.com',
                'plainPassword' => [
                    'first' => $password,
                    'second' => $password,
                ],
            ],
        ];

        $this->client->request('POST', '/register', $payload);

        $this->assertResponseRedirects();
    }

    // SEC-05: a logged-in user who requests GET /register is redirected away from the form.
    // NOTE(review): the redirect target is not asserted here; see whether the expected
    // location can be passed to assertResponseRedirects() for this route.
    public function test_register_page_redirects_when_authenticated(): void
    {
        $this->loginAs($this->createUser('sec05@example.com'));

        $this->client->request('GET', '/register');

        $this->assertResponseRedirects();
    }

    // SEC-06: invoking logout() directly raises LogicException; on real requests the firewall
    // intercepts the logout route before the controller method is reached.
    public function test_logout_method_throws_logic_exception(): void
    {
        $securityController = new \App\Controller\SecurityController();

        $this->expectException(\LogicException::class);

        $securityController->logout();
    }
}