test: add CSP nonce handling tests and refactor BrowserLogger attributes handling

Co-authored-by: Joost de Bruijn <[email protected]>
Signed-off-by: Pushpak Chhajed <[email protected]>

Author: pushpak1300

src/Services/BrowserLogger.php

@@ -6,6 +6,7 @@
 
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\Vite;
+use Illuminate\View\ComponentAttributeBag;
 
 class BrowserLogger
 {
@@ -15,18 +16,16 @@ public static function getScript(): string
             ? route('boost.browser-logs')
             : '/_boost/browser-logs';
 
-        $attributes = ['id' => 'browser-logger-active'];
+        $attributes = new ComponentAttributeBag([
+            'id' => 'browser-logger-active',
+        ]);
 
         if ($nonce = Vite::cspNonce()) {
-            $attributes['nonce'] = $nonce;
+            $attributes = $attributes->merge(['nonce' => $nonce]);
         }
 
-        $scriptAttributes = collect($attributes)
-            ->map(fn ($value, $key) => sprintf('%s="%s"', $key, $value))
-            ->implode(' ');
-
         return <<<HTML
-<script {$scriptAttributes}>
+<script {$attributes->toHtml()}>
 (function() {
     const ENDPOINT = '{$endpoint}';
     const logQueue = [];

tests/Feature/Middleware/InjectBoostTest.php

@@ -5,6 +5,7 @@
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Route;
+use Illuminate\Support\Facades\Vite;
 use Laravel\Boost\Middleware\InjectBoost;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -89,3 +90,30 @@ function createMiddlewareResponse($response): SymfonyResponse
     'with head and body tags' => '<html><head><title>Test</title></head><body></body></html>',
     'without head/body tags' => '<html>Test</html>',
 ]);
+
+it('handles CSP nonce attribute correctly', function ($nonce, $assertions) {
+    if ($nonce) {
+        Vite::useCspNonce($nonce);
+    }
+
+    Route::get('injection-test', fn () => view('test::injection-test'))
+        ->middleware(InjectBoost::class);
+
+    $response = $this->get('injection-test')->assertViewIs('test::injection-test');
+
+    $assertions($response);
+})->with([
+    'with CSP nonce configured' => [
+        'test-nonce',
+        fn ($response) => $response
+            ->assertSee('nonce="test-nonce"', false)
+            ->assertSee('id="browser-logger-active"', false),
+    ],
+    'without CSP nonce configured' => [
+        null,
+        fn ($response) => $response
+            ->assertSee('<script id="browser-logger-active">', false)
+            ->assertDontSee('nonce=', false)
+            ->assertDontSee('test-nonce', false),
+    ],
+]);