security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)

- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/LoginController.php

@@ -9,12 +9,19 @@ use App\Http\Requests\Api\V1\LoginRequest;
 use App\Http\Resources\Api\V1\UserResource;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Log;
 
 final class LoginController extends Controller
 {
     public function __invoke(LoginRequest $request): JsonResponse
     {
         if (!Auth::attempt($request->only('email', 'password'))) {
+            Log::warning('Failed login attempt', [
+                'email' => $request->validated('email'),
+                'ip' => $request->ip(),
+                'user_agent' => $request->userAgent(),
+            ]);
+
             return $this->unauthorized('Invalid credentials');
         }
 

api/app/Http/Controllers/Api/V1/PasswordResetController.php

@@ -9,6 +9,7 @@ use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Password;
+use Illuminate\Validation\Rules\Password as PasswordRule;
 
 final class PasswordResetController extends Controller
 {
@@ -29,13 +30,14 @@ final class PasswordResetController extends Controller
         $request->validate([
             'token' => 'required',
             'email' => 'required|email',
-            'password' => 'required|min:8|confirmed',
+            'password' => ['required', 'confirmed', PasswordRule::min(8)->mixedCase()->numbers()],
         ]);
 
         $status = Password::reset(
             $request->only('email', 'password', 'password_confirmation', 'token'),
             function ($user, $password) {
                 $user->forceFill(['password' => Hash::make($password)])->save();
+                $user->tokens()->delete();
             }
         );
 

api/app/Http/Middleware/SecurityHeaders.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class SecurityHeaders
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $response = $next($request);
+
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+        $response->headers->set('X-Frame-Options', 'DENY');
+        $response->headers->set('X-XSS-Protection', '0');
+        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
+        $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+
+        if ($request->isSecure() || app()->environment('production')) {
+            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+
+        return $response;
+    }
+}

api/app/Http/Requests/Api/V1/AcceptInvitationRequest.php

@@ -7,6 +7,7 @@ namespace App\Http\Requests\Api\V1;
 use App\Models\User;
 use App\Models\UserInvitation;
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rules\Password;
 
 final class AcceptInvitationRequest extends FormRequest
 {
@@ -24,7 +25,7 @@ final class AcceptInvitationRequest extends FormRequest
         return [
             'first_name' => [$userExists ? 'nullable' : 'required', 'string', 'max:255'],
             'last_name' => [$userExists ? 'nullable' : 'required', 'string', 'max:255'],
-            'password' => [$userExists ? 'nullable' : 'required', 'string', 'min:8', 'confirmed'],
+            'password' => [$userExists ? 'nullable' : 'required', 'string', 'confirmed', Password::min(8)->mixedCase()->numbers()],
         ];
     }
 }

api/app/Http/Requests/Api/V1/UpdateOrganisationRequest.php

@@ -23,7 +23,6 @@ final class UpdateOrganisationRequest extends FormRequest
                 'sometimes', 'string', 'max:255', 'regex:/^[a-z0-9-]+$/',
                 Rule::unique('organisations', 'slug')->ignore($this->route('organisation')),
             ],
-            'billing_status' => ['sometimes', 'string', 'in:active,trial,suspended'],
             'settings' => ['sometimes', 'array'],
             'email_logo_url' => ['nullable', 'url', 'max:500'],
             'email_primary_color' => ['nullable', 'string', 'regex:/^#[0-9A-Fa-f]{6}$/'],

api/app/Http/Requests/Api/V1/VolunteerRegistrationRequest.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests\Api\V1;
 
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rules\Password;
 
 final class VolunteerRegistrationRequest extends FormRequest
 {
@@ -60,7 +61,7 @@ final class VolunteerRegistrationRequest extends FormRequest
 
         // Password required for unauthenticated registrations
         if ($user === null) {
-            $rules['password'] = ['required', 'string', 'min:8'];
+            $rules['password'] = ['required', 'string', Password::min(8)->mixedCase()->numbers()];
             $rules['password_confirmation'] = ['nullable', 'same:password'];
         }