security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)

- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/database/factories/PersonFactory.php

@@ -29,6 +29,29 @@ final class PersonFactory extends Factory
         ];
     }
 
+    /**
+     * Override create to handle user_id which is not mass-assignable.
+     *
+     * @param  array<string, mixed>  $attributes
+     */
+    public function create($attributes = [], ?\Illuminate\Database\Eloquent\Model $parent = null): Person|\Illuminate\Database\Eloquent\Collection
+    {
+        $userId = $attributes['user_id'] ?? null;
+        unset($attributes['user_id']);
+
+        $result = parent::create($attributes, $parent);
+
+        if ($userId !== null) {
+            $models = $result instanceof Person ? collect([$result]) : $result;
+            $models->each(function (Person $person) use ($userId): void {
+                $person->user_id = $userId;
+                $person->save();
+            });
+        }
+
+        return $result;
+    }
+
     public function approved(): static
     {
         return $this->state(fn () => ['status' => 'approved']);

api/database/factories/ShiftAssignmentFactory.php

@@ -22,25 +22,34 @@ final class ShiftAssignmentFactory extends Factory
             'person_id' => Person::factory(),
             'time_slot_id' => TimeSlot::factory(),
             'status' => ShiftAssignmentStatus::PENDING_APPROVAL,
-            'auto_approved' => false,
-            'assigned_at' => now(),
         ];
     }
 
+    public function configure(): static
+    {
+        return $this->afterCreating(function (ShiftAssignment $assignment): void {
+            $assignment->auto_approved = false;
+            $assignment->assigned_at = now();
+            $assignment->save();
+        });
+    }
+
     public function approved(): static
     {
-        return $this->state(fn () => [
-            'status' => ShiftAssignmentStatus::APPROVED,
-            'approved_at' => now(),
-        ]);
+        return $this->afterCreating(function (ShiftAssignment $assignment): void {
+            $assignment->status = ShiftAssignmentStatus::APPROVED;
+            $assignment->approved_at = now();
+            $assignment->save();
+        });
     }
 
     public function autoApproved(): static
     {
-        return $this->state(fn () => [
-            'status' => ShiftAssignmentStatus::APPROVED,
-            'auto_approved' => true,
-            'approved_at' => now(),
-        ]);
+        return $this->afterCreating(function (ShiftAssignment $assignment): void {
+            $assignment->status = ShiftAssignmentStatus::APPROVED;
+            $assignment->auto_approved = true;
+            $assignment->approved_at = now();
+            $assignment->save();
+        });
     }
 }

api/database/factories/UserInvitationFactory.php

@@ -18,13 +18,19 @@ final class UserInvitationFactory extends Factory
     {
         return [
             'email' => fake()->unique()->safeEmail(),
-            'invited_by_user_id' => User::factory(),
-            'organisation_id' => Organisation::factory(),
             'event_id' => null,
-            'role' => 'org_member',
-            'token' => strtolower((string) Str::ulid()),
-            'status' => 'pending',
-            'expires_at' => now()->addDays(7),
         ];
     }
+
+    public function configure(): static
+    {
+        return $this->afterMaking(function (UserInvitation $invitation): void {
+            $invitation->invited_by_user_id ??= User::factory()->create()->id;
+            $invitation->organisation_id ??= Organisation::factory()->create()->id;
+            $invitation->role ??= 'org_member';
+            $invitation->token ??= strtolower((string) Str::ulid());
+            $invitation->status ??= 'pending';
+            $invitation->expires_at ??= now()->addDays(7);
+        });
+    }
 }