bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)

Browse Source 
- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 01:34:51 +02:00
parent 72120969c6
commit 1028498705
30 changed files with 235 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
api/database/factories/UserInvitationFactory.php
View File

@@ -18,13 +18,19 @@ final class UserInvitationFactory extends Factory
{
return [
'email' => fake()->unique()->safeEmail(),
'invited_by_user_id' => User::factory(),
'organisation_id' => Organisation::factory(),
'event_id' => null,
'role' => 'org_member',
'token' => strtolower((string) Str::ulid()),
'status' => 'pending',
'expires_at' => now()->addDays(7),
];
}
public function configure(): static
{
return $this->afterMaking(function (UserInvitation $invitation): void {
$invitation->invited_by_user_id ??= User::factory()->create()->id;
$invitation->organisation_id ??= Organisation::factory()->create()->id;
$invitation->role ??= 'org_member';
$invitation->token ??= strtolower((string) Str::ulid());
$invitation->status ??= 'pending';
$invitation->expires_at ??= now()->addDays(7);
});
}
}