security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)
- Add throttle middleware to login (5/min), portal/token-auth (10/min), volunteer-register (5/min), and invitation routes (10/min) - Set Sanctum token expiration to 7 days - Remove billing_status from UpdateOrganisationRequest (super_admin only) - Revoke all Sanctum tokens on password reset - Strengthen password rules: min 8 chars, mixed case, numbers - Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy) - Fix open redirect on all 3 login pages (validate ?to= starts with /) - Set APP_DEBUG=false in .env.example - Log failed login attempts with email, IP, user-agent - Log authorization failures (403) with user, IP, path, method - Harden mass assignment: remove user_id from Person, audit fields from ShiftAssignment, system fields from UserInvitation $fillable - Replace real DB records with factory make() in mail preview routes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -55,11 +55,11 @@ Route::get('/', fn () => response()->json([
|
||||
]));
|
||||
|
||||
// Public auth routes
|
||||
Route::post('auth/login', LoginController::class);
|
||||
Route::post('auth/login', LoginController::class)->middleware('throttle:5,1');
|
||||
|
||||
// Public invitation routes (no auth required)
|
||||
Route::get('invitations/{token}', [InvitationController::class, 'show']);
|
||||
Route::post('invitations/{token}/accept', [InvitationController::class, 'accept']);
|
||||
Route::get('invitations/{token}', [InvitationController::class, 'show'])->middleware('throttle:10,1');
|
||||
Route::post('invitations/{token}/accept', [InvitationController::class, 'accept'])->middleware('throttle:10,1');
|
||||
|
||||
// Password reset
|
||||
Route::post('auth/forgot-password', [PasswordResetController::class, 'sendResetLink'])
|
||||
@@ -69,8 +69,8 @@ Route::post('auth/reset-password', [PasswordResetController::class, 'resetPasswo
|
||||
// Public portal routes
|
||||
Route::get('public/events/{slug}/registration-data', PublicRegistrationDataController::class);
|
||||
Route::post('public/check-email', CheckEmailController::class)->middleware('throttle:10,1');
|
||||
Route::post('events/{event}/volunteer-register', VolunteerRegistrationController::class);
|
||||
Route::post('portal/token-auth', [PortalTokenController::class, 'auth']);
|
||||
Route::post('events/{event}/volunteer-register', VolunteerRegistrationController::class)->middleware('throttle:5,1');
|
||||
Route::post('portal/token-auth', [PortalTokenController::class, 'auth'])->middleware('throttle:10,1');
|
||||
|
||||
// Protected routes
|
||||
Route::middleware('auth:sanctum')->group(function () {
|
||||
|
||||
@@ -5,7 +5,9 @@ use App\Mail\RegistrationApprovedMail;
|
||||
use App\Mail\RegistrationConfirmationMail;
|
||||
use App\Mail\RegistrationRejectedMail;
|
||||
use App\Models\Event;
|
||||
use App\Models\Organisation;
|
||||
use App\Models\Person;
|
||||
use App\Models\User;
|
||||
use App\Models\UserInvitation;
|
||||
use Illuminate\Support\Facades\Route;
|
||||
|
||||
@@ -23,26 +25,19 @@ if (app()->environment('local', 'staging')) {
|
||||
}
|
||||
|
||||
if ($type === 'invitation') {
|
||||
$invitation = UserInvitation::first();
|
||||
|
||||
if (! $invitation) {
|
||||
return response('No UserInvitation found in the database. Create one first to preview this mail.', 422);
|
||||
}
|
||||
$organisation = Organisation::factory()->make();
|
||||
$invitation = UserInvitation::factory()->make();
|
||||
$invitation->setRelation('organisation', $organisation);
|
||||
$invitation->setRelation('invitedBy', User::factory()->make());
|
||||
$invitation->token ??= 'preview-token';
|
||||
$invitation->role ??= 'org_member';
|
||||
$invitation->expires_at ??= now()->addDays(7);
|
||||
|
||||
return new InvitationMail($invitation);
|
||||
}
|
||||
|
||||
$event = Event::first();
|
||||
$person = Person::first();
|
||||
|
||||
if (! $event || ! $person) {
|
||||
$missing = collect([
|
||||
'Event' => $event,
|
||||
'Person' => $person,
|
||||
])->filter(fn ($v) => $v === null)->keys()->implode(', ');
|
||||
|
||||
return response("No test data found. Missing: {$missing}. Seed the database first.", 422);
|
||||
}
|
||||
$event = Event::factory()->make();
|
||||
$person = Person::factory()->make();
|
||||
|
||||
return match ($type) {
|
||||
'registration-confirmation' => new RegistrationConfirmationMail($person, $event),
|
||||
|
||||
Reference in New Issue
Block a user