bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)

Browse Source 
- Add throttle middleware to login (5/min), portal/token-auth (10/min),
  volunteer-register (5/min), and invitation routes (10/min)
- Set Sanctum token expiration to 7 days
- Remove billing_status from UpdateOrganisationRequest (super_admin only)
- Revoke all Sanctum tokens on password reset
- Strengthen password rules: min 8 chars, mixed case, numbers
- Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options,
  HSTS, Referrer-Policy, Permissions-Policy)
- Fix open redirect on all 3 login pages (validate ?to= starts with /)
- Set APP_DEBUG=false in .env.example
- Log failed login attempts with email, IP, user-agent
- Log authorization failures (403) with user, IP, path, method
- Harden mass assignment: remove user_id from Person, audit fields from
  ShiftAssignment, system fields from UserInvitation $fillable
- Replace real DB records with factory make() in mail preview routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 01:34:51 +02:00
parent 72120969c6
commit 1028498705
30 changed files with 235 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
api/tests/Feature/Api/V1/PasswordResetTest.php
View File

@@ -85,8 +85,8 @@ class PasswordResetTest extends TestCase
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => $token,
'email' => 'jan@voorbeeld.nl',
'password' => 'nieuwwachtwoord123',
'password_confirmation' => 'nieuwwachtwoord123',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertOk();
@@ -94,7 +94,7 @@ class PasswordResetTest extends TestCase
// Verify password was actually changed
$user->refresh();
$this->assertTrue(Hash::check('nieuwwachtwoord123', $user->password));
$this->assertTrue(Hash::check('NieuwWachtwoord1', $user->password));
}
public function test_reset_password_with_invalid_token_returns_422(): void
@@ -104,8 +104,8 @@ class PasswordResetTest extends TestCase
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => 'invalid-token-here',
'email' => 'jan@voorbeeld.nl',
'password' => 'nieuwwachtwoord123',
'password_confirmation' => 'nieuwwachtwoord123',
'password' => 'NieuwWachtwoord1',
'password_confirmation' => 'NieuwWachtwoord1',
]);
$response->assertStatus(422);
@@ -120,7 +120,7 @@ class PasswordResetTest extends TestCase
$response = $this->postJson('/api/v1/auth/reset-password', [
'token' => $token,
'email' => 'jan@voorbeeld.nl',
'password' => 'nieuwwachtwoord123',
'password' => 'NieuwWachtwoord1',
]);
$response->assertStatus(422);

3
api/tests/Feature/Api/V1/PortalMeUpcomingShiftTest.php
View File

@@ -144,7 +144,8 @@ class PortalMeUpcomingShiftTest extends TestCase
]);
$pendingUser = User::factory()->create(['email' => $pendingPerson->email]);
$pendingPerson->update(['user_id' => $pendingUser->id]);
$pendingPerson->user_id = $pendingUser->id;
$pendingPerson->save();
$futureDate = now()->addDays(7)->toDateString();

2
api/tests/Feature/Api/V1/RegistrationSettingsTest.php
View File

@@ -219,7 +219,7 @@ class RegistrationSettingsTest extends TestCase
'first_name' => 'Test',
'last_name' => 'Vrijwilliger',
'email' => 'test-section-pref@example.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'section_preferences' => [
['festival_section_id' => $section->id, 'priority' => 1],
],

42
api/tests/Feature/Api/V1/VolunteerRegistrationTest.php
View File

@@ -63,7 +63,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Jan',
'last_name' => 'de Vries',
'email' => 'jan@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'phone' => '+31612345678',
'tshirt_size' => 'L',
'motivation' => 'Ik wil graag helpen bij dit festival!',
@@ -89,7 +89,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Sophie',
'last_name' => 'Bakker',
'email' => 'sophie@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(201);
@@ -117,7 +117,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Pieter',
'last_name' => 'Jansen',
'email' => 'pieter@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(201);
@@ -137,7 +137,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Fleur',
'last_name' => 'Vermeer',
'email' => 'fleur@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'availabilities' => [
['time_slot_id' => $this->timeSlot->id, 'preference_level' => 4],
['time_slot_id' => $timeSlot2->id, 'preference_level' => 2],
@@ -168,7 +168,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Daan',
'last_name' => 'Mulder',
'email' => 'daan@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'tshirt_size' => 'XL',
'motivation' => 'Ik vind festivals geweldig.',
'section_preferences' => [
@@ -199,7 +199,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Mila',
'last_name' => 'de Boer',
'email' => 'mila@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'date_of_birth' => '1998-05-12',
]);
@@ -217,7 +217,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Sem',
'last_name' => 'van Beek',
'email' => 'sem@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(201);
@@ -232,7 +232,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Tijn',
'last_name' => 'Kuiper',
'email' => 'tijn@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'date_of_birth' => now()->addDay()->format('Y-m-d'),
]);
@@ -248,14 +248,14 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Anna',
'last_name' => 'Smit',
'email' => 'anna@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response = $this->postJson("/api/v1/events/{$this->event->id}/volunteer-register", [
'first_name' => 'Anna',
'last_name' => 'Smit',
'email' => 'anna@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(422);
@@ -276,7 +276,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Herkan',
'last_name' => 'Poging',
'email' => 'herkan@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(200);
@@ -298,7 +298,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Test',
'last_name' => 'Persoon',
'email' => 'test@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(422);
@@ -310,7 +310,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Bas',
'last_name' => 'van Dijk',
'email' => 'bas@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'availabilities' => [
['time_slot_id' => '01JNONEXISTENT00000000000', 'preference_level' => 3],
],
@@ -486,7 +486,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Noor',
'last_name' => 'Janssen',
'email' => 'noor@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'field_values' => [
$selectField->slug => 'L',
$textField->slug => 'Ik ben een ervaren vrijwilliger',
@@ -528,7 +528,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Rick',
'last_name' => 'Peters',
'email' => 'rick@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'section_preferences' => [
['festival_section_id' => $section1->id, 'priority' => 1],
['festival_section_id' => $section2->id, 'priority' => 2],
@@ -564,7 +564,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Femke',
'last_name' => 'de Jong',
'email' => 'femke@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
'field_values' => [
$multiselectField->slug => ['Vegetarisch', 'Glutenvrij'],
],
@@ -596,7 +596,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Nieuwe',
'last_name' => 'Vrijwilliger',
'email' => 'nieuw@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(201);
@@ -624,14 +624,14 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Terug',
'last_name' => 'Keerder',
'email' => 'terug@voorbeeld.nl',
'password' => Hash::make('bestaandwachtwoord'),
'password' => Hash::make('BestaandWw1'),
]);
$response = $this->postJson("/api/v1/events/{$this->event->id}/volunteer-register", [
'first_name' => 'Terug',
'last_name' => 'Keerder',
'email' => 'terug@voorbeeld.nl',
'password' => 'bestaandwachtwoord',
'password' => 'BestaandWw1',
]);
$response->assertStatus(201);
@@ -672,7 +672,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Mail',
'last_name' => 'Test',
'email' => 'mailtest@voorbeeld.nl',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
Mail::assertQueued(RegistrationConfirmationMail::class, function ($mail) {
@@ -688,7 +688,7 @@ class VolunteerRegistrationTest extends TestCase
'first_name' => 'Hoofdletter',
'last_name' => 'Email',
'email' => 'HOOFDLETTER@VOORBEELD.NL',
'password' => 'wachtwoord123',
'password' => 'Wachtwoord1',
]);
$response->assertStatus(201);