refactor(auth): consolidate to single cookie post single-SPA

The dual-cookie machinery (crewli_app_token + crewli_portal_token,
Origin-based resolution) was load-bearing only when the second SPA
existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code
has been carrying dead branches since then. Collapse to one cookie.

Cookie name retained as crewli_app_token — no session breakage on
deploy. crewli_portal_token is fully purged from the server-side.

CookieBearerToken middleware:
- COOKIE_NAMES array → single COOKIE_NAME constant
- resolveCookieName method (Origin/Referer parsing, host+port
  matching against frontend_app_url/frontend_portal_url) → removed
- Body collapses to: skip if Authorization header present; else
  read crewli_app_token cookie and inject Bearer header

SetAuthCookie trait:
- COOKIE_MAP / resolveCookieName / originMatches → removed
- makeAuthCookie / forgetAuthCookie now take only $token; the
  cookie name is the trait's private constant

Five callers updated to drop the resolveCookieName($request) line
and the cookie-name argument: LoginController (3 sites),
MfaVerifyController (1 site), AuthRefreshController (1 site),
LogoutController (1 site), InvitationController (1 site — caller
list in the prompt missed this one but the same pattern applies).

frontend_portal_url config key retained (per Phase A directive Q1):
EmailChangeController, PasswordResetController, PersonController are
non-auth consumers that build per-app URL maps for outbound emails.
The map structure is now functionally redundant (production resolves
all FRONTEND_* env vars to the same host) but stays structurally
intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the
upcoming docs commit.

HttpOnlyCookieAuthTest:
- Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin,
  app_cookie_does_not_authenticate_portal_requests,
  portal_cookie_does_not_authenticate_app_requests,
  correct_cookie_authenticates_with_matching_origin)
- Renamed login_sets_app_cookie_for_unknown_origin →
  login_sets_app_cookie_regardless_of_origin; expanded to four
  Origin variants (none, app, unknown, foreign) — pins the new
  origin-agnostic contract
- Removed Origin headers from request calls in remaining tests
  (now meaningless)

Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests
encoding the obsolete contract). Pint clean. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/Auth/MfaVerifyController.php

@@ -4,12 +4,12 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Api\V1\Auth;
 
+use App\Enums\MfaMethod;
 use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Api\V1\Auth\MfaEmailSendRequest;
 use App\Http\Requests\Api\V1\Auth\MfaVerifyRequest;
 use App\Http\Resources\Api\V1\MeResource;
-use App\Enums\MfaMethod;
 use App\Models\User;
 use App\Services\MfaService;
 use Illuminate\Http\JsonResponse;
@@ -58,19 +58,18 @@ final class MfaVerifyController extends Controller
         ]);
 
         $token = $user->createToken('auth-token')->plainTextToken;
-        $cookieName = $this->resolveCookieName($request);
 
         return $this->success([
             'user' => new MeResource($user),
         ], 'MFA verification successful')
-            ->withCookie($this->makeAuthCookie($cookieName, $token));
+            ->withCookie($this->makeAuthCookie($token));
     }
 
     public function sendEmailCode(MfaEmailSendRequest $request): JsonResponse
     {
         $sessionToken = $request->validated('mfa_session_token');
 
-        $cacheKey = 'mfa_session:' . $sessionToken;
+        $cacheKey = 'mfa_session:'.$sessionToken;
         $session = Cache::get($cacheKey);
 
         if (! $session) {

api/app/Http/Controllers/Api/V1/AuthRefreshController.php

@@ -24,7 +24,6 @@ final class AuthRefreshController extends Controller
 
         // Create a new token
         $newToken = $user->createToken('auth-token')->plainTextToken;
-        $cookieName = $this->resolveCookieName($request);
 
         $user->load(['organisations', 'roles', 'permissions']);
 
@@ -34,6 +33,6 @@ final class AuthRefreshController extends Controller
         ]);
 
         return $this->success(new MeResource($user), 'Token refreshed')
-            ->withCookie($this->makeAuthCookie($cookieName, $newToken));
+            ->withCookie($this->makeAuthCookie($newToken));
     }
 }

api/app/Http/Controllers/Api/V1/InvitationController.php

@@ -18,6 +18,7 @@ use Illuminate\Support\Facades\Gate;
 final class InvitationController extends Controller
 {
     use SetAuthCookie;
+
     public function __construct(
         private readonly InvitationService $invitationService,
     ) {}
@@ -65,7 +66,6 @@ final class InvitationController extends Controller
         );
 
         $sanctumToken = $user->createToken('auth-token')->plainTextToken;
-        $cookieName = $this->resolveCookieName($request);
 
         return $this->success([
             'user' => [
@@ -76,7 +76,7 @@ final class InvitationController extends Controller
                 'email' => $user->email,
             ],
         ], 'Uitnodiging geaccepteerd')
-            ->withCookie($this->makeAuthCookie($cookieName, $sanctumToken));
+            ->withCookie($this->makeAuthCookie($sanctumToken));
     }
 
     public function revoke(Organisation $organisation, UserInvitation $invitation): JsonResponse

api/app/Http/Controllers/Api/V1/LoginController.php

@@ -65,13 +65,11 @@ final class LoginController extends Controller
 
             // Return MFA challenge — NO auth token, NO auth cookie.
             // Expire the auth cookie to invalidate any stale browser session.
-            $cookieName = $this->resolveCookieName($request);
-
             return response()->json([
                 'success' => true,
                 'mfa_required' => true,
                 ...$mfaSession,
-            ])->withCookie($this->forgetAuthCookie($cookieName));
+            ])->withCookie($this->forgetAuthCookie());
         }
 
         // MFA required by policy but not yet set up — issue token with flag
@@ -80,11 +78,10 @@ final class LoginController extends Controller
             $data = $response->getData(true);
             $data['mfa_setup_required'] = true;
 
-            $cookieName = $this->resolveCookieName($request);
             $token = $user->createToken('auth-token')->plainTextToken;
 
             return response()->json($data)
-                ->withCookie($this->makeAuthCookie($cookieName, $token));
+                ->withCookie($this->makeAuthCookie($token));
         }
 
         // No MFA — issue token as normal
@@ -101,11 +98,10 @@ final class LoginController extends Controller
         ]);
 
         $token = $user->createToken('auth-token')->plainTextToken;
-        $cookieName = $this->resolveCookieName($request);
 
         return $this->success([
             'user' => new MeResource($user),
         ], 'Login successful')
-            ->withCookie($this->makeAuthCookie($cookieName, $token));
+            ->withCookie($this->makeAuthCookie($token));
     }
 }

api/app/Http/Controllers/Api/V1/LogoutController.php

@@ -17,9 +17,7 @@ final class LogoutController extends Controller
     {
         $request->user()->currentAccessToken()->delete();
 
-        $cookieName = $this->resolveCookieName($request);
-
         return $this->success(null, 'Logged out successfully')
-            ->withCookie($this->forgetAuthCookie($cookieName));
+            ->withCookie($this->forgetAuthCookie());
     }
 }

api/app/Http/Controllers/Api/V1/Traits/SetAuthCookie.php

@@ -4,42 +4,18 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Api\V1\Traits;
 
-use Illuminate\Http\Request;
 use Symfony\Component\HttpFoundation\Cookie;
 
 trait SetAuthCookie
 {
-    private const COOKIE_MAP = [
-        'app' => 'crewli_app_token',
-        'portal' => 'crewli_portal_token',
-    ];
+    private const COOKIE_NAME = 'crewli_app_token';
 
     private const COOKIE_TTL_MINUTES = 60 * 24 * 7; // 7 days
 
-    protected function resolveCookieName(Request $request): string
-    {
-        $origin = $request->headers->get('Origin')
-            ?? $request->headers->get('Referer')
-            ?? '';
-
-        $appUrl = config('app.frontend_app_url', 'http://localhost:5174');
-        $portalUrl = config('app.frontend_portal_url', 'http://localhost:5175');
-
-        if ($this->originMatches($origin, $appUrl)) {
-            return self::COOKIE_MAP['app'];
-        }
-
-        if ($this->originMatches($origin, $portalUrl)) {
-            return self::COOKIE_MAP['portal'];
-        }
-
-        return self::COOKIE_MAP['app'];
-    }
-
-    protected function makeAuthCookie(string $cookieName, string $token): Cookie
+    protected function makeAuthCookie(string $token): Cookie
     {
         return new Cookie(
-            name: $cookieName,
+            name: self::COOKIE_NAME,
             value: $token,
             expire: now()->addMinutes(self::COOKIE_TTL_MINUTES),
             path: '/',
@@ -50,10 +26,10 @@ trait SetAuthCookie
         );
     }
 
-    protected function forgetAuthCookie(string $cookieName): Cookie
+    protected function forgetAuthCookie(): Cookie
     {
         return new Cookie(
-            name: $cookieName,
+            name: self::COOKIE_NAME,
             value: '',
             expire: now()->subMinute(),
             path: '/',
@@ -63,19 +39,4 @@ trait SetAuthCookie
             sameSite: 'Strict',
         );
     }
-
-    private function originMatches(string $origin, string $configuredUrl): bool
-    {
-        if ($origin === '' || $configuredUrl === '') {
-            return false;
-        }
-
-        // Parse to compare host+port, ignoring trailing slashes and paths
-        $originHost = parse_url($origin, PHP_URL_HOST);
-        $originPort = parse_url($origin, PHP_URL_PORT);
-        $configHost = parse_url($configuredUrl, PHP_URL_HOST);
-        $configPort = parse_url($configuredUrl, PHP_URL_PORT);
-
-        return $originHost === $configHost && $originPort === $configPort;
-    }
 }