refactor(auth): consolidate to single cookie post single-SPA
The dual-cookie machinery (crewli_app_token + crewli_portal_token, Origin-based resolution) was load-bearing only when the second SPA existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code has been carrying dead branches since then. Collapse to one cookie. Cookie name retained as crewli_app_token — no session breakage on deploy. crewli_portal_token is fully purged from the server-side. CookieBearerToken middleware: - COOKIE_NAMES array → single COOKIE_NAME constant - resolveCookieName method (Origin/Referer parsing, host+port matching against frontend_app_url/frontend_portal_url) → removed - Body collapses to: skip if Authorization header present; else read crewli_app_token cookie and inject Bearer header SetAuthCookie trait: - COOKIE_MAP / resolveCookieName / originMatches → removed - makeAuthCookie / forgetAuthCookie now take only $token; the cookie name is the trait's private constant Five callers updated to drop the resolveCookieName($request) line and the cookie-name argument: LoginController (3 sites), MfaVerifyController (1 site), AuthRefreshController (1 site), LogoutController (1 site), InvitationController (1 site — caller list in the prompt missed this one but the same pattern applies). frontend_portal_url config key retained (per Phase A directive Q1): EmailChangeController, PasswordResetController, PersonController are non-auth consumers that build per-app URL maps for outbound emails. The map structure is now functionally redundant (production resolves all FRONTEND_* env vars to the same host) but stays structurally intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the upcoming docs commit. HttpOnlyCookieAuthTest: - Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin, app_cookie_does_not_authenticate_portal_requests, portal_cookie_does_not_authenticate_app_requests, correct_cookie_authenticates_with_matching_origin) - Renamed login_sets_app_cookie_for_unknown_origin → login_sets_app_cookie_regardless_of_origin; expanded to four Origin variants (none, app, unknown, foreign) — pins the new origin-agnostic contract - Removed Origin headers from request calls in remaining tests (now meaningless) Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests encoding the obsolete contract). Pint clean. Larastan clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -65,13 +65,11 @@ final class LoginController extends Controller
|
||||
|
||||
// Return MFA challenge — NO auth token, NO auth cookie.
|
||||
// Expire the auth cookie to invalidate any stale browser session.
|
||||
$cookieName = $this->resolveCookieName($request);
|
||||
|
||||
return response()->json([
|
||||
'success' => true,
|
||||
'mfa_required' => true,
|
||||
...$mfaSession,
|
||||
])->withCookie($this->forgetAuthCookie($cookieName));
|
||||
])->withCookie($this->forgetAuthCookie());
|
||||
}
|
||||
|
||||
// MFA required by policy but not yet set up — issue token with flag
|
||||
@@ -80,11 +78,10 @@ final class LoginController extends Controller
|
||||
$data = $response->getData(true);
|
||||
$data['mfa_setup_required'] = true;
|
||||
|
||||
$cookieName = $this->resolveCookieName($request);
|
||||
$token = $user->createToken('auth-token')->plainTextToken;
|
||||
|
||||
return response()->json($data)
|
||||
->withCookie($this->makeAuthCookie($cookieName, $token));
|
||||
->withCookie($this->makeAuthCookie($token));
|
||||
}
|
||||
|
||||
// No MFA — issue token as normal
|
||||
@@ -101,11 +98,10 @@ final class LoginController extends Controller
|
||||
]);
|
||||
|
||||
$token = $user->createToken('auth-token')->plainTextToken;
|
||||
$cookieName = $this->resolveCookieName($request);
|
||||
|
||||
return $this->success([
|
||||
'user' => new MeResource($user),
|
||||
], 'Login successful')
|
||||
->withCookie($this->makeAuthCookie($cookieName, $token));
|
||||
->withCookie($this->makeAuthCookie($token));
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user