refactor(auth): consolidate to single cookie post single-SPA

The dual-cookie machinery (crewli_app_token + crewli_portal_token, Origin-based resolution) was load-bearing only when the second SPA existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code has been carrying dead branches since then. Collapse to one cookie. Cookie name retained as crewli_app_token — no session breakage on deploy. crewli_portal_token is fully purged from the server-side. CookieBearerToken middleware: - COOKIE_NAMES array → single COOKIE_NAME constant - resolveCookieName method (Origin/Referer parsing, host+port matching against frontend_app_url/frontend_portal_url) → removed - Body collapses to: skip if Authorization header present; else read crewli_app_token cookie and inject Bearer header SetAuthCookie trait: - COOKIE_MAP / resolveCookieName / originMatches → removed - makeAuthCookie / forgetAuthCookie now take only $token; the cookie name is the trait's private constant Five callers updated to drop the resolveCookieName($request) line and the cookie-name argument: LoginController (3 sites), MfaVerifyController (1 site), AuthRefreshController (1 site), LogoutController (1 site), InvitationController (1 site — caller list in the prompt missed this one but the same pattern applies). frontend_portal_url config key retained (per Phase A directive Q1): EmailChangeController, PasswordResetController, PersonController are non-auth consumers that build per-app URL maps for outbound emails. The map structure is now functionally redundant (production resolves all FRONTEND_* env vars to the same host) but stays structurally intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the upcoming docs commit. HttpOnlyCookieAuthTest: - Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin, app_cookie_does_not_authenticate_portal_requests, portal_cookie_does_not_authenticate_app_requests, correct_cookie_authenticates_with_matching_origin) - Renamed login_sets_app_cookie_for_unknown_origin → login_sets_app_cookie_regardless_of_origin; expanded to four Origin variants (none, app, unknown, foreign) — pins the new origin-agnostic contract - Removed Origin headers from request calls in remaining tests (now meaningless) Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests encoding the obsolete contract). Pint clean. Larastan clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 00:24:01 +02:00
parent 96cb1519de
commit 2e94a107e4
8 changed files with 49 additions and 185 deletions
--- a/api/app/Http/Controllers/Api/V1/Traits/SetAuthCookie.php
+++ b/api/app/Http/Controllers/Api/V1/Traits/SetAuthCookie.php
@@ -4,42 +4,18 @@ declare(strict_types=1);

 namespace App\Http\Controllers\Api\V1\Traits;

-use Illuminate\Http\Request;
 use Symfony\Component\HttpFoundation\Cookie;

 trait SetAuthCookie
 {
-    private const COOKIE_MAP = [
-        'app' => 'crewli_app_token',
-        'portal' => 'crewli_portal_token',
-    ];
+    private const COOKIE_NAME = 'crewli_app_token';

    private const COOKIE_TTL_MINUTES = 60 * 24 * 7; // 7 days

-    protected function resolveCookieName(Request $request): string
-    {
-        $origin = $request->headers->get('Origin')
-            ?? $request->headers->get('Referer')
-            ?? '';
-
-        $appUrl = config('app.frontend_app_url', 'http://localhost:5174');
-        $portalUrl = config('app.frontend_portal_url', 'http://localhost:5175');
-
-        if ($this->originMatches($origin, $appUrl)) {
-            return self::COOKIE_MAP['app'];
-        }
-
-        if ($this->originMatches($origin, $portalUrl)) {
-            return self::COOKIE_MAP['portal'];
-        }
-
-        return self::COOKIE_MAP['app'];
-    }
-
-    protected function makeAuthCookie(string $cookieName, string $token): Cookie
+    protected function makeAuthCookie(string $token): Cookie
    {
        return new Cookie(
-            name: $cookieName,
+            name: self::COOKIE_NAME,
            value: $token,
            expire: now()->addMinutes(self::COOKIE_TTL_MINUTES),
            path: '/',
@@ -50,10 +26,10 @@ trait SetAuthCookie
        );
    }

-    protected function forgetAuthCookie(string $cookieName): Cookie
+    protected function forgetAuthCookie(): Cookie
    {
        return new Cookie(
-            name: $cookieName,
+            name: self::COOKIE_NAME,
            value: '',
            expire: now()->subMinute(),
            path: '/',
@@ -63,19 +39,4 @@ trait SetAuthCookie
            sameSite: 'Strict',
        );
    }
-
-    private function originMatches(string $origin, string $configuredUrl): bool
-    {
-        if ($origin === '' || $configuredUrl === '') {
-            return false;
-        }
-
-        // Parse to compare host+port, ignoring trailing slashes and paths
-        $originHost = parse_url($origin, PHP_URL_HOST);
-        $originPort = parse_url($origin, PHP_URL_PORT);
-        $configHost = parse_url($configuredUrl, PHP_URL_HOST);
-        $configPort = parse_url($configuredUrl, PHP_URL_PORT);
-
-        return $originHost === $configHost && $originPort === $configPort;
-    }
 }