refactor(auth): consolidate to single cookie post single-SPA

The dual-cookie machinery (crewli_app_token + crewli_portal_token, Origin-based resolution) was load-bearing only when the second SPA existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code has been carrying dead branches since then. Collapse to one cookie. Cookie name retained as crewli_app_token — no session breakage on deploy. crewli_portal_token is fully purged from the server-side. CookieBearerToken middleware: - COOKIE_NAMES array → single COOKIE_NAME constant - resolveCookieName method (Origin/Referer parsing, host+port matching against frontend_app_url/frontend_portal_url) → removed - Body collapses to: skip if Authorization header present; else read crewli_app_token cookie and inject Bearer header SetAuthCookie trait: - COOKIE_MAP / resolveCookieName / originMatches → removed - makeAuthCookie / forgetAuthCookie now take only $token; the cookie name is the trait's private constant Five callers updated to drop the resolveCookieName($request) line and the cookie-name argument: LoginController (3 sites), MfaVerifyController (1 site), AuthRefreshController (1 site), LogoutController (1 site), InvitationController (1 site — caller list in the prompt missed this one but the same pattern applies). frontend_portal_url config key retained (per Phase A directive Q1): EmailChangeController, PasswordResetController, PersonController are non-auth consumers that build per-app URL maps for outbound emails. The map structure is now functionally redundant (production resolves all FRONTEND_* env vars to the same host) but stays structurally intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the upcoming docs commit. HttpOnlyCookieAuthTest: - Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin, app_cookie_does_not_authenticate_portal_requests, portal_cookie_does_not_authenticate_app_requests, correct_cookie_authenticates_with_matching_origin) - Renamed login_sets_app_cookie_for_unknown_origin → login_sets_app_cookie_regardless_of_origin; expanded to four Origin variants (none, app, unknown, foreign) — pins the new origin-agnostic contract - Removed Origin headers from request calls in remaining tests (now meaningless) Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests encoding the obsolete contract). Pint clean. Larastan clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 00:24:01 +02:00
parent 96cb1519de
commit 2e94a107e4
8 changed files with 49 additions and 185 deletions
--- a/api/app/Http/Middleware/CookieBearerToken.php
+++ b/api/app/Http/Middleware/CookieBearerToken.php
@@ -10,74 +10,21 @@ use Symfony\Component\HttpFoundation\Response;

 final class CookieBearerToken
 {
-    private const COOKIE_NAMES = [
-        'crewli_app_token',
-        'crewli_portal_token',
-    ];
+    private const COOKIE_NAME = 'crewli_app_token';

    public function handle(Request $request, Closure $next): Response
    {
-        // Skip if an Authorization header is already present
+        // Skip if an Authorization header is already present (e.g. portal-token
+        // Bearer flow for artists/suppliers, or server-to-server callers).
        if ($request->hasHeader('Authorization')) {
            return $next($request);
        }

-        // Resolve the cookie name for the requesting app via Origin header.
-        // This prevents cross-app cookie leakage on localhost where the
-        // browser sends all cookies regardless of port.
-        $cookieName = $this->resolveCookieName($request);
-
-        if ($cookieName) {
-            $token = $request->cookie($cookieName);
-            if ($token) {
-                $request->headers->set('Authorization', 'Bearer ' . $token);
-            }
+        $token = $request->cookie(self::COOKIE_NAME);
+        if ($token) {
+            $request->headers->set('Authorization', 'Bearer '.$token);
        }

        return $next($request);
    }
-
-    private function resolveCookieName(Request $request): ?string
-    {
-        $origin = $request->headers->get('Origin')
-            ?? $request->headers->get('Referer')
-            ?? '';
-
-        if ($origin === '') {
-            // No Origin — fall back to first available cookie (e.g. server-to-server)
-            foreach (self::COOKIE_NAMES as $name) {
-                if ($request->cookie($name)) {
-                    return $name;
-                }
-            }
-
-            return null;
-        }
-
-        $originHost = parse_url($origin, PHP_URL_HOST);
-        $originPort = parse_url($origin, PHP_URL_PORT);
-
-        $map = [
-            'app' => [config('app.frontend_app_url', 'http://localhost:5174'), 'crewli_app_token'],
-            'portal' => [config('app.frontend_portal_url', 'http://localhost:5175'), 'crewli_portal_token'],
-        ];
-
-        foreach ($map as [$configuredUrl, $cookieName]) {
-            $configHost = parse_url($configuredUrl, PHP_URL_HOST);
-            $configPort = parse_url($configuredUrl, PHP_URL_PORT);
-
-            if ($originHost === $configHost && $originPort === $configPort) {
-                return $cookieName;
-            }
-        }
-
-        // Origin didn't match any configured frontend — fall back to first available
-        foreach (self::COOKIE_NAMES as $name) {
-            if ($request->cookie($name)) {
-                return $name;
-            }
-        }
-
-        return null;
-    }
 }