bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(auth): consolidate to single cookie post single-SPA

Browse Source 
The dual-cookie machinery (crewli_app_token + crewli_portal_token,
Origin-based resolution) was load-bearing only when the second SPA
existed. apps/portal/ was deleted in WS-3 PR-B1; the resolver code
has been carrying dead branches since then. Collapse to one cookie.

Cookie name retained as crewli_app_token — no session breakage on
deploy. crewli_portal_token is fully purged from the server-side.

CookieBearerToken middleware:
- COOKIE_NAMES array → single COOKIE_NAME constant
- resolveCookieName method (Origin/Referer parsing, host+port
  matching against frontend_app_url/frontend_portal_url) → removed
- Body collapses to: skip if Authorization header present; else
  read crewli_app_token cookie and inject Bearer header

SetAuthCookie trait:
- COOKIE_MAP / resolveCookieName / originMatches → removed
- makeAuthCookie / forgetAuthCookie now take only $token; the
  cookie name is the trait's private constant

Five callers updated to drop the resolveCookieName($request) line
and the cookie-name argument: LoginController (3 sites),
MfaVerifyController (1 site), AuthRefreshController (1 site),
LogoutController (1 site), InvitationController (1 site — caller
list in the prompt missed this one but the same pattern applies).

frontend_portal_url config key retained (per Phase A directive Q1):
EmailChangeController, PasswordResetController, PersonController are
non-auth consumers that build per-app URL maps for outbound emails.
The map structure is now functionally redundant (production resolves
all FRONTEND_* env vars to the same host) but stays structurally
intact. Refactor tracked as TECH-FRONTEND-URL-CONSOLIDATE in the
upcoming docs commit.

HttpOnlyCookieAuthTest:
- Removed 4 dual-cookie tests (login_sets_portal_cookie_for_portal_origin,
  app_cookie_does_not_authenticate_portal_requests,
  portal_cookie_does_not_authenticate_app_requests,
  correct_cookie_authenticates_with_matching_origin)
- Renamed login_sets_app_cookie_for_unknown_origin →
  login_sets_app_cookie_regardless_of_origin; expanded to four
  Origin variants (none, app, unknown, foreign) — pins the new
  origin-agnostic contract
- Removed Origin headers from request calls in remaining tests
  (now meaningless)

Backend test count: 1491 → 1487 (-4 deleted, dual-cookie tests
encoding the obsolete contract). Pint clean. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-05-06 00:24:01 +02:00
parent 96cb1519de
commit 2e94a107e4
8 changed files with 49 additions and 185 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
api/tests/Feature/Security/HttpOnlyCookieAuthTest.php
View File

@@ -7,7 +7,6 @@ namespace Tests\Feature\Security;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
final class HttpOnlyCookieAuthTest extends TestCase
@@ -45,7 +44,7 @@ final class HttpOnlyCookieAuthTest extends TestCase
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], ['Origin' => 'http://localhost:5174']);
]);
$response->assertOk();
$response->assertCookie('crewli_app_token');
@@ -58,7 +57,7 @@ final class HttpOnlyCookieAuthTest extends TestCase
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], ['Origin' => 'http://localhost:5174']);
]);
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull($cookie, 'Cookie crewli_app_token not found');
@@ -72,37 +71,41 @@ final class HttpOnlyCookieAuthTest extends TestCase
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], ['Origin' => 'http://localhost:5174']);
]);
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull($cookie);
$this->assertEquals('strict', strtolower($cookie->getSameSite()));
}
public function test_login_sets_app_cookie_for_unknown_origin(): void
public function test_login_sets_app_cookie_regardless_of_origin(): void
{
$user = User::factory()->create();
// Post-WS-3 PR-B2b: there is no per-app cookie resolution. Whatever
// Origin (or no Origin) the request carries, the auth cookie issued
// is always crewli_app_token. The request body alone determines auth.
$cases = [
'no Origin header' => [],
'app Origin' => ['Origin' => 'http://localhost:5174'],
'unknown Origin' => ['Origin' => 'http://localhost:9999'],
'foreign Origin' => ['Origin' => 'https://elsewhere.example.com'],
];
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], ['Origin' => 'http://localhost:9999']);
foreach ($cases as $label => $headers) {
$user = User::factory()->create();
$response->assertOk();
$response->assertCookie('crewli_app_token');
}
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], $headers);
public function test_login_sets_portal_cookie_for_portal_origin(): void
{
$user = User::factory()->create();
$response->assertOk();
$response = $this->postJson('/api/v1/auth/login', [
'email' => $user->email,
'password' => 'password',
], ['Origin' => 'http://localhost:5175']);
$response->assertOk();
$response->assertCookie('crewli_portal_token');
$cookie = $this->findCookie($response, 'crewli_app_token');
$this->assertNotNull(
$cookie,
"crewli_app_token must be set for case: {$label}",
);
}
}
// --- Middleware Tests ---
@@ -142,7 +145,7 @@ final class HttpOnlyCookieAuthTest extends TestCase
$token = $user->createToken('auth-token')->plainTextToken;
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
->postJson('/api/v1/auth/logout', [], ['Origin' => 'http://localhost:5174']);
->postJson('/api/v1/auth/logout');
$response->assertOk();
@@ -161,7 +164,7 @@ final class HttpOnlyCookieAuthTest extends TestCase
$token = $accessToken->plainTextToken;
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
->postJson('/api/v1/auth/refresh', [], ['Origin' => 'http://localhost:5174']);
->postJson('/api/v1/auth/refresh');
$response->assertOk();
$response->assertCookie('crewli_app_token');
@@ -192,45 +195,6 @@ final class HttpOnlyCookieAuthTest extends TestCase
$response->assertUnauthorized();
}
// --- Cross-App Isolation Tests ---
public function test_app_cookie_does_not_authenticate_portal_requests(): void
{
$user = User::factory()->create();
$token = $user->createToken('auth-token')->plainTextToken;
// App cookie is set, but request comes from portal origin —
// middleware should only read crewli_portal_token, not crewli_app_token
$response = $this->withUnencryptedCookie('crewli_app_token', $token)
->getJson('/api/v1/auth/me', ['Origin' => 'http://localhost:5175']);
$response->assertUnauthorized();
}
public function test_portal_cookie_does_not_authenticate_app_requests(): void
{
$user = User::factory()->create();
$token = $user->createToken('auth-token')->plainTextToken;
$response = $this->withUnencryptedCookie('crewli_portal_token', $token)
->getJson('/api/v1/auth/me', ['Origin' => 'http://localhost:5174']);
$response->assertUnauthorized();
}
public function test_correct_cookie_authenticates_with_matching_origin(): void
{
$user = User::factory()->create();
$token = $user->createToken('auth-token')->plainTextToken;
// Portal cookie + portal origin = authenticated
$response = $this->withUnencryptedCookie('crewli_portal_token', $token)
->getJson('/api/v1/auth/me', ['Origin' => 'http://localhost:5175']);
$response->assertOk();
$response->assertJsonPath('data.id', $user->id);
}
// --- Helper ---
private function findCookie($response, string $name): ?\Symfony\Component\HttpFoundation\Cookie