bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Browse Source 
Backend:
- CookieBearerToken middleware reads httpOnly cookie and injects Authorization
  header before Sanctum validates (prepended to API middleware group)
- SetAuthCookie trait provides cookie creation/expiry helpers with per-app
  cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token)
- LoginController sets token via Set-Cookie, removes it from JSON body
- LogoutController expires the auth cookie on logout
- AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie
- InvitationController accept also sets token via cookie, not JSON body
- All cookies: httpOnly, SameSite=Strict, Secure (in production)

Frontend (all three SPAs):
- Removed all localStorage token storage (apps/app, apps/portal)
- Removed all JS-readable cookie token storage (apps/admin)
- Removed Authorization: Bearer header interceptors from axios
- Auth stores now rely on GET /auth/me to validate httpOnly cookie
- Admin app: new Pinia auth store replaces useCookie-based auth pattern
- withCredentials: true ensures browser sends cookies automatically

Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin
cookie flags). Tokens are now invisible to JavaScript.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 16:06:44 +02:00
parent 836cffa232
commit 513ca519b2
32 changed files with 826 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
api/app/Http/Controllers/Api/V1/AuthRefreshController.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use App\Http\Resources\Api\V1\MeResource;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
final class AuthRefreshController extends Controller
{
use SetAuthCookie;
public function __invoke(Request $request): JsonResponse
{
$user = $request->user();
// Revoke the current token
$request->user()->currentAccessToken()->delete();
// Create a new token
$newToken = $user->createToken('auth-token')->plainTextToken;
$cookieName = $this->resolveCookieName($request);
$user->load(['organisations', 'roles', 'permissions']);
Log::info('Auth token refreshed', [
'user_id' => $user->id,
'ip' => $request->ip(),
]);
return $this->success(new MeResource($user), 'Token refreshed')
->withCookie($this->makeAuthCookie($cookieName, $newToken));
}
}

7
api/app/Http/Controllers/Api/V1/InvitationController.php
View File

@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\AcceptInvitationRequest;
use App\Http\Requests\Api\V1\StoreInvitationRequest;
@@ -16,6 +17,7 @@ use Illuminate\Support\Facades\Gate;
final class InvitationController extends Controller
{
use SetAuthCookie;
public function __construct(
private readonly InvitationService $invitationService,
) {}
@@ -63,6 +65,7 @@ final class InvitationController extends Controller
);
$sanctumToken = $user->createToken('auth-token')->plainTextToken;
$cookieName = $this->resolveCookieName($request);
return $this->success([
'user' => [
@@ -72,8 +75,8 @@ final class InvitationController extends Controller
'full_name' => $user->full_name,
'email' => $user->email,
],
'token' => $sanctumToken,
], 'Uitnodiging geaccepteerd');
], 'Uitnodiging geaccepteerd')
->withCookie($this->makeAuthCookie($cookieName, $sanctumToken));
}
public function revoke(Organisation $organisation, UserInvitation $invitation): JsonResponse

8
api/app/Http/Controllers/Api/V1/LoginController.php
View File

@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\LoginRequest;
use App\Http\Resources\Api\V1\UserResource;
@@ -13,6 +14,8 @@ use Illuminate\Support\Facades\Log;
final class LoginController extends Controller
{
use SetAuthCookie;
public function __invoke(LoginRequest $request): JsonResponse
{
if (!Auth::attempt($request->only('email', 'password'))) {
@@ -27,10 +30,11 @@ final class LoginController extends Controller
$user = Auth::user()->load(['organisations', 'roles']);
$token = $user->createToken('auth-token')->plainTextToken;
$cookieName = $this->resolveCookieName($request);
return $this->success([
'user' => new UserResource($user),
'token' => $token,
], 'Login successful');
], 'Login successful')
->withCookie($this->makeAuthCookie($cookieName, $token));
}
}

8
api/app/Http/Controllers/Api/V1/LogoutController.php
View File

@@ -4,16 +4,22 @@ declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
final class LogoutController extends Controller
{
use SetAuthCookie;
public function __invoke(Request $request): JsonResponse
{
$request->user()->currentAccessToken()->delete();
return $this->success(null, 'Logged out successfully');
$cookieName = $this->resolveCookieName($request);
return $this->success(null, 'Logged out successfully')
->withCookie($this->forgetAuthCookie($cookieName));
}
}

87
api/app/Http/Controllers/Api/V1/Traits/SetAuthCookie.php Normal file
View File

@@ -0,0 +1,87 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1\Traits;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Cookie;
trait SetAuthCookie
{
private const COOKIE_MAP = [
'admin' => 'crewli_admin_token',
'app' => 'crewli_app_token',
'portal' => 'crewli_portal_token',
];
private const COOKIE_TTL_MINUTES = 60 * 24 * 7; // 7 days
protected function resolveCookieName(Request $request): string
{
$origin = $request->headers->get('Origin')
?? $request->headers->get('Referer')
?? '';
$adminUrl = config('app.frontend_admin_url', 'http://localhost:5173');
$appUrl = config('app.frontend_app_url', 'http://localhost:5174');
$portalUrl = config('app.frontend_portal_url', 'http://localhost:5175');
if ($this->originMatches($origin, $adminUrl)) {
return self::COOKIE_MAP['admin'];
}
if ($this->originMatches($origin, $appUrl)) {
return self::COOKIE_MAP['app'];
}
if ($this->originMatches($origin, $portalUrl)) {
return self::COOKIE_MAP['portal'];
}
return self::COOKIE_MAP['app'];
}
protected function makeAuthCookie(string $cookieName, string $token): Cookie
{
return new Cookie(
name: $cookieName,
value: $token,
expire: now()->addMinutes(self::COOKIE_TTL_MINUTES),
path: '/',
domain: config('session.domain'),
secure: config('app.env') === 'production',
httpOnly: true,
sameSite: 'Strict',
);
}
protected function forgetAuthCookie(string $cookieName): Cookie
{
return new Cookie(
name: $cookieName,
value: '',
expire: now()->subMinute(),
path: '/',
domain: config('session.domain'),
secure: config('app.env') === 'production',
httpOnly: true,
sameSite: 'Strict',
);
}
private function originMatches(string $origin, string $configuredUrl): bool
{
if ($origin === '' || $configuredUrl === '') {
return false;
}
// Parse to compare host+port, ignoring trailing slashes and paths
$originHost = parse_url($origin, PHP_URL_HOST);
$originPort = parse_url($origin, PHP_URL_PORT);
$configHost = parse_url($configuredUrl, PHP_URL_HOST);
$configPort = parse_url($configuredUrl, PHP_URL_PORT);
return $originHost === $configHost && $originPort === $configPort;
}
}