security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 16:06:44 +02:00
parent 836cffa232
commit 513ca519b2
32 changed files with 826 additions and 227 deletions
--- a/api/app/Http/Controllers/Api/V1/AuthRefreshController.php
+++ b/api/app/Http/Controllers/Api/V1/AuthRefreshController.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
+use App\Http\Controllers\Controller;
+use App\Http\Resources\Api\V1\MeResource;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+
+final class AuthRefreshController extends Controller
+{
+    use SetAuthCookie;
+
+    public function __invoke(Request $request): JsonResponse
+    {
+        $user = $request->user();
+
+        // Revoke the current token
+        $request->user()->currentAccessToken()->delete();
+
+        // Create a new token
+        $newToken = $user->createToken('auth-token')->plainTextToken;
+        $cookieName = $this->resolveCookieName($request);
+
+        $user->load(['organisations', 'roles', 'permissions']);
+
+        Log::info('Auth token refreshed', [
+            'user_id' => $user->id,
+            'ip' => $request->ip(),
+        ]);
+
+        return $this->success(new MeResource($user), 'Token refreshed')
+            ->withCookie($this->makeAuthCookie($cookieName, $newToken));
+    }
+}