security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 16:06:44 +02:00
parent 836cffa232
commit 513ca519b2
32 changed files with 826 additions and 227 deletions
--- a/api/app/Http/Middleware/CookieBearerToken.php
+++ b/api/app/Http/Middleware/CookieBearerToken.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class CookieBearerToken
+{
+    private const COOKIE_NAMES = [
+        'crewli_admin_token',
+        'crewli_app_token',
+        'crewli_portal_token',
+    ];
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        // Skip if an Authorization header is already present
+        if ($request->hasHeader('Authorization')) {
+            return $next($request);
+        }
+
+        foreach (self::COOKIE_NAMES as $cookieName) {
+            $token = $request->cookie($cookieName);
+
+            if ($token) {
+                $request->headers->set('Authorization', 'Bearer ' . $token);
+                break;
+            }
+        }
+
+        return $next($request);
+    }
+}