security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)
Backend: - CookieBearerToken middleware reads httpOnly cookie and injects Authorization header before Sanctum validates (prepended to API middleware group) - SetAuthCookie trait provides cookie creation/expiry helpers with per-app cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token) - LoginController sets token via Set-Cookie, removes it from JSON body - LogoutController expires the auth cookie on logout - AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie - InvitationController accept also sets token via cookie, not JSON body - All cookies: httpOnly, SameSite=Strict, Secure (in production) Frontend (all three SPAs): - Removed all localStorage token storage (apps/app, apps/portal) - Removed all JS-readable cookie token storage (apps/admin) - Removed Authorization: Bearer header interceptors from axios - Auth stores now rely on GET /auth/me to validate httpOnly cookie - Admin app: new Pinia auth store replaces useCookie-based auth pattern - withCredentials: true ensures browser sends cookies automatically Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin cookie flags). Tokens are now invisible to JavaScript. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -30,6 +30,7 @@ use App\Http\Controllers\Api\V1\VolunteerRegistrationController;
|
||||
use App\Http\Controllers\Api\V1\PublicRegistrationDataController;
|
||||
use App\Http\Controllers\Api\V1\PortalTokenController;
|
||||
use App\Http\Controllers\Api\V1\AccountController;
|
||||
use App\Http\Controllers\Api\V1\AuthRefreshController;
|
||||
use App\Http\Controllers\Api\V1\EmailChangeController;
|
||||
use App\Http\Controllers\Api\V1\PasswordResetController;
|
||||
use App\Http\Controllers\Api\V1\PortalMeController;
|
||||
@@ -82,6 +83,7 @@ Route::middleware('auth:sanctum')->group(function () {
|
||||
// Auth
|
||||
Route::get('auth/me', MeController::class);
|
||||
Route::post('auth/logout', LogoutController::class);
|
||||
Route::post('auth/refresh', AuthRefreshController::class);
|
||||
|
||||
// Account management (self-service)
|
||||
Route::post('me/change-password', [AccountController::class, 'changePassword']);
|
||||
|
||||
Reference in New Issue
Block a user