security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Backend:
- CookieBearerToken middleware reads httpOnly cookie and injects Authorization
  header before Sanctum validates (prepended to API middleware group)
- SetAuthCookie trait provides cookie creation/expiry helpers with per-app
  cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token)
- LoginController sets token via Set-Cookie, removes it from JSON body
- LogoutController expires the auth cookie on logout
- AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie
- InvitationController accept also sets token via cookie, not JSON body
- All cookies: httpOnly, SameSite=Strict, Secure (in production)

Frontend (all three SPAs):
- Removed all localStorage token storage (apps/app, apps/portal)
- Removed all JS-readable cookie token storage (apps/admin)
- Removed Authorization: Bearer header interceptors from axios
- Auth stores now rely on GET /auth/me to validate httpOnly cookie
- Admin app: new Pinia auth store replaces useCookie-based auth pattern
- withCredentials: true ensures browser sends cookies automatically

Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin
cookie flags). Tokens are now invisible to JavaScript.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/tests/Feature/Auth/LoginTest.php

@@ -24,10 +24,13 @@ class LoginTest extends TestCase
         $response->assertOk()
             ->assertJsonStructure([
                 'success',
-                'data' => ['user' => ['id', 'first_name', 'last_name', 'full_name', 'email'], 'token'],
+                'data' => ['user' => ['id', 'first_name', 'last_name', 'full_name', 'email']],
                 'message',
             ])
             ->assertJson(['success' => true]);
+
+        // Token must NOT be in response body (set via httpOnly cookie)
+        $this->assertArrayNotHasKey('token', $response->json('data'));
     }
 
     public function test_login_fails_with_invalid_credentials(): void

api/tests/Feature/Invitation/InvitationTest.php

@@ -159,7 +159,9 @@ class InvitationTest extends TestCase
         ]);
 
         $response->assertOk();
-        $response->assertJsonStructure(['data' => ['user' => ['id', 'first_name', 'last_name', 'full_name', 'email'], 'token']]);
+        $response->assertJsonStructure(['data' => ['user' => ['id', 'first_name', 'last_name', 'full_name', 'email']]]);
+        // Token must NOT be in response body (set via httpOnly cookie)
+        $this->assertArrayNotHasKey('token', $response->json('data'));
 
         $this->assertDatabaseHas('users', ['email' => 'newuser@test.nl']);
         $this->assertDatabaseHas('organisation_user', [
@@ -187,7 +189,9 @@ class InvitationTest extends TestCase
         $response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept");
 
         $response->assertOk();
-        $response->assertJsonStructure(['data' => ['user', 'token']]);
+        $response->assertJsonStructure(['data' => ['user']]);
+        // Token must NOT be in response body (set via httpOnly cookie)
+        $this->assertArrayNotHasKey('token', $response->json('data'));
 
         $this->assertDatabaseHas('organisation_user', [
             'user_id' => $existingUser->id,

api/tests/Feature/Security/HttpOnlyCookieAuthTest.php

@@ -0,0 +1,207 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Security;
+
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+final class HttpOnlyCookieAuthTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+        // Enable cookies for JSON requests (required for cookie-based auth testing)
+        $this->withCredentials();
+    }
+
+    // --- Login Cookie Tests ---
+
+    public function test_login_response_does_not_contain_token_in_json_body(): void
+    {
+        $user = User::factory()->create();
+
+        $response = $this->postJson('/api/v1/auth/login', [
+            'email' => $user->email,
+            'password' => 'password',
+        ]);
+
+        $response->assertOk();
+        $response->assertJsonMissing(['token']);
+        $this->assertArrayNotHasKey('token', $response->json('data'));
+    }
+
+    public function test_login_response_sets_httponly_cookie(): void
+    {
+        $user = User::factory()->create();
+
+        $response = $this->postJson('/api/v1/auth/login', [
+            'email' => $user->email,
+            'password' => 'password',
+        ], ['Origin' => 'http://localhost:5174']);
+
+        $response->assertOk();
+        $response->assertCookie('crewli_app_token');
+    }
+
+    public function test_login_cookie_has_httponly_flag(): void
+    {
+        $user = User::factory()->create();
+
+        $response = $this->postJson('/api/v1/auth/login', [
+            'email' => $user->email,
+            'password' => 'password',
+        ], ['Origin' => 'http://localhost:5174']);
+
+        $cookie = $this->findCookie($response, 'crewli_app_token');
+        $this->assertNotNull($cookie, 'Cookie crewli_app_token not found');
+        $this->assertTrue($cookie->isHttpOnly(), 'Cookie must be httpOnly');
+    }
+
+    public function test_login_cookie_has_samesite_strict(): void
+    {
+        $user = User::factory()->create();
+
+        $response = $this->postJson('/api/v1/auth/login', [
+            'email' => $user->email,
+            'password' => 'password',
+        ], ['Origin' => 'http://localhost:5174']);
+
+        $cookie = $this->findCookie($response, 'crewli_app_token');
+        $this->assertNotNull($cookie);
+        $this->assertEquals('strict', strtolower($cookie->getSameSite()));
+    }
+
+    public function test_login_sets_admin_cookie_for_admin_origin(): void
+    {
+        $user = User::factory()->create();
+
+        $response = $this->postJson('/api/v1/auth/login', [
+            'email' => $user->email,
+            'password' => 'password',
+        ], ['Origin' => 'http://localhost:5173']);
+
+        $response->assertOk();
+        $response->assertCookie('crewli_admin_token');
+    }
+
+    public function test_login_sets_portal_cookie_for_portal_origin(): void
+    {
+        $user = User::factory()->create();
+
+        $response = $this->postJson('/api/v1/auth/login', [
+            'email' => $user->email,
+            'password' => 'password',
+        ], ['Origin' => 'http://localhost:5175']);
+
+        $response->assertOk();
+        $response->assertCookie('crewli_portal_token');
+    }
+
+    // --- Middleware Tests ---
+
+    public function test_request_with_auth_cookie_is_authenticated(): void
+    {
+        $user = User::factory()->create();
+        $token = $user->createToken('auth-token')->plainTextToken;
+
+        $response = $this->withUnencryptedCookie('crewli_app_token', $token)
+            ->getJson('/api/v1/auth/me');
+
+        $response->assertOk();
+        $response->assertJsonPath('data.id', $user->id);
+    }
+
+    public function test_request_with_invalid_cookie_returns_401(): void
+    {
+        $response = $this->withUnencryptedCookie('crewli_app_token', 'invalid-token-value')
+            ->getJson('/api/v1/auth/me');
+
+        $response->assertUnauthorized();
+    }
+
+    public function test_request_without_cookie_or_header_returns_401(): void
+    {
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertUnauthorized();
+    }
+
+    // --- Logout Tests ---
+
+    public function test_logout_expires_auth_cookie(): void
+    {
+        $user = User::factory()->create();
+        $token = $user->createToken('auth-token')->plainTextToken;
+
+        $response = $this->withUnencryptedCookie('crewli_app_token', $token)
+            ->postJson('/api/v1/auth/logout', [], ['Origin' => 'http://localhost:5174']);
+
+        $response->assertOk();
+
+        $cookie = $this->findCookie($response, 'crewli_app_token');
+        $this->assertNotNull($cookie, 'Cookie crewli_app_token not found in logout response');
+        // Expired cookie has a past expiry time
+        $this->assertTrue($cookie->getExpiresTime() < time(), 'Logout cookie must be expired');
+    }
+
+    // --- Refresh Tests ---
+
+    public function test_refresh_revokes_old_token_and_sets_new_cookie(): void
+    {
+        $user = User::factory()->create();
+        $accessToken = $user->createToken('auth-token');
+        $token = $accessToken->plainTextToken;
+
+        $response = $this->withUnencryptedCookie('crewli_app_token', $token)
+            ->postJson('/api/v1/auth/refresh', [], ['Origin' => 'http://localhost:5174']);
+
+        $response->assertOk();
+        $response->assertCookie('crewli_app_token');
+
+        // New cookie should contain a different token
+        $newCookie = $this->findCookie($response, 'crewli_app_token');
+        $this->assertNotNull($newCookie);
+        $this->assertNotEquals($token, $newCookie->getValue(), 'New token must differ from old token');
+
+        // Old token should be revoked in the database
+        $this->assertNull(
+            \Laravel\Sanctum\PersonalAccessToken::findToken($token),
+            'Old token must be deleted from database',
+        );
+
+        // New token should be valid in the database
+        $this->assertNotNull(
+            \Laravel\Sanctum\PersonalAccessToken::findToken($newCookie->getValue()),
+            'New token must exist in database',
+        );
+    }
+
+    public function test_refresh_with_expired_token_returns_401(): void
+    {
+        $response = $this->withUnencryptedCookie('crewli_app_token', 'expired-or-invalid-token')
+            ->postJson('/api/v1/auth/refresh');
+
+        $response->assertUnauthorized();
+    }
+
+    // --- Helper ---
+
+    private function findCookie($response, string $name): ?\Symfony\Component\HttpFoundation\Cookie
+    {
+        foreach ($response->headers->getCookies() as $cookie) {
+            if ($cookie->getName() === $name) {
+                return $cookie;
+            }
+        }
+
+        return null;
+    }
+}