bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: round 3 — token security (crypto random, hashed storage, portal middleware)

Browse Source 
Token generation:
- Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy
- Store SHA-256 hash in database, never plaintext tokens
- Hash input before lookup on all token endpoints

Invitation tokens:
- InvitationService: generate crypto random, store hash, pass plain
  token transiently for email URL via UserInvitation::$plainToken
- InvitationController show/accept: hash input before DB lookup
- AcceptInvitationRequest: hash token before invitation lookup
- Migration: widen user_invitations.token and artists.portal_token
  from char(26) to char(64) for SHA-256 hex digests

Portal token auth:
- PortalTokenController: remove Schema::hasTable() runtime checks,
  hash token before lookup, return shaped response via PortalEventResource
  instead of raw model data
- Create PortalEventResource (name, dates, status only — no internals)
- Handle missing production_requests table gracefully via try/catch

Portal token middleware:
- Implement full token validation: extract from Bearer header or ?token=
  query param, hash, look up in artists/production_requests, verify
  event exists and is not draft/closed, set portal context on request
- Return generic 401 on any failure (no information leakage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 06:52:54 +02:00
parent 090d2b7d89
commit 52f6380ac0
14 changed files with 258 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
api/app/Http/Controllers/Api/V1/InvitationController.php
View File

@@ -39,7 +39,9 @@ final class InvitationController extends Controller
public function show(string $token): JsonResponse
{
$invitation = UserInvitation::where('token', $token)
$hashedToken = hash('sha256', $token);
$invitation = UserInvitation::where('token', $hashedToken)
->with(['organisation', 'invitedBy'])
->first();
@@ -52,7 +54,8 @@ final class InvitationController extends Controller
public function accept(AcceptInvitationRequest $request, string $token): JsonResponse
{
$invitation = UserInvitation::where('token', $token)->firstOrFail();
$hashedToken = hash('sha256', $token);
$invitation = UserInvitation::where('token', $hashedToken)->firstOrFail();
$user = $this->invitationService->accept(
$invitation,

62
api/app/Http/Controllers/Api/V1/PortalTokenController.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
declare(strict_types=1);
namespace App\Http\Controllers\Api\V1;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\PortalTokenAuthRequest;
use App\Http\Resources\Api\V1\PortalEventResource;
use App\Models\Event;
use App\Models\Scopes\OrganisationScope;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\DB;
final class PortalTokenController extends Controller
{
public function auth(PortalTokenAuthRequest $request): JsonResponse
{
$hashedToken = hash('sha256', $request->validated('token'));
// Try artists table
$artist = DB::table('artists')->where('portal_token', $hashedToken)->first();
if ($artist) {
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($artist->event_id);
return response()->json([
'context' => 'artist',
'data' => [
'id' => $artist->id,
'name' => $artist->name,
'booking_status' => $artist->booking_status,
],
'event' => $event ? new PortalEventResource($event) : null,
]);
}
// Try production_requests table (may not exist yet)
try {
$productionRequest = DB::table('production_requests')->where('token', $hashedToken)->first();
if ($productionRequest) {
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($productionRequest->event_id);
return response()->json([
'context' => 'supplier',
'data' => [
'id' => $productionRequest->id,
'name' => $productionRequest->name ?? null,
],
'event' => $event ? new PortalEventResource($event) : null,
]);
}
} catch (\Illuminate\Database\QueryException) {
// Table doesn't exist yet — skip
}
return response()->json([
'message' => 'Invalid or expired portal token',
], 401);
}
}

81
api/app/Http/Middleware/PortalTokenMiddleware.php
View File

@@ -1,20 +1,87 @@
<?php
declare(strict_types=1);
namespace App\Http\Middleware;
use App\Models\Event;
use App\Models\Scopes\OrganisationScope;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Symfony\Component\HttpFoundation\Response;
class PortalTokenMiddleware
final class PortalTokenMiddleware
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
return $next($request);
$plainToken = $this->extractToken($request);
if ($plainToken === null) {
return response()->json(['message' => 'Portal token required.'], 401);
}
$hashedToken = hash('sha256', $plainToken);
// Try artists table
$artist = DB::table('artists')->where('portal_token', $hashedToken)->first();
if ($artist) {
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($artist->event_id);
if (! $event || in_array($event->status, ['draft', 'closed'], true)) {
return response()->json(['message' => 'Portal token required.'], 401);
}
$request->merge([
'portal_context' => 'artist',
'portal_person' => $artist,
'portal_event' => $event,
]);
return $next($request);
}
// Try production_requests table (may not exist yet)
try {
$productionRequest = DB::table('production_requests')->where('token', $hashedToken)->first();
if ($productionRequest) {
$event = Event::withoutGlobalScope(OrganisationScope::class)->find($productionRequest->event_id);
if (! $event || in_array($event->status, ['draft', 'closed'], true)) {
return response()->json(['message' => 'Portal token required.'], 401);
}
$request->merge([
'portal_context' => 'supplier',
'portal_person' => $productionRequest,
'portal_event' => $event,
]);
return $next($request);
}
} catch (\Illuminate\Database\QueryException) {
// Table doesn't exist yet — skip
}
return response()->json(['message' => 'Portal token required.'], 401);
}
private function extractToken(Request $request): ?string
{
// Check Authorization: Bearer header
$bearer = $request->bearerToken();
if ($bearer !== null && $bearer !== '') {
return $bearer;
}
// Check query parameter
$queryToken = $request->query('token');
if (is_string($queryToken) && $queryToken !== '') {
return $queryToken;
}
return null;
}
}

3
api/app/Http/Requests/Api/V1/AcceptInvitationRequest.php
View File

@@ -19,7 +19,8 @@ final class AcceptInvitationRequest extends FormRequest
/** @return array<string, mixed> */
public function rules(): array
{
$invitation = UserInvitation::where('token', $this->route('token'))->first();
$hashedToken = hash('sha256', $this->route('token'));
$invitation = UserInvitation::where('token', $hashedToken)->first();
$userExists = $invitation && User::where('email', $invitation->email)->exists();
return [

23
api/app/Http/Requests/Api/V1/PortalTokenAuthRequest.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Http\Requests\Api\V1;
use Illuminate\Foundation\Http\FormRequest;
final class PortalTokenAuthRequest extends FormRequest
{
public function authorize(): bool
{
return true;
}
/** @return array<string, mixed> */
public function rules(): array
{
return [
'token' => ['required', 'string'],
];
}
}

24
api/app/Http/Resources/Api/V1/PortalEventResource.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
declare(strict_types=1);
namespace App\Http\Resources\Api\V1;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;
final class PortalEventResource extends JsonResource
{
public function toArray(Request $request): array
{
return [
'id' => $this->id,
'name' => $this->name,
'slug' => $this->slug,
'start_date' => $this->start_date?->toDateString(),
'end_date' => $this->end_date?->toDateString(),
'status' => $this->status,
'event_type' => $this->event_type,
];
}
}

2
api/app/Mail/InvitationMail.php
View File

@@ -32,7 +32,7 @@ final class InvitationMail extends CrewliMailable
return new Content(
view: 'mail.invitation',
with: [
'acceptUrl' => config('crewli.app_url') . '/invitations/' . $this->invitation->token . '/accept',
'acceptUrl' => config('crewli.app_url') . '/invitations/' . ($this->invitation->plainToken ?? $this->invitation->token) . '/accept',
'inviterName' => $this->invitation->invitedBy?->name ?? 'Een beheerder',
'role' => $this->invitation->role,
'expiresAt' => $this->invitation->expires_at,

6
api/app/Models/UserInvitation.php
View File

@@ -15,6 +15,12 @@ final class UserInvitation extends Model
use HasFactory;
use HasUlids;
/**
* Plain-text token, set transiently after creation for use in emails.
* Never persisted the DB stores only the SHA-256 hash.
*/
public ?string $plainToken = null;
protected $fillable = [
'email',
'event_id',

8
api/app/Services/InvitationService.php
View File

@@ -11,7 +11,6 @@ use App\Models\UserInvitation;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;
use Spatie\Activitylog\Facades\LogActivity;
final class InvitationService
{
@@ -37,15 +36,20 @@ final class InvitationService
]);
}
$plainToken = bin2hex(random_bytes(32));
$invitation = new UserInvitation(['email' => $email]);
$invitation->invited_by_user_id = $invitedBy->id;
$invitation->organisation_id = $org->id;
$invitation->role = $role;
$invitation->token = strtolower((string) Str::ulid());
$invitation->token = hash('sha256', $plainToken);
$invitation->status = 'pending';
$invitation->expires_at = now()->addDays(7);
$invitation->save();
// Set transient plain token for use in the email URL
$invitation->plainToken = $plainToken;
Mail::to($email)->queue(new InvitationMail($invitation));
activity('invitation')

7
api/database/factories/UserInvitationFactory.php
View File

@@ -8,7 +8,6 @@ use App\Models\Organisation;
use App\Models\User;
use App\Models\UserInvitation;
use Illuminate\Database\Eloquent\Factories\Factory;
use Illuminate\Support\Str;
/** @extends Factory<UserInvitation> */
final class UserInvitationFactory extends Factory
@@ -28,7 +27,11 @@ final class UserInvitationFactory extends Factory
$invitation->invited_by_user_id ??= User::factory()->create()->id;
$invitation->organisation_id ??= Organisation::factory()->create()->id;
$invitation->role ??= 'org_member';
$invitation->token ??= strtolower((string) Str::ulid());
if ($invitation->token === null) {
$plainToken = bin2hex(random_bytes(32));
$invitation->token = hash('sha256', $plainToken);
$invitation->plainToken = $plainToken;
}
$invitation->status ??= 'pending';
$invitation->expires_at ??= now()->addDays(7);
});

40
api/database/migrations/2026_04_14_100000_update_token_columns_for_hashed_storage.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
declare(strict_types=1);
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
/**
* Widen token columns from char(26) (ULID) to char(64) (SHA-256 hex digest).
* Existing tokens become invalid acceptable for pre-production.
*/
return new class extends Migration
{
public function up(): void
{
Schema::table('user_invitations', function (Blueprint $table) {
$table->char('token', 64)->change();
});
if (Schema::hasTable('artists')) {
Schema::table('artists', function (Blueprint $table) {
$table->char('portal_token', 64)->change();
});
}
}
public function down(): void
{
Schema::table('user_invitations', function (Blueprint $table) {
$table->char('token', 26)->change();
});
if (Schema::hasTable('artists')) {
Schema::table('artists', function (Blueprint $table) {
$table->char('portal_token', 26)->change();
});
}
}
};

2
api/routes/web.php
View File

@@ -29,7 +29,7 @@ if (app()->environment('local', 'staging')) {
$invitation = UserInvitation::factory()->make();
$invitation->setRelation('organisation', $organisation);
$invitation->setRelation('invitedBy', User::factory()->make());
$invitation->token ??= 'preview-token';
$invitation->plainToken ??= 'preview-token';
$invitation->role ??= 'org_member';
$invitation->expires_at ??= now()->addDays(7);

11
api/tests/Feature/Api/V1/VolunteerRegistrationTest.php
View File

@@ -18,7 +18,6 @@ use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\Schema;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
@@ -402,17 +401,13 @@ class VolunteerRegistrationTest extends TestCase
$response->assertJson(['message' => 'Invalid or expired portal token']);
}
public function test_token_auth_returns_501_when_no_tables(): void
public function test_token_auth_with_empty_token_returns_422(): void
{
// Drop the artists table to simulate no token tables existing
Schema::dropIfExists('artists');
$response = $this->postJson('/api/v1/portal/token-auth', [
'token' => '01JTEST000000000000000000',
'token' => '',
]);
$response->assertStatus(501);
$response->assertJson(['message' => 'Token-based portal access is not yet available']);
$response->assertStatus(422);
}
// ─── Portal Me ──────────────────────────────────────────────────────

12
api/tests/Feature/Invitation/InvitationTest.php
View File

@@ -111,7 +111,7 @@ class InvitationTest extends TestCase
'invited_by_user_id' => $this->orgAdmin->id,
]);
$response = $this->getJson("/api/v1/invitations/{$invitation->token}");
$response = $this->getJson("/api/v1/invitations/{$invitation->plainToken}");
$response->assertOk();
$response->assertJsonPath('data.organisation.name', $this->org->name);
@@ -126,7 +126,7 @@ class InvitationTest extends TestCase
'expires_at' => now()->subDay(),
]);
$response = $this->getJson("/api/v1/invitations/{$invitation->token}");
$response = $this->getJson("/api/v1/invitations/{$invitation->plainToken}");
$response->assertOk();
$response->assertJsonPath('data.status', 'expired');
@@ -151,7 +151,7 @@ class InvitationTest extends TestCase
'expires_at' => now()->addDays(7),
]);
$response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
$response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept", [
'first_name' => 'New',
'last_name' => 'User',
'password' => 'Password123',
@@ -184,7 +184,7 @@ class InvitationTest extends TestCase
'expires_at' => now()->addDays(7),
]);
$response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept");
$response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept");
$response->assertOk();
$response->assertJsonStructure(['data' => ['user', 'token']]);
@@ -204,7 +204,7 @@ class InvitationTest extends TestCase
'expires_at' => now()->subDay(),
]);
$response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
$response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept", [
'first_name' => 'Test',
'last_name' => 'User',
'password' => 'Password123',
@@ -223,7 +223,7 @@ class InvitationTest extends TestCase
'expires_at' => now()->addDays(7),
]);
$response = $this->postJson("/api/v1/invitations/{$invitation->token}/accept", [
$response = $this->postJson("/api/v1/invitations/{$invitation->plainToken}/accept", [
'first_name' => 'Test',
'last_name' => 'User',
'password' => 'Password123',