security: round 3 — token security (crypto random, hashed storage, portal middleware)

Token generation: - Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy - Store SHA-256 hash in database, never plaintext tokens - Hash input before lookup on all token endpoints Invitation tokens: - InvitationService: generate crypto random, store hash, pass plain token transiently for email URL via UserInvitation::$plainToken - InvitationController show/accept: hash input before DB lookup - AcceptInvitationRequest: hash token before invitation lookup - Migration: widen user_invitations.token and artists.portal_token from char(26) to char(64) for SHA-256 hex digests Portal token auth: - PortalTokenController: remove Schema::hasTable() runtime checks, hash token before lookup, return shaped response via PortalEventResource instead of raw model data - Create PortalEventResource (name, dates, status only — no internals) - Handle missing production_requests table gracefully via try/catch Portal token middleware: - Implement full token validation: extract from Bearer header or ?token= query param, hash, look up in artists/production_requests, verify event exists and is not draft/closed, set portal context on request - Return generic 401 on any failure (no information leakage) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 06:52:54 +02:00
parent 090d2b7d89
commit 52f6380ac0
14 changed files with 258 additions and 30 deletions
--- a/api/app/Http/Controllers/Api/V1/InvitationController.php
+++ b/api/app/Http/Controllers/Api/V1/InvitationController.php
@@ -39,7 +39,9 @@ final class InvitationController extends Controller

    public function show(string $token): JsonResponse
    {
-        $invitation = UserInvitation::where('token', $token)
+        $hashedToken = hash('sha256', $token);
+
+        $invitation = UserInvitation::where('token', $hashedToken)
            ->with(['organisation', 'invitedBy'])
            ->first();

@@ -52,7 +54,8 @@ final class InvitationController extends Controller

    public function accept(AcceptInvitationRequest $request, string $token): JsonResponse
    {
-        $invitation = UserInvitation::where('token', $token)->firstOrFail();
+        $hashedToken = hash('sha256', $token);
+        $invitation = UserInvitation::where('token', $hashedToken)->firstOrFail();

        $user = $this->invitationService->accept(
            $invitation,
--- a/api/app/Http/Controllers/Api/V1/PortalTokenController.php
+++ b/api/app/Http/Controllers/Api/V1/PortalTokenController.php
@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Api\V1\PortalTokenAuthRequest;
+use App\Http\Resources\Api\V1\PortalEventResource;
+use App\Models\Event;
+use App\Models\Scopes\OrganisationScope;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\DB;
+
+final class PortalTokenController extends Controller
+{
+    public function auth(PortalTokenAuthRequest $request): JsonResponse
+    {
+        $hashedToken = hash('sha256', $request->validated('token'));
+
+        // Try artists table
+        $artist = DB::table('artists')->where('portal_token', $hashedToken)->first();
+
+        if ($artist) {
+            $event = Event::withoutGlobalScope(OrganisationScope::class)->find($artist->event_id);
+
+            return response()->json([
+                'context' => 'artist',
+                'data' => [
+                    'id' => $artist->id,
+                    'name' => $artist->name,
+                    'booking_status' => $artist->booking_status,
+                ],
+                'event' => $event ? new PortalEventResource($event) : null,
+            ]);
+        }
+
+        // Try production_requests table (may not exist yet)
+        try {
+            $productionRequest = DB::table('production_requests')->where('token', $hashedToken)->first();
+
+            if ($productionRequest) {
+                $event = Event::withoutGlobalScope(OrganisationScope::class)->find($productionRequest->event_id);
+
+                return response()->json([
+                    'context' => 'supplier',
+                    'data' => [
+                        'id' => $productionRequest->id,
+                        'name' => $productionRequest->name ?? null,
+                    ],
+                    'event' => $event ? new PortalEventResource($event) : null,
+                ]);
+            }
+        } catch (\Illuminate\Database\QueryException) {
+            // Table doesn't exist yet — skip
+        }
+
+        return response()->json([
+            'message' => 'Invalid or expired portal token',
+        ], 401);
+    }
+}