security: round 3 — token security (crypto random, hashed storage, portal middleware)

Token generation: - Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy - Store SHA-256 hash in database, never plaintext tokens - Hash input before lookup on all token endpoints Invitation tokens: - InvitationService: generate crypto random, store hash, pass plain token transiently for email URL via UserInvitation::$plainToken - InvitationController show/accept: hash input before DB lookup - AcceptInvitationRequest: hash token before invitation lookup - Migration: widen user_invitations.token and artists.portal_token from char(26) to char(64) for SHA-256 hex digests Portal token auth: - PortalTokenController: remove Schema::hasTable() runtime checks, hash token before lookup, return shaped response via PortalEventResource instead of raw model data - Create PortalEventResource (name, dates, status only — no internals) - Handle missing production_requests table gracefully via try/catch Portal token middleware: - Implement full token validation: extract from Bearer header or ?token= query param, hash, look up in artists/production_requests, verify event exists and is not draft/closed, set portal context on request - Return generic 401 on any failure (no information leakage) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 06:52:54 +02:00
parent 090d2b7d89
commit 52f6380ac0
14 changed files with 258 additions and 30 deletions
--- a/api/app/Http/Middleware/PortalTokenMiddleware.php
+++ b/api/app/Http/Middleware/PortalTokenMiddleware.php
@@ -1,20 +1,87 @@
 <?php

+declare(strict_types=1);
+
 namespace App\Http\Middleware;

+use App\Models\Event;
+use App\Models\Scopes\OrganisationScope;
 use Closure;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
 use Symfony\Component\HttpFoundation\Response;

-class PortalTokenMiddleware
+final class PortalTokenMiddleware
 {
-    /**
-     * Handle an incoming request.
-     *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
-     */
    public function handle(Request $request, Closure $next): Response
    {
-        return $next($request);
+        $plainToken = $this->extractToken($request);
+
+        if ($plainToken === null) {
+            return response()->json(['message' => 'Portal token required.'], 401);
+        }
+
+        $hashedToken = hash('sha256', $plainToken);
+
+        // Try artists table
+        $artist = DB::table('artists')->where('portal_token', $hashedToken)->first();
+
+        if ($artist) {
+            $event = Event::withoutGlobalScope(OrganisationScope::class)->find($artist->event_id);
+
+            if (! $event || in_array($event->status, ['draft', 'closed'], true)) {
+                return response()->json(['message' => 'Portal token required.'], 401);
+            }
+
+            $request->merge([
+                'portal_context' => 'artist',
+                'portal_person' => $artist,
+                'portal_event' => $event,
+            ]);
+
+            return $next($request);
+        }
+
+        // Try production_requests table (may not exist yet)
+        try {
+            $productionRequest = DB::table('production_requests')->where('token', $hashedToken)->first();
+
+            if ($productionRequest) {
+                $event = Event::withoutGlobalScope(OrganisationScope::class)->find($productionRequest->event_id);
+
+                if (! $event || in_array($event->status, ['draft', 'closed'], true)) {
+                    return response()->json(['message' => 'Portal token required.'], 401);
+                }
+
+                $request->merge([
+                    'portal_context' => 'supplier',
+                    'portal_person' => $productionRequest,
+                    'portal_event' => $event,
+                ]);
+
+                return $next($request);
+            }
+        } catch (\Illuminate\Database\QueryException) {
+            // Table doesn't exist yet — skip
+        }
+
+        return response()->json(['message' => 'Portal token required.'], 401);
+    }
+
+    private function extractToken(Request $request): ?string
+    {
+        // Check Authorization: Bearer header
+        $bearer = $request->bearerToken();
+        if ($bearer !== null && $bearer !== '') {
+            return $bearer;
+        }
+
+        // Check query parameter
+        $queryToken = $request->query('token');
+        if (is_string($queryToken) && $queryToken !== '') {
+            return $queryToken;
+        }
+
+        return null;
    }
 }