security: round 3 — token security (crypto random, hashed storage, portal middleware)
Token generation: - Replace Str::ulid() with bin2hex(random_bytes(32)) for 256-bit entropy - Store SHA-256 hash in database, never plaintext tokens - Hash input before lookup on all token endpoints Invitation tokens: - InvitationService: generate crypto random, store hash, pass plain token transiently for email URL via UserInvitation::$plainToken - InvitationController show/accept: hash input before DB lookup - AcceptInvitationRequest: hash token before invitation lookup - Migration: widen user_invitations.token and artists.portal_token from char(26) to char(64) for SHA-256 hex digests Portal token auth: - PortalTokenController: remove Schema::hasTable() runtime checks, hash token before lookup, return shaped response via PortalEventResource instead of raw model data - Create PortalEventResource (name, dates, status only — no internals) - Handle missing production_requests table gracefully via try/catch Portal token middleware: - Implement full token validation: extract from Bearer header or ?token= query param, hash, look up in artists/production_requests, verify event exists and is not draft/closed, set portal context on request - Return generic 401 on any failure (no information leakage) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -8,7 +8,6 @@ use App\Models\Organisation;
|
||||
use App\Models\User;
|
||||
use App\Models\UserInvitation;
|
||||
use Illuminate\Database\Eloquent\Factories\Factory;
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
/** @extends Factory<UserInvitation> */
|
||||
final class UserInvitationFactory extends Factory
|
||||
@@ -28,7 +27,11 @@ final class UserInvitationFactory extends Factory
|
||||
$invitation->invited_by_user_id ??= User::factory()->create()->id;
|
||||
$invitation->organisation_id ??= Organisation::factory()->create()->id;
|
||||
$invitation->role ??= 'org_member';
|
||||
$invitation->token ??= strtolower((string) Str::ulid());
|
||||
if ($invitation->token === null) {
|
||||
$plainToken = bin2hex(random_bytes(32));
|
||||
$invitation->token = hash('sha256', $plainToken);
|
||||
$invitation->plainToken = $plainToken;
|
||||
}
|
||||
$invitation->status ??= 'pending';
|
||||
$invitation->expires_at ??= now()->addDays(7);
|
||||
});
|
||||
|
||||
@@ -0,0 +1,40 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use Illuminate\Database\Migrations\Migration;
|
||||
use Illuminate\Database\Schema\Blueprint;
|
||||
use Illuminate\Support\Facades\Schema;
|
||||
|
||||
/**
|
||||
* Widen token columns from char(26) (ULID) to char(64) (SHA-256 hex digest).
|
||||
* Existing tokens become invalid — acceptable for pre-production.
|
||||
*/
|
||||
return new class extends Migration
|
||||
{
|
||||
public function up(): void
|
||||
{
|
||||
Schema::table('user_invitations', function (Blueprint $table) {
|
||||
$table->char('token', 64)->change();
|
||||
});
|
||||
|
||||
if (Schema::hasTable('artists')) {
|
||||
Schema::table('artists', function (Blueprint $table) {
|
||||
$table->char('portal_token', 64)->change();
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
public function down(): void
|
||||
{
|
||||
Schema::table('user_invitations', function (Blueprint $table) {
|
||||
$table->char('token', 26)->change();
|
||||
});
|
||||
|
||||
if (Schema::hasTable('artists')) {
|
||||
Schema::table('artists', function (Blueprint $table) {
|
||||
$table->char('portal_token', 26)->change();
|
||||
});
|
||||
}
|
||||
}
|
||||
};
|
||||
Reference in New Issue
Block a user